private static AWSCredentials GetCredentialSourceAWSCredentials(string credentialSourceType, bool throwIfInvalid)
{
AWSCredentials credentials;
CredentialSourceType type;
try
{
type = (CredentialSourceType)Enum.Parse(typeof(CredentialSourceType), credentialSourceType, true);
}
catch
{
return(ThrowOrReturnNull(string.Format(CultureInfo.InvariantCulture,
"Credential source [{0}] is invalid.", credentialSourceType), null, throwIfInvalid));
}
switch (type)
{
case CredentialSourceType.Ec2InstanceMetadata:
credentials = DefaultInstanceProfileAWSCredentials.Instance;
break;
case CredentialSourceType.Environment:
credentials = new EnvironmentVariablesAWSCredentials();
break;
case CredentialSourceType.EcsContainer:
string uri = Environment.GetEnvironmentVariable(ECSTaskCredentials.ContainerCredentialsURIEnvVariable);
if (string.IsNullOrEmpty(uri))
{
return(ThrowOrReturnNull(string.Format(CultureInfo.InvariantCulture,
"Container environment variable {0} is not set.", ECSTaskCredentials.ContainerCredentialsURIEnvVariable), null, throwIfInvalid));
}
credentials = new ECSTaskCredentials(null);
break;
default:
return(ThrowOrReturnNull(string.Format(CultureInfo.InvariantCulture,
"Credential source [{0}] is not implemented.", credentialSourceType), null, throwIfInvalid));
}
return(credentials);
}
public void TestECSCredentialsLocal()
{
string uri = "/ECS/Test/Endpoint/";
string accessKey = "SomeKey";
string secretKey = "SomeSecretKey";
string token = "Token";
string expiration = DateTime.UtcNow.AddHours(1).ToString("s") + "Z";
System.Environment.SetEnvironmentVariable(ECSTaskCredentials.ContainerCredentialsURIEnvVariable, uri);
using (ResponseTestServlet servlet = new ResponseTestServlet(uri))
{
string server = "http://*****:*****@"{{
""AccessKeyId"" : ""{0}"",
""SecretAccessKey"" : ""{1}"",
""Token"" : ""{2}"",
""Expiration"" : ""{3}""
}}", accessKey, secretKey, token, expiration);
ECSTaskCredentials generator = new ECSTaskCredentials();
FieldInfo serverField = generator.GetType().GetField("Server", BindingFlags.Instance | BindingFlags.NonPublic);
Assert.IsNotNull(serverField);
serverField.SetValue(generator, server);
ImmutableCredentials credentials = generator.GetCredentials();
Assert.AreEqual(accessKey, credentials.AccessKey);
Assert.AreEqual(secretKey, credentials.SecretKey);
Assert.AreEqual(token, credentials.Token);
}
System.Environment.SetEnvironmentVariable(ECSTaskCredentials.ContainerCredentialsURIEnvVariable, "");
}
public static bool TryGetCredentials(
this IAWSCredentialsArguments self,
PSHost psHost,
out AWSPSCredentials credentials,
SessionState sessionState)
{
if (self == null)
{
throw new ArgumentNullException("self");
}
credentials = null;
string name = null;
var source = CredentialsSource.Unknown;
var userSpecifiedProfile = !string.IsNullOrEmpty(self.ProfileName);
var profileChain = new CredentialProfileStoreChain(self.ProfileLocation);
// we probe for credentials by first checking the bound parameters to see if explicit credentials
// were supplied (keys, profile name, credential object), overriding anything in the shell environment
if (AWSCredentialsFactory.TryGetAWSCredentials(
self.GetCredentialProfileOptions(),
profileChain,
out var innerCredentials))
{
source = CredentialsSource.Strings;
name = "Supplied Key Parameters";
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
// user gave us the profile name?
if (innerCredentials == null && userSpecifiedProfile)
{
if (profileChain.TryGetProfile(self.ProfileName, out var credentialProfile))
{
innerCredentials = AWSCredentialsFactory.GetAWSCredentials(credentialProfile, profileChain);
source = CredentialsSource.Profile;
name = self.ProfileName;
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
else
{
// if the user gave us an explicit profile name (and optional location) it's an error if we
// don't find it as otherwise we could drop through and pick up a 'default' profile that is
// for a different account
return(false);
}
}
// how about an aws credentials object?
if (innerCredentials == null && self.Credential != null)
{
innerCredentials = self.Credential;
source = CredentialsSource.CredentialsObject;
name = "Credentials Object";
// don't set proxy and callback, use self.Credential as-is
}
// shell session variable set (this allows override of machine-wide environment variables)
if (innerCredentials == null && sessionState != null)
{
if (TryGetAWSPSCredentialsFromConflictingType(
sessionState.PSVariable.GetValue(SessionKeys.AWSCredentialsVariableName),
out var psCredentials))
{
credentials = psCredentials;
source = CredentialsSource.Session;
innerCredentials = credentials.Credentials; // so remaining probes are skipped
// don't set proxy and callback, use credentials.Credentials as-is
}
}
// no explicit command-level or shell instance override set, start to inspect the environment
// starting environment variables
if (innerCredentials == null)
{
try
{
var environmentCredentials = new EnvironmentVariablesAWSCredentials();
innerCredentials = environmentCredentials;
source = CredentialsSource.Environment;
name = "Environment Variables";
// no need to set proxy and callback - only basic or session credentials
}
catch
{
}
}
// get credentials from a 'default' profile?
if (innerCredentials == null && !userSpecifiedProfile)
{
if (profileChain.TryGetProfile(SettingsStore.PSDefaultSettingName, out var credentialProfile) &&
credentialProfile.CanCreateAWSCredentials)
{
innerCredentials = AWSCredentialsFactory.GetAWSCredentials(credentialProfile, profileChain);
source = CredentialsSource.Profile;
name = SettingsStore.PSDefaultSettingName;
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
}
// get credentials from a legacy default profile name?
if (innerCredentials == null)
{
if (profileChain.TryGetProfile(SettingsStore.PSLegacyDefaultSettingName, out var credentialProfile) &&
credentialProfile.CanCreateAWSCredentials)
{
if (AWSCredentialsFactory.TryGetAWSCredentials(
credentialProfile,
profileChain,
out innerCredentials))
{
source = CredentialsSource.Profile;
name = SettingsStore.PSLegacyDefaultSettingName;
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
}
}
if (innerCredentials == null)
{
// try and load credentials from ECS endpoint (if the relevant environment variable is set)
// or EC2 Instance Profile as a last resort
try
{
var relativeUri =
Environment.GetEnvironmentVariable(ECSTaskCredentials.ContainerCredentialsURIEnvVariable);
var fullUri = Environment.GetEnvironmentVariable(
ECSTaskCredentials.ContainerCredentialsFullURIEnvVariable);
if (!string.IsNullOrEmpty(relativeUri) || !string.IsNullOrEmpty(fullUri))
{
innerCredentials = new ECSTaskCredentials();
source = CredentialsSource.Container;
name = "Container";
// no need to set proxy and callback
}
else
{
innerCredentials = new InstanceProfileAWSCredentials();
source = CredentialsSource.InstanceProfile;
name = "Instance Profile";
// no need to set proxy and callback
}
}
catch
{
innerCredentials = null;
}
}
if (credentials == null && innerCredentials != null)
{
credentials = new AWSPSCredentials(innerCredentials, name, source);
}
return(credentials != null);
}
public void TestECSCredentialsLocal()
{
string uri = "/ECS/Test/Endpoint/";
string accessKey = "SomeKey";
string secretKey = "SomeSecretKey";
string token = "Token";
string expiration = DateTime.UtcNow.AddHours(1).ToString("s") + "Z";
System.Environment.SetEnvironmentVariable(ECSTaskCredentials.ContainerCredentialsURIEnvVariable, uri);
using (ResponseTestServlet servlet = new ResponseTestServlet(uri))
{
string server = "http://*****:*****@"{{
""AccessKeyId"" : ""{0}"",
""SecretAccessKey"" : ""{1}"",
""Token"" : ""{2}"",
""Expiration"" : ""{3}""
}}", accessKey, secretKey, token, expiration);
ECSTaskCredentials generator = new ECSTaskCredentials();
FieldInfo serverField = generator.GetType().GetField("Server", BindingFlags.Instance | BindingFlags.NonPublic );
Assert.IsNotNull(serverField);
serverField.SetValue(generator, server);
ImmutableCredentials credentials = generator.GetCredentials();
Assert.AreEqual(accessKey, credentials.AccessKey);
Assert.AreEqual(secretKey, credentials.SecretKey);
Assert.AreEqual(token, credentials.Token);
}
System.Environment.SetEnvironmentVariable(ECSTaskCredentials.ContainerCredentialsURIEnvVariable, "");
}
