public void TestNullRole()
{
AssertExtensions.ExpectException(() =>
{
var creds = new InstanceProfileAWSCredentials(null);
}, typeof(ArgumentNullException), "Value cannot be null." + Environment.NewLine + "Parameter name: role");
}
public void TestWhitespaceRole()
{
AssertExtensions.ExpectException(() =>
{
var creds = new InstanceProfileAWSCredentials(" ");
}, typeof(ArgumentException), "The argument 'role' must contain a valid role name.");
}
/// <summary>
/// Uses machine role permissions.
/// </summary>
/// <param name="_awsRegion">Aws region.</param>
/// <param name="_bucket">Bucket.</param>
/// <param name="_roleName">If specified will use the requested role.</param>
public S3NoSqlEngine(
string _awsRegion,
string _dataBucket,
string _indexBucket,
string _database,
string _roleName = null)
{
m_AwsRegion = _awsRegion;
AWSCredentials credentials;
if (_roleName == null)
{
credentials = new InstanceProfileAWSCredentials();
}
else
{
credentials = new InstanceProfileAWSCredentials(_roleName);
}
m_S3Client = new AmazonS3Client(credentials, S3Helper.GetRegionEndpoint(m_AwsRegion));
DataBucket = _dataBucket;
IndexBucket = _indexBucket;
Database = _database;
}
/// <exception cref="AggregateException">
/// If both InstanceProfile and EnvironmentVariable Credentials fail.
/// Contains AmazonClientExceptions for both InstanceProfile and EnvironmentVariable failures</exception>
/// <exception cref="AmazonClientException">If Basic (Account) Credentials fail</exception>
public bool TryGetCredentials(ILog log, out AWSCredentials credentials)
{
credentials = null;
if (Credentials.Type == "account")
{
try
{
credentials = new BasicAWSCredentials(Credentials.Account.AccessKey, Credentials.Account.SecretKey);
}
// Catching a generic Exception because AWS SDK throws undocumented exceptions.
catch (Exception e)
{
log.Warn("Unable to authorise credentials, see verbose log for details.");
log.Verbose($"Unable to authorise credentials for Account: {e}");
return(false);
}
}
else
{
try
{
// If not currently running on an EC2 instance,
// this will throw an exception.
credentials = new InstanceProfileAWSCredentials();
}
// Catching a generic Exception because AWS SDK throws undocumented exceptions.
catch (Exception instanceProfileException)
{
try
{
// The last attempt is trying to use Environment Variables.
credentials = new EnvironmentVariablesAWSCredentials();
}
// Catching a generic Exception because AWS SDK throws undocumented exceptions.
catch (Exception environmentVariablesException)
{
log.Warn("Unable to authorise credentials, see verbose log for details.");
log.Verbose($"Unable to authorise credentials for Instance Profile: {instanceProfileException}");
log.Verbose($"Unable to authorise credentials for Environment Variables: {environmentVariablesException}");
return(false);
}
}
}
if (Role.Type == "assumeRole")
{
credentials = new AssumeRoleAWSCredentials(credentials,
Role.Arn,
Role.SessionName ?? DefaultSessionName,
new AssumeRoleAWSCredentialsOptions
{
ExternalId = Role.ExternalId, DurationSeconds = Role.SessionDuration
});
}
return(true);
}
public static void TestAsyncAwaitMethods()
{
var credentials = new InstanceProfileAWSCredentials();
//var credentials = new StoredProfileAWSCredentials("elore");
var amazonS3Client = new AmazonS3Client(credentials, RegionEndpoint.USEast1);
var amazonS3Integration = new AmazonS3Integration(amazonS3Client);
Console.WriteLine("OK");
Task.Run(() => amazonS3Integration.CopiarArquivo("video_profile.mp4", "conteudo-oregon-temp"));
Console.ReadKey();
}
/*
* Activation of this module requires an app.config file with a MySQL section, this applies to both .NET Framework and .NET Core applications
* first add a new section to config sections for MySQL
* <section name="MySQL" type="MySql.Data.MySqlClient.MySqlConfiguration,MySql.Data"/>
* then add a MySQL section that looks like this
* <MySQL>
* <Replication>
* <ServerGroups>
* </ServerGroups>
* </Replication>
* <CommandInterceptors/>
* <ExceptionInterceptors/>
* <AuthenticationPlugins>
* <add name="mysql_clear_password" type="ReportingXpress.Common.AWS.RDS.MySQLRoleAuthenticationPlugin, ReportingXpress.Common"></add>
* </AuthenticationPlugins>
* </MySQL>
*/
///// <summary>
///// generate a new RDS authentication ticket
///// </summary>
///// <param name="serverName"></param>
///// <param name="portNumber"></param>
///// <param name="userId"></param>
///// <returns></returns>
protected override ExpiringRDSTicket GetRDSAuthenticationTicket(string serverName, int portNumber, string userId)
{
serverName = VerifyRdsAddress(serverName);
ExpiringRDSTicket returnValue = new ExpiringRDSTicket();
RegionEndpoint regionEndPoint = FallbackRegionFactory.GetRegionEndpoint();
AWSCredentials roleCredentials = new InstanceProfileAWSCredentials();
returnValue.AuthorizationTicket = RDSAuthTokenGenerator.GenerateAuthToken(roleCredentials, regionEndPoint, serverName, portNumber, userId);
//tickets expire in 15 minutes, but Windows time drift is up to a minute in this case, so give it a buffer of 3 minutes
returnValue.ExpiresUtc = DateTime.UtcNow.AddMinutes(14);
return(returnValue);
}
public static async Task <string> GetForgeKeysSSM(string SSMkey)
{
try
{
AWSCredentials awsCredentials = new InstanceProfileAWSCredentials();
GetParameterRequest parameterRequest = new GetParameterRequest()
{
Name = SSMkey
};
AmazonSimpleSystemsManagementClient client = new AmazonSimpleSystemsManagementClient(awsCredentials, Amazon.RegionEndpoint.GetBySystemName(Environment.GetEnvironmentVariable("AWS_REGION")));
GetParameterResponse response = await client.GetParameterAsync(parameterRequest);
return(response.Parameter.Value);
}
catch (Exception e)
{
throw new Exception("Cannot obtain Amazon SSM value for " + SSMkey, e);
}
}
public static AWSCredentials LoadFromInstance()
{
var store = new CredentialProfileStoreChain();
store.TryGetAWSCredentials("default", out var awsCredentials);
if (awsCredentials == null && string.IsNullOrEmpty(EC2InstanceMetadata.InstanceId))
{
var firstRole = InstanceProfileAWSCredentials.GetAvailableRoles().FirstOrDefault();
if (firstRole != null)
{
awsCredentials = new InstanceProfileAWSCredentials(firstRole);
}
}
if (awsCredentials == null)
{
throw new ArgumentException($"{nameof(awsCredentials)} could not be loaded from the ~/.aws/credentials or the instance profile. Please pass explicitly.");
}
return(awsCredentials);
}
private string GetDBConnectionString()
{
string connectionStr = string.Empty;
string keyConnectionStr = "keyConn";
try
{
if (!this._memoryCache.TryGetValue(keyConnectionStr, out connectionStr))
{
//if (string.IsNullOrEmpty(connectionStr))
// connectionStr = @"Data Source=kongsqldb.cugvbjkpc2us.ca-central-1.rds.amazonaws.com;Initial Catalog=awsdb;Integrated Security=false;User ID=wjkong;Password=Wj730615!";
var creds = new InstanceProfileAWSCredentials();
var ssmClient = new AmazonSimpleSystemsManagementClient(creds);
var request = new GetParameterRequest()
{
Name = "/kongsolution/Prod/ConnectionStr",
WithDecryption = true
};
var response = ssmClient.GetParameterAsync(request).GetAwaiter().GetResult();
if (response.Parameter != null)
{
connectionStr = response.Parameter.Value;
var cacheEntryOptions = new MemoryCacheEntryOptions().SetSlidingExpiration(TimeSpan.FromDays(7));
this._memoryCache.Set(keyConnectionStr, connectionStr, cacheEntryOptions);
}
}
}
catch
{
}
return(connectionStr);
}
/// <summary>
/// Resolves the set of <see cref="AWSCredentials">AWS Credentials</see> based on the
/// combination of credential-related parameters that are specified.
/// </summary>
/// <remarks>
/// The order of resolution is as follows:
/// <list>
/// <item>
/// 1. If AccessKeyId is found
/// <item>a. If Session Token is found, returns Session AWS Credential</item>
/// <item>b. If no Session Token, returns a Base AWS Credential</item>
/// </item>
/// <item>
/// 2. If Profile Name is found, return a Stored Profile AWS Credential, with
/// an optional, overridden Profile Location
/// </item>
/// <item>
/// 3. If an IAM Role Name is specified, get the credentials from the local
/// EC2 instance IAM Role environment; if the special name '*' is used,
/// it uses the first IAM Role found in the current EC2 environment
/// </item>
/// <item>
/// 4. Otherwise, assume credentials are specified in environment variables
/// accessible to the hosting process and retrieve them from the following
/// variables:
/// <item><code>AWS_ACCESS_KEY_ID</code></item>
/// <item><code>AWS_SECRET_ACCESS_KEY</code></item>
/// <item><code></code>AWS_SESSION_TOKEN</code> (optional)</code></item>
/// </item>
/// </list>
/// </remarks>
public AWSCredentials ResolveCredentials()
{
AWSCredentials cr;
if (!string.IsNullOrEmpty(AwsAccessKeyId))
{
if (!string.IsNullOrEmpty(AwsSessionToken))
{
cr = new SessionAWSCredentials(AwsAccessKeyId, AwsSecretAccessKey, AwsSessionToken);
}
else
{
cr = new Amazon.Runtime.BasicAWSCredentials(AwsAccessKeyId, AwsSecretAccessKey);
}
}
else if (!string.IsNullOrEmpty(AwsProfileName))
{
cr = new StoredProfileAWSCredentials(AwsProfileName, AwsProfileLocation);
}
else if (!string.IsNullOrEmpty(AwsIamRole))
{
if (AwsIamRole == IAM_ROLE_ANY)
{
cr = new InstanceProfileAWSCredentials();
}
else
{
cr = new InstanceProfileAWSCredentials(AwsIamRole);
}
}
else
{
cr = new EnvironmentVariablesAWSCredentials();
}
return(cr);
}
public static bool TryGetCredentials(
this IAWSCredentialsArguments self,
PSHost psHost,
out AWSPSCredentials credentials,
SessionState sessionState)
{
if (self == null)
{
throw new ArgumentNullException("self");
}
credentials = null;
string name = null;
var source = CredentialsSource.Unknown;
var userSpecifiedProfile = !string.IsNullOrEmpty(self.ProfileName);
var profileChain = new CredentialProfileStoreChain(self.ProfileLocation);
// we probe for credentials by first checking the bound parameters to see if explicit credentials
// were supplied (keys, profile name, credential object), overriding anything in the shell environment
if (AWSCredentialsFactory.TryGetAWSCredentials(
self.GetCredentialProfileOptions(),
profileChain,
out var innerCredentials))
{
source = CredentialsSource.Strings;
name = "Supplied Key Parameters";
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
// user gave us the profile name?
if (innerCredentials == null && userSpecifiedProfile)
{
if (profileChain.TryGetProfile(self.ProfileName, out var credentialProfile))
{
innerCredentials = AWSCredentialsFactory.GetAWSCredentials(credentialProfile, profileChain);
source = CredentialsSource.Profile;
name = self.ProfileName;
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
else
{
// if the user gave us an explicit profile name (and optional location) it's an error if we
// don't find it as otherwise we could drop through and pick up a 'default' profile that is
// for a different account
return(false);
}
}
// how about an aws credentials object?
if (innerCredentials == null && self.Credential != null)
{
innerCredentials = self.Credential;
source = CredentialsSource.CredentialsObject;
name = "Credentials Object";
// don't set proxy and callback, use self.Credential as-is
}
// shell session variable set (this allows override of machine-wide environment variables)
if (innerCredentials == null && sessionState != null)
{
if (TryGetAWSPSCredentialsFromConflictingType(
sessionState.PSVariable.GetValue(SessionKeys.AWSCredentialsVariableName),
out var psCredentials))
{
credentials = psCredentials;
source = CredentialsSource.Session;
innerCredentials = credentials.Credentials; // so remaining probes are skipped
// don't set proxy and callback, use credentials.Credentials as-is
}
}
// no explicit command-level or shell instance override set, start to inspect the environment
// starting environment variables
if (innerCredentials == null)
{
try
{
var environmentCredentials = new EnvironmentVariablesAWSCredentials();
innerCredentials = environmentCredentials;
source = CredentialsSource.Environment;
name = "Environment Variables";
// no need to set proxy and callback - only basic or session credentials
}
catch
{
}
}
// get credentials from a 'default' profile?
if (innerCredentials == null && !userSpecifiedProfile)
{
if (profileChain.TryGetProfile(SettingsStore.PSDefaultSettingName, out var credentialProfile) &&
credentialProfile.CanCreateAWSCredentials)
{
innerCredentials = AWSCredentialsFactory.GetAWSCredentials(credentialProfile, profileChain);
source = CredentialsSource.Profile;
name = SettingsStore.PSDefaultSettingName;
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
}
// get credentials from a legacy default profile name?
if (innerCredentials == null)
{
if (profileChain.TryGetProfile(SettingsStore.PSLegacyDefaultSettingName, out var credentialProfile) &&
credentialProfile.CanCreateAWSCredentials)
{
if (AWSCredentialsFactory.TryGetAWSCredentials(
credentialProfile,
profileChain,
out innerCredentials))
{
source = CredentialsSource.Profile;
name = SettingsStore.PSLegacyDefaultSettingName;
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
}
}
if (innerCredentials == null)
{
// try and load credentials from ECS endpoint (if the relevant environment variable is set)
// or EC2 Instance Profile as a last resort
try
{
var relativeUri =
Environment.GetEnvironmentVariable(ECSTaskCredentials.ContainerCredentialsURIEnvVariable);
var fullUri = Environment.GetEnvironmentVariable(
ECSTaskCredentials.ContainerCredentialsFullURIEnvVariable);
if (!string.IsNullOrEmpty(relativeUri) || !string.IsNullOrEmpty(fullUri))
{
innerCredentials = new ECSTaskCredentials();
source = CredentialsSource.Container;
name = "Container";
// no need to set proxy and callback
}
else
{
innerCredentials = new InstanceProfileAWSCredentials();
source = CredentialsSource.InstanceProfile;
name = "Instance Profile";
// no need to set proxy and callback
}
}
catch
{
innerCredentials = null;
}
}
if (credentials == null && innerCredentials != null)
{
credentials = new AWSPSCredentials(innerCredentials, name, source);
}
return(credentials != null);
}
private void SetupClient(ClientConfig clientConfig)
{
if (Client != null)
{
return;
}
if (clientConfig == null)
{
clientConfig = (TConfig)Activator.CreateInstance(typeof(TConfig));
}
if (string.IsNullOrEmpty(_endPoint) && clientConfig.RegionEndpoint == null && ConfigurationManager.AppSettings["AWSServiceEndpoint"] != null)
{
_endPoint = ConfigurationManager.AppSettings["AWSServiceEndpoint"];
}
if (string.IsNullOrEmpty(_accessKey) && ConfigurationManager.AppSettings["AWSAccessKey"] != null)
{
_accessKey = ConfigurationManager.AppSettings["AWSAccessKey"];
}
if (string.IsNullOrEmpty(_secret) && ConfigurationManager.AppSettings["AWSSecretKey"] != null)
{
_secret = ConfigurationManager.AppSettings["AWSSecretKey"];
}
if (!string.IsNullOrEmpty(_endPoint))
{
if (_endPoint.StartsWith("http"))
{
clientConfig.ServiceURL = _endPoint;
}
else
{
clientConfig.RegionEndpoint = RegionEndpoint.GetBySystemName(_endPoint);
}
}
if (string.IsNullOrEmpty(_accessKey))
{
try
{
if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["AWSProfileName"]) || ProfileManager.ListProfileNames().Contains("default"))
{
if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["AWSRegion"]))
{
Client = (TClient)AWSClientFactoryWrapper <TClient> .CreateServiceClient();
}
else if (clientConfig.RegionEndpoint != null || clientConfig.ServiceURL != null)
{
Client = (TClient)AWSClientFactoryWrapper <TClient> .CreateServiceClient(clientConfig);
}
}
else
{
foreach (var availableRole in InstanceProfileAWSCredentials.GetAvailableRoles())
{
LogLog.Debug(typeof(ClientWrapperBase <,>), "Role: " + availableRole);
}
Client = (TClient)AWSClientFactoryWrapper <TClient> .CreateServiceClient(clientConfig);
}
}
catch (AmazonServiceException e)
{
LogLog.Debug(typeof(ClientWrapperBase <,>), "Exception caught while creating client", e);
}
}
public void StaticStabilityWhenIMDSExperiencesAnOutageScenarioTest()
{
var currentTime = new DateTime(1997, 8, 29, 16, 20, 0);
var token = "ValidToken";
var profileMetadata = new IAMInstanceProfileMetadata
{
InstanceProfileArn = "profile_arn",
InstanceProfileId = "profile_id"
};
var validCredentialMetadata = new IAMSecurityCredentialMetadata
{
AccessKeyId = "value1",
SecretAccessKey = "secret1",
Expiration = currentTime.AddMinutes(75)
};
var expiredCredentialMetadata = new IAMSecurityCredentialMetadata
{
AccessKeyId = "expired",
SecretAccessKey = "expired",
Expiration = currentTime.Subtract(TimeSpan.FromMinutes(5))
};
var validCredentialMetadata2 = new IAMSecurityCredentialMetadata
{
AccessKeyId = "value2",
SecretAccessKey = "secret2",
Expiration = currentTime.AddHours(6)
};
using (new AWSConfigsDateFaker(() => currentTime.ToUniversalTime()))
using (var imdsServlet = new EC2InstanceMetadataServlet())
{
var instanceProfileAwsCredentials =
new InstanceProfileAWSCredentials(
// use a dummy role so InstanceProfileAWSCredentials doesn't try and call imds server to resolve role
role: "dummyRole",
proxy: null);
// EXPIRED TEST 1 & 2 - can use IMDS provider if first IMDS call returns expired creds
// Given IMDS service immediately returns an expired credential
imdsServlet.AddTokenFetchResponse(token);
imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token);
imdsServlet.AddMetadataGetSecurityCredentialsResponse(expiredCredentialMetadata, token);
// When InstanceProfileAWSCredentials returns a Credential
var expiredInitialCreds = instanceProfileAwsCredentials.GetCredentials();
// Then the Credential is valid and be used to call a Service
AssertAreEqual(expiredCredentialMetadata, expiredInitialCreds);
// REFRESH TEST 2/LOGGING TEST - Can send a request after receiving a 500
// Given 20 minutes has passed (expired credential cache time is up to 15 minutes)
currentTime += TimeSpan.FromMinutes(20);
// Given the IMDS service is running normally
imdsServlet.AddTokenFetchResponse(token);
imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token);
imdsServlet.AddMetadataGetSecurityCredentialsResponse(validCredentialMetadata, token);
// When InstanceProfileAWSCredentials returns a Credential
var initialCreds = instanceProfileAwsCredentials.GetCredentials();
// Then the Credential is valid and be used to call a Service
AssertAreEqual(validCredentialMetadata, initialCreds);
// Given 1 hour has passed (default credential cache time is 1 hour)
currentTime += TimeSpan.FromMinutes(65);
// And the IMDS service returns 5xx error
imdsServlet.AddTokenFetchResponse(token);
imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token);
imdsServlet.AddMetadataGenericResponse(contents: "", token: token, HttpStatusCode.ServiceUnavailable);
// When InstanceProfileAWSCredentials returns the previously valid Credential
var badCreds = instanceProfileAwsCredentials.GetCredentials();
// Then the Credential is the previously valid Credential and can be used to call a Service
AssertAreEqual(validCredentialMetadata, badCreds);
// And there is a log message that an expired credential is being used
// Given 90 minutes has passed (credential cache time is up to 60 minutes)
currentTime += TimeSpan.FromMinutes(90);
// And the IMDS service is running normally (again)
imdsServlet.AddTokenFetchResponse(token);
imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token);
imdsServlet.AddMetadataGetSecurityCredentialsResponse(validCredentialMetadata2, token);
// When InstanceProfileAWSCredentials returns a Credential
var goodCreds2 = instanceProfileAwsCredentials.GetCredentials();
// Then the Credential is valid and be used to call a Service
AssertAreEqual(validCredentialMetadata2, goodCreds2);
// EXPIRED TEST 3 - Can perform 3 successive requests with expired credentials. IMDS must only be called once.
// Given IMDS service immediately returns an expired credential
imdsServlet.AddTokenFetchResponse(token);
imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token);
imdsServlet.AddMetadataGetSecurityCredentialsResponse(expiredCredentialMetadata, token);
// When InstanceProfileAWSCredentials returns a Credential
var creds1 = instanceProfileAwsCredentials.GetCredentials();
// And InstanceProfileAWSCredentials returns a Credential
var creds2 = instanceProfileAwsCredentials.GetCredentials();
// And InstanceProfileAWSCredentials returns a Credential
var creds3 = instanceProfileAwsCredentials.GetCredentials();
// Then IMDS is only called once
// (imdsServlet would have thrown an exception if an additional call was made)
}
}
