public void TestNullRole() { AssertExtensions.ExpectException(() => { var creds = new InstanceProfileAWSCredentials(null); }, typeof(ArgumentNullException), "Value cannot be null." + Environment.NewLine + "Parameter name: role"); }
public void TestWhitespaceRole() { AssertExtensions.ExpectException(() => { var creds = new InstanceProfileAWSCredentials(" "); }, typeof(ArgumentException), "The argument 'role' must contain a valid role name."); }
/// <summary> /// Uses machine role permissions. /// </summary> /// <param name="_awsRegion">Aws region.</param> /// <param name="_bucket">Bucket.</param> /// <param name="_roleName">If specified will use the requested role.</param> public S3NoSqlEngine( string _awsRegion, string _dataBucket, string _indexBucket, string _database, string _roleName = null) { m_AwsRegion = _awsRegion; AWSCredentials credentials; if (_roleName == null) { credentials = new InstanceProfileAWSCredentials(); } else { credentials = new InstanceProfileAWSCredentials(_roleName); } m_S3Client = new AmazonS3Client(credentials, S3Helper.GetRegionEndpoint(m_AwsRegion)); DataBucket = _dataBucket; IndexBucket = _indexBucket; Database = _database; }
/// <exception cref="AggregateException"> /// If both InstanceProfile and EnvironmentVariable Credentials fail. /// Contains AmazonClientExceptions for both InstanceProfile and EnvironmentVariable failures</exception> /// <exception cref="AmazonClientException">If Basic (Account) Credentials fail</exception> public bool TryGetCredentials(ILog log, out AWSCredentials credentials) { credentials = null; if (Credentials.Type == "account") { try { credentials = new BasicAWSCredentials(Credentials.Account.AccessKey, Credentials.Account.SecretKey); } // Catching a generic Exception because AWS SDK throws undocumented exceptions. catch (Exception e) { log.Warn("Unable to authorise credentials, see verbose log for details."); log.Verbose($"Unable to authorise credentials for Account: {e}"); return(false); } } else { try { // If not currently running on an EC2 instance, // this will throw an exception. credentials = new InstanceProfileAWSCredentials(); } // Catching a generic Exception because AWS SDK throws undocumented exceptions. catch (Exception instanceProfileException) { try { // The last attempt is trying to use Environment Variables. credentials = new EnvironmentVariablesAWSCredentials(); } // Catching a generic Exception because AWS SDK throws undocumented exceptions. catch (Exception environmentVariablesException) { log.Warn("Unable to authorise credentials, see verbose log for details."); log.Verbose($"Unable to authorise credentials for Instance Profile: {instanceProfileException}"); log.Verbose($"Unable to authorise credentials for Environment Variables: {environmentVariablesException}"); return(false); } } } if (Role.Type == "assumeRole") { credentials = new AssumeRoleAWSCredentials(credentials, Role.Arn, Role.SessionName ?? DefaultSessionName, new AssumeRoleAWSCredentialsOptions { ExternalId = Role.ExternalId, DurationSeconds = Role.SessionDuration }); } return(true); }
public static void TestAsyncAwaitMethods() { var credentials = new InstanceProfileAWSCredentials(); //var credentials = new StoredProfileAWSCredentials("elore"); var amazonS3Client = new AmazonS3Client(credentials, RegionEndpoint.USEast1); var amazonS3Integration = new AmazonS3Integration(amazonS3Client); Console.WriteLine("OK"); Task.Run(() => amazonS3Integration.CopiarArquivo("video_profile.mp4", "conteudo-oregon-temp")); Console.ReadKey(); }
/* * Activation of this module requires an app.config file with a MySQL section, this applies to both .NET Framework and .NET Core applications * first add a new section to config sections for MySQL * <section name="MySQL" type="MySql.Data.MySqlClient.MySqlConfiguration,MySql.Data"/> * then add a MySQL section that looks like this * <MySQL> * <Replication> * <ServerGroups> * </ServerGroups> * </Replication> * <CommandInterceptors/> * <ExceptionInterceptors/> * <AuthenticationPlugins> * <add name="mysql_clear_password" type="ReportingXpress.Common.AWS.RDS.MySQLRoleAuthenticationPlugin, ReportingXpress.Common"></add> * </AuthenticationPlugins> * </MySQL> */ ///// <summary> ///// generate a new RDS authentication ticket ///// </summary> ///// <param name="serverName"></param> ///// <param name="portNumber"></param> ///// <param name="userId"></param> ///// <returns></returns> protected override ExpiringRDSTicket GetRDSAuthenticationTicket(string serverName, int portNumber, string userId) { serverName = VerifyRdsAddress(serverName); ExpiringRDSTicket returnValue = new ExpiringRDSTicket(); RegionEndpoint regionEndPoint = FallbackRegionFactory.GetRegionEndpoint(); AWSCredentials roleCredentials = new InstanceProfileAWSCredentials(); returnValue.AuthorizationTicket = RDSAuthTokenGenerator.GenerateAuthToken(roleCredentials, regionEndPoint, serverName, portNumber, userId); //tickets expire in 15 minutes, but Windows time drift is up to a minute in this case, so give it a buffer of 3 minutes returnValue.ExpiresUtc = DateTime.UtcNow.AddMinutes(14); return(returnValue); }
public static async Task <string> GetForgeKeysSSM(string SSMkey) { try { AWSCredentials awsCredentials = new InstanceProfileAWSCredentials(); GetParameterRequest parameterRequest = new GetParameterRequest() { Name = SSMkey }; AmazonSimpleSystemsManagementClient client = new AmazonSimpleSystemsManagementClient(awsCredentials, Amazon.RegionEndpoint.GetBySystemName(Environment.GetEnvironmentVariable("AWS_REGION"))); GetParameterResponse response = await client.GetParameterAsync(parameterRequest); return(response.Parameter.Value); } catch (Exception e) { throw new Exception("Cannot obtain Amazon SSM value for " + SSMkey, e); } }
public static AWSCredentials LoadFromInstance() { var store = new CredentialProfileStoreChain(); store.TryGetAWSCredentials("default", out var awsCredentials); if (awsCredentials == null && string.IsNullOrEmpty(EC2InstanceMetadata.InstanceId)) { var firstRole = InstanceProfileAWSCredentials.GetAvailableRoles().FirstOrDefault(); if (firstRole != null) { awsCredentials = new InstanceProfileAWSCredentials(firstRole); } } if (awsCredentials == null) { throw new ArgumentException($"{nameof(awsCredentials)} could not be loaded from the ~/.aws/credentials or the instance profile. Please pass explicitly."); } return(awsCredentials); }
private string GetDBConnectionString() { string connectionStr = string.Empty; string keyConnectionStr = "keyConn"; try { if (!this._memoryCache.TryGetValue(keyConnectionStr, out connectionStr)) { //if (string.IsNullOrEmpty(connectionStr)) // connectionStr = @"Data Source=kongsqldb.cugvbjkpc2us.ca-central-1.rds.amazonaws.com;Initial Catalog=awsdb;Integrated Security=false;User ID=wjkong;Password=Wj730615!"; var creds = new InstanceProfileAWSCredentials(); var ssmClient = new AmazonSimpleSystemsManagementClient(creds); var request = new GetParameterRequest() { Name = "/kongsolution/Prod/ConnectionStr", WithDecryption = true }; var response = ssmClient.GetParameterAsync(request).GetAwaiter().GetResult(); if (response.Parameter != null) { connectionStr = response.Parameter.Value; var cacheEntryOptions = new MemoryCacheEntryOptions().SetSlidingExpiration(TimeSpan.FromDays(7)); this._memoryCache.Set(keyConnectionStr, connectionStr, cacheEntryOptions); } } } catch { } return(connectionStr); }
/// <summary> /// Resolves the set of <see cref="AWSCredentials">AWS Credentials</see> based on the /// combination of credential-related parameters that are specified. /// </summary> /// <remarks> /// The order of resolution is as follows: /// <list> /// <item> /// 1. If AccessKeyId is found /// <item>a. If Session Token is found, returns Session AWS Credential</item> /// <item>b. If no Session Token, returns a Base AWS Credential</item> /// </item> /// <item> /// 2. If Profile Name is found, return a Stored Profile AWS Credential, with /// an optional, overridden Profile Location /// </item> /// <item> /// 3. If an IAM Role Name is specified, get the credentials from the local /// EC2 instance IAM Role environment; if the special name '*' is used, /// it uses the first IAM Role found in the current EC2 environment /// </item> /// <item> /// 4. Otherwise, assume credentials are specified in environment variables /// accessible to the hosting process and retrieve them from the following /// variables: /// <item><code>AWS_ACCESS_KEY_ID</code></item> /// <item><code>AWS_SECRET_ACCESS_KEY</code></item> /// <item><code></code>AWS_SESSION_TOKEN</code> (optional)</code></item> /// </item> /// </list> /// </remarks> public AWSCredentials ResolveCredentials() { AWSCredentials cr; if (!string.IsNullOrEmpty(AwsAccessKeyId)) { if (!string.IsNullOrEmpty(AwsSessionToken)) { cr = new SessionAWSCredentials(AwsAccessKeyId, AwsSecretAccessKey, AwsSessionToken); } else { cr = new Amazon.Runtime.BasicAWSCredentials(AwsAccessKeyId, AwsSecretAccessKey); } } else if (!string.IsNullOrEmpty(AwsProfileName)) { cr = new StoredProfileAWSCredentials(AwsProfileName, AwsProfileLocation); } else if (!string.IsNullOrEmpty(AwsIamRole)) { if (AwsIamRole == IAM_ROLE_ANY) { cr = new InstanceProfileAWSCredentials(); } else { cr = new InstanceProfileAWSCredentials(AwsIamRole); } } else { cr = new EnvironmentVariablesAWSCredentials(); } return(cr); }
public static bool TryGetCredentials( this IAWSCredentialsArguments self, PSHost psHost, out AWSPSCredentials credentials, SessionState sessionState) { if (self == null) { throw new ArgumentNullException("self"); } credentials = null; string name = null; var source = CredentialsSource.Unknown; var userSpecifiedProfile = !string.IsNullOrEmpty(self.ProfileName); var profileChain = new CredentialProfileStoreChain(self.ProfileLocation); // we probe for credentials by first checking the bound parameters to see if explicit credentials // were supplied (keys, profile name, credential object), overriding anything in the shell environment if (AWSCredentialsFactory.TryGetAWSCredentials( self.GetCredentialProfileOptions(), profileChain, out var innerCredentials)) { source = CredentialsSource.Strings; name = "Supplied Key Parameters"; SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState); } // user gave us the profile name? if (innerCredentials == null && userSpecifiedProfile) { if (profileChain.TryGetProfile(self.ProfileName, out var credentialProfile)) { innerCredentials = AWSCredentialsFactory.GetAWSCredentials(credentialProfile, profileChain); source = CredentialsSource.Profile; name = self.ProfileName; SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState); } else { // if the user gave us an explicit profile name (and optional location) it's an error if we // don't find it as otherwise we could drop through and pick up a 'default' profile that is // for a different account return(false); } } // how about an aws credentials object? if (innerCredentials == null && self.Credential != null) { innerCredentials = self.Credential; source = CredentialsSource.CredentialsObject; name = "Credentials Object"; // don't set proxy and callback, use self.Credential as-is } // shell session variable set (this allows override of machine-wide environment variables) if (innerCredentials == null && sessionState != null) { if (TryGetAWSPSCredentialsFromConflictingType( sessionState.PSVariable.GetValue(SessionKeys.AWSCredentialsVariableName), out var psCredentials)) { credentials = psCredentials; source = CredentialsSource.Session; innerCredentials = credentials.Credentials; // so remaining probes are skipped // don't set proxy and callback, use credentials.Credentials as-is } } // no explicit command-level or shell instance override set, start to inspect the environment // starting environment variables if (innerCredentials == null) { try { var environmentCredentials = new EnvironmentVariablesAWSCredentials(); innerCredentials = environmentCredentials; source = CredentialsSource.Environment; name = "Environment Variables"; // no need to set proxy and callback - only basic or session credentials } catch { } } // get credentials from a 'default' profile? if (innerCredentials == null && !userSpecifiedProfile) { if (profileChain.TryGetProfile(SettingsStore.PSDefaultSettingName, out var credentialProfile) && credentialProfile.CanCreateAWSCredentials) { innerCredentials = AWSCredentialsFactory.GetAWSCredentials(credentialProfile, profileChain); source = CredentialsSource.Profile; name = SettingsStore.PSDefaultSettingName; SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState); } } // get credentials from a legacy default profile name? if (innerCredentials == null) { if (profileChain.TryGetProfile(SettingsStore.PSLegacyDefaultSettingName, out var credentialProfile) && credentialProfile.CanCreateAWSCredentials) { if (AWSCredentialsFactory.TryGetAWSCredentials( credentialProfile, profileChain, out innerCredentials)) { source = CredentialsSource.Profile; name = SettingsStore.PSLegacyDefaultSettingName; SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState); } } } if (innerCredentials == null) { // try and load credentials from ECS endpoint (if the relevant environment variable is set) // or EC2 Instance Profile as a last resort try { var relativeUri = Environment.GetEnvironmentVariable(ECSTaskCredentials.ContainerCredentialsURIEnvVariable); var fullUri = Environment.GetEnvironmentVariable( ECSTaskCredentials.ContainerCredentialsFullURIEnvVariable); if (!string.IsNullOrEmpty(relativeUri) || !string.IsNullOrEmpty(fullUri)) { innerCredentials = new ECSTaskCredentials(); source = CredentialsSource.Container; name = "Container"; // no need to set proxy and callback } else { innerCredentials = new InstanceProfileAWSCredentials(); source = CredentialsSource.InstanceProfile; name = "Instance Profile"; // no need to set proxy and callback } } catch { innerCredentials = null; } } if (credentials == null && innerCredentials != null) { credentials = new AWSPSCredentials(innerCredentials, name, source); } return(credentials != null); }
private void SetupClient(ClientConfig clientConfig) { if (Client != null) { return; } if (clientConfig == null) { clientConfig = (TConfig)Activator.CreateInstance(typeof(TConfig)); } if (string.IsNullOrEmpty(_endPoint) && clientConfig.RegionEndpoint == null && ConfigurationManager.AppSettings["AWSServiceEndpoint"] != null) { _endPoint = ConfigurationManager.AppSettings["AWSServiceEndpoint"]; } if (string.IsNullOrEmpty(_accessKey) && ConfigurationManager.AppSettings["AWSAccessKey"] != null) { _accessKey = ConfigurationManager.AppSettings["AWSAccessKey"]; } if (string.IsNullOrEmpty(_secret) && ConfigurationManager.AppSettings["AWSSecretKey"] != null) { _secret = ConfigurationManager.AppSettings["AWSSecretKey"]; } if (!string.IsNullOrEmpty(_endPoint)) { if (_endPoint.StartsWith("http")) { clientConfig.ServiceURL = _endPoint; } else { clientConfig.RegionEndpoint = RegionEndpoint.GetBySystemName(_endPoint); } } if (string.IsNullOrEmpty(_accessKey)) { try { if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["AWSProfileName"]) || ProfileManager.ListProfileNames().Contains("default")) { if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["AWSRegion"])) { Client = (TClient)AWSClientFactoryWrapper <TClient> .CreateServiceClient(); } else if (clientConfig.RegionEndpoint != null || clientConfig.ServiceURL != null) { Client = (TClient)AWSClientFactoryWrapper <TClient> .CreateServiceClient(clientConfig); } } else { foreach (var availableRole in InstanceProfileAWSCredentials.GetAvailableRoles()) { LogLog.Debug(typeof(ClientWrapperBase <,>), "Role: " + availableRole); } Client = (TClient)AWSClientFactoryWrapper <TClient> .CreateServiceClient(clientConfig); } } catch (AmazonServiceException e) { LogLog.Debug(typeof(ClientWrapperBase <,>), "Exception caught while creating client", e); } }
public void StaticStabilityWhenIMDSExperiencesAnOutageScenarioTest() { var currentTime = new DateTime(1997, 8, 29, 16, 20, 0); var token = "ValidToken"; var profileMetadata = new IAMInstanceProfileMetadata { InstanceProfileArn = "profile_arn", InstanceProfileId = "profile_id" }; var validCredentialMetadata = new IAMSecurityCredentialMetadata { AccessKeyId = "value1", SecretAccessKey = "secret1", Expiration = currentTime.AddMinutes(75) }; var expiredCredentialMetadata = new IAMSecurityCredentialMetadata { AccessKeyId = "expired", SecretAccessKey = "expired", Expiration = currentTime.Subtract(TimeSpan.FromMinutes(5)) }; var validCredentialMetadata2 = new IAMSecurityCredentialMetadata { AccessKeyId = "value2", SecretAccessKey = "secret2", Expiration = currentTime.AddHours(6) }; using (new AWSConfigsDateFaker(() => currentTime.ToUniversalTime())) using (var imdsServlet = new EC2InstanceMetadataServlet()) { var instanceProfileAwsCredentials = new InstanceProfileAWSCredentials( // use a dummy role so InstanceProfileAWSCredentials doesn't try and call imds server to resolve role role: "dummyRole", proxy: null); // EXPIRED TEST 1 & 2 - can use IMDS provider if first IMDS call returns expired creds // Given IMDS service immediately returns an expired credential imdsServlet.AddTokenFetchResponse(token); imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token); imdsServlet.AddMetadataGetSecurityCredentialsResponse(expiredCredentialMetadata, token); // When InstanceProfileAWSCredentials returns a Credential var expiredInitialCreds = instanceProfileAwsCredentials.GetCredentials(); // Then the Credential is valid and be used to call a Service AssertAreEqual(expiredCredentialMetadata, expiredInitialCreds); // REFRESH TEST 2/LOGGING TEST - Can send a request after receiving a 500 // Given 20 minutes has passed (expired credential cache time is up to 15 minutes) currentTime += TimeSpan.FromMinutes(20); // Given the IMDS service is running normally imdsServlet.AddTokenFetchResponse(token); imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token); imdsServlet.AddMetadataGetSecurityCredentialsResponse(validCredentialMetadata, token); // When InstanceProfileAWSCredentials returns a Credential var initialCreds = instanceProfileAwsCredentials.GetCredentials(); // Then the Credential is valid and be used to call a Service AssertAreEqual(validCredentialMetadata, initialCreds); // Given 1 hour has passed (default credential cache time is 1 hour) currentTime += TimeSpan.FromMinutes(65); // And the IMDS service returns 5xx error imdsServlet.AddTokenFetchResponse(token); imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token); imdsServlet.AddMetadataGenericResponse(contents: "", token: token, HttpStatusCode.ServiceUnavailable); // When InstanceProfileAWSCredentials returns the previously valid Credential var badCreds = instanceProfileAwsCredentials.GetCredentials(); // Then the Credential is the previously valid Credential and can be used to call a Service AssertAreEqual(validCredentialMetadata, badCreds); // And there is a log message that an expired credential is being used // Given 90 minutes has passed (credential cache time is up to 60 minutes) currentTime += TimeSpan.FromMinutes(90); // And the IMDS service is running normally (again) imdsServlet.AddTokenFetchResponse(token); imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token); imdsServlet.AddMetadataGetSecurityCredentialsResponse(validCredentialMetadata2, token); // When InstanceProfileAWSCredentials returns a Credential var goodCreds2 = instanceProfileAwsCredentials.GetCredentials(); // Then the Credential is valid and be used to call a Service AssertAreEqual(validCredentialMetadata2, goodCreds2); // EXPIRED TEST 3 - Can perform 3 successive requests with expired credentials. IMDS must only be called once. // Given IMDS service immediately returns an expired credential imdsServlet.AddTokenFetchResponse(token); imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token); imdsServlet.AddMetadataGetSecurityCredentialsResponse(expiredCredentialMetadata, token); // When InstanceProfileAWSCredentials returns a Credential var creds1 = instanceProfileAwsCredentials.GetCredentials(); // And InstanceProfileAWSCredentials returns a Credential var creds2 = instanceProfileAwsCredentials.GetCredentials(); // And InstanceProfileAWSCredentials returns a Credential var creds3 = instanceProfileAwsCredentials.GetCredentials(); // Then IMDS is only called once // (imdsServlet would have thrown an exception if an additional call was made) } }