        /// <summary>
        /// Creates an IAM role with the given trust relationship and attaches one inline permission
        /// policy to it.
        /// </summary>
        /// <param name="iamClient">Client used for both IAM calls.</param>
        /// <param name="roleName">Name of the role to create; also the prefix of the inline policy name.</param>
        /// <param name="policyText">Permission policy document attached to the role as <c>{roleName}_policy</c>.</param>
        /// <param name="trustRelationshipText">Trust policy document (who may assume the role).</param>
        /// <returns>The ARN of the newly created role.</returns>
        /// <remarks>
        /// Both documents are passed to IAM unchanged; nothing here inspects or constrains their content,
        /// so the caller owns what the role trusts and what it is allowed to do.
        /// </remarks>
        virtual public string PrepMode_CreateRole(AmazonIdentityManagementServiceClient iamClient, string roleName,
                                                  string policyText, string trustRelationshipText)
        {
            // Step 1: create the role. The trust relationship is the AssumeRolePolicyDocument and
            // comes straight from trustRelationshipText.
            var createRequest = new CreateRoleRequest
            {
                RoleName = roleName,
                AssumeRolePolicyDocument = trustRelationshipText
            };
            var createdArn = iamClient.CreateRole(createRequest).Role.Arn;

            // Step 2: attach the inline permission policy. The policy name is derived from the role
            // name; PolicyDocument is where the permissions themselves are described.
            var policyName = String.Format("{0}_policy", roleName);
            iamClient.PutRolePolicy(new PutRolePolicyRequest
            {
                RoleName       = roleName,
                PolicyName     = policyName,
                PolicyDocument = policyText
            });

            return createdArn;
        }
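        /// <summary>
        /// Reconciles the inline policies of <paramref name="roleName"/> with <paramref name="policies"/>:
        /// each policy is written only when it does not exist yet or its stored document differs.
        /// </summary>
        /// <param name="roleName">Role whose inline policies are reconciled.</param>
        /// <param name="policies">Desired inline policies (name and document).</param>
        /// <returns>The policies that were actually written; unchanged ones are omitted.</returns>
        /// <remarks>
        /// The comparison is an exact string match after URL-decoding the stored document, so whitespace
        /// or key-order differences count as a change. All policies are processed concurrently; if any
        /// call fails, the first exception propagates after the others have completed.
        /// </remarks>
        public async Task <IEnumerable <Policy> > PutPoliciesAsync(RoleName roleName, IEnumerable <Policy> policies)
        {
            var policiesAdded = new List <Policy>();
            // Guards policiesAdded: the per-policy tasks run concurrently and List<T> is not thread-safe.
            var addedGate     = new object();
            var tasks         = new List <Task>();

            foreach (var policy in policies)
            {
                tasks.Add(ReconcilePolicyAsync(roleName, policy, policiesAdded, addedGate));
            }

            // Await rather than Task.WaitAll: blocking inside an async method ties up the caller's thread
            // and can deadlock when a synchronization context is present.
            await Task.WhenAll(tasks);
            return policiesAdded;
        }

        // Fetches the current inline policy (null if absent); returns early when the document already
        // matches, otherwise records the policy and writes the desired document.
        private async Task ReconcilePolicyAsync(RoleName roleName, Policy policy, List <Policy> policiesAdded, object addedGate)
        {
            GetRolePolicyResponse getRolePolicyResponse;
            try
            {
                getRolePolicyResponse = await _client.GetPolicyAsync(new GetRolePolicyRequest
                {
                    RoleName = roleName, PolicyName = policy.Name
                });
            }
            catch (NoSuchEntityException)
            {
                // A missing policy is an expected state, not an error: it simply has to be created.
                getRolePolicyResponse = null;
            }

            if (getRolePolicyResponse != null &&
                policy.Document == Uri.UnescapeDataString(getRolePolicyResponse.PolicyDocument))
            {
                return;
            }

            lock (addedGate)
            {
                policiesAdded.Add(policy);
            }

            var rolePolicyRequest = new PutRolePolicyRequest
            {
                RoleName       = roleName,
                PolicyName     = policy.Name,
                PolicyDocument = policy.Document
            };
            await _client.PutRolePolicyAsync(rolePolicyRequest);
        }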
//Button 4 - CloudBerry
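        /// <summary>
        /// Appends two Allow statements (s3:* on the bucket named in txtID and on its objects) to the existing
        /// inline policy of the CloudBerry backup role and writes the policy back; progress and errors are
        /// reported in txtOutput.
        /// </summary>
        /// <remarks>
        /// The policy document is assembled by string concatenation, so the bucket name typed into the UI is
        /// validated against the S3 bucket-name character set before it is embedded; anything else is rejected
        /// instead of being spliced into JSON. The role and policy names are fixed. Errors other than a missing
        /// role/policy (for example a document IAM rejects as malformed) propagate as in the original code.
        /// </remarks>
        private void button4_Click(object sender, EventArgs e)
        {
            txtOutput.Text += "Editing CB Role Policy" + "\r\n";

            var bucketName = (txtID.Text ?? "").Trim();
            if (!IsValidBucketName(bucketName))
            {
                txtOutput.Text += "Invalid bucket name; only lowercase letters, digits, '.' and '-' (3-63 chars) are accepted." + "\r\n";
                return;
            }

            // The SDK client is disposable; scope it to this handler.
            using (var client = new AmazonIdentityManagementServiceClient())
            {
                var oldpolicy = "";

                var getcurrentrequest = new GetRolePolicyRequest
                {
                    PolicyName = "CloudBerryMBSPolicy",
                    RoleName   = "CloudBerryMBSRole-6bba62a8-a0da-497c-b296-2fe588c64db4"
                };

                try
                {
                    var getPolicyResponse = client.GetRolePolicy(getcurrentrequest);
                    // IAM returns the document URL-encoded.
                    oldpolicy = System.Net.WebUtility.UrlDecode(getPolicyResponse.PolicyDocument);
                }
                catch (NoSuchEntityException)
                {
                    // Without an existing document there is nothing to append to; continuing would
                    // have thrown ArgumentOutOfRangeException on the empty string below.
                    txtOutput.Text += "Policy does not exist." + "\r\n";
                    return;
                }

                // Cut the document just before the closing bracket of the Statement array so the new
                // statements can be appended. This expects Statement to be an array (the last ']' in
                // the document); an unexpected layout is reported instead of producing broken JSON.
                var closingBracket = oldpolicy.LastIndexOf(']');
                if (closingBracket < 0)
                {
                    txtOutput.Text += "Existing policy has an unexpected format; no changes made." + "\r\n";
                    return;
                }
                var newpolicy = oldpolicy.Substring(0, closingBracket).TrimEnd();

                newpolicy += ",{\"Effect\": \"Allow\",  \"Action\": \"s3:*\", \"Resource\": [  \"arn:aws:s3:::" + bucketName + "\"], \"Condition\": {} }, {\"Effect\": \"Allow\",  \"Action\": \"s3:*\", \"Resource\": [  \"arn:aws:s3:::" + bucketName + "/*\"], \"Condition\": {} }  ] }";

                var putrolepolicyrequest = new PutRolePolicyRequest
                {
                    RoleName       = "CloudBerryMBSRole-6bba62a8-a0da-497c-b296-2fe588c64db4",
                    PolicyName     = "CloudBerryMBSPolicy",
                    PolicyDocument = newpolicy
                };

                try
                {
                    client.PutRolePolicy(putrolepolicyrequest);
                    txtOutput.Text += "CloudBerry Role Policy Update - Success \r\n";
                }
                catch (NoSuchEntityException)
                {
                    // PutRolePolicy reports NoSuchEntity when the role itself is missing.
                    txtOutput.Text += "Role does not exist." + "\r\n";
                }
            }
        }

        // Accepts only the S3 bucket-name character set (lowercase letters, digits, '.', '-'; 3-63 chars),
        // which also guarantees the value cannot break out of the quoted JSON string it is spliced into.
        private static bool IsValidBucketName(string name)
        {
            if (name == null || name.Length < 3 || name.Length > 63)
            {
                return false;
            }

            foreach (var c in name)
            {
                var allowed = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-';
                if (!allowed)
                {
                    return false;
                }
            }

            return true;
        }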
 /// <summary>
 /// Not implemented: this member exists only to satisfy the interface it belongs to and always throws.
 /// </summary>
 /// <param name="request">Ignored.</param>
 /// <param name="cancellationToken">Ignored.</param>
 /// <exception cref="System.NotImplementedException">Always thrown.</exception>
 public Task <PutRolePolicyResponse> PutRolePolicyAsync(PutRolePolicyRequest request, CancellationToken cancellationToken = new CancellationToken())
 {
     var notImplemented = new System.NotImplementedException();
     throw notImplemented;
 }
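        /// <summary>
        /// End-to-end federation check for one identity provider: creates a temporary IAM role whose trust
        /// policy allows AssumeRoleWithWebIdentity from that provider, attaches an S3 access policy scoped to
        /// the federated user's prefix, obtains temporary credentials through the provider, exercises S3 with
        /// them, and finally removes the policy and the role.
        /// </summary>
        /// <param name="identityProvider">One of "Facebook", "Google" or "Amazon". Also used as the prefix of
        /// the app.config key <c>{identityProvider}ProviderAppId</c> and as the S3 key prefix.</param>
        /// <exception cref="ArgumentException">Thrown for any other provider name, before anything is created.
        /// Previously an unknown name fell through the switch and created a role with an empty Federated principal.</exception>
        /// <remarks>
        /// Cleanup runs in a finally block so a failure after CreateRole does not leave a role with S3
        /// permissions behind. The fixed 5 second sleep waits for IAM policy propagation.
        /// </remarks>
        public static void Test(string identityProvider)
        {
            string providerURL, providerAppIdName, providerUserIdName;
            ResolveProvider(identityProvider, out providerURL, out providerAppIdName, out providerUserIdName);

            //identity provider specific AppId is loaded from app.config (e.g)
            //  FacebookProviderAppId. GoogleProviderAppId, AmazonProviderAppId
            string providerAppId = ConfigurationManager.AppSettings[identityProvider +
                                                                    "ProviderAppId"];

            // Since the string is passed to String.Format, '{' & '}' has to be escaped.
            // Policy document specifies who can invoke AssumeRoleWithWebIdentity
            string trustPolicyTemplate = @"{{
                  ""Version"": ""2012-10-17"",
                  ""Statement"": [
                        {{
                              ""Effect"": ""Allow"",
                              ""Principal"": {{ ""Federated"": ""{1}"" }},
                              ""Action"": ""sts:AssumeRoleWithWebIdentity"",
                              ""Condition"": {{
                                    ""StringEquals"": {{""{1}:{2}"": ""{3}""}}
                              }}
                        }}
                  ]
                }}";

            // Defines what permissions to grant when AssumeRoleWithWebIdentity is called
            string accessPolicyTemplate = @"{{
                    ""Version"": ""2012-10-17"",
                    ""Statement"": [
                    {{
                        ""Effect"":""Allow"",
                        ""Action"":[""s3:GetObject"", ""s3:PutObject"", ""s3:DeleteObject""],
                        ""Resource"": [
                                ""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}"",
                                ""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}/*""
                        ]
                    }}
                    ]
                }}";

            // Login with credentials to create the role; credentials are defined in app.config.
            // The client is disposable, so scope it to this run.
            using (var iamClient = new AmazonIdentityManagementServiceClient())
            {
                // Create Trust policy
                CreateRoleRequest createRoleRequest = new CreateRoleRequest
                {
                    RoleName = "federationtestrole",
                    AssumeRolePolicyDocument = string.Format(trustPolicyTemplate,
                                                             identityProvider,
                                                             providerURL,
                                                             providerAppIdName,
                                                             providerAppId)
                };

                Console.WriteLine("\nTrust Policy Document:\n{0}\n",
                                  createRoleRequest.AssumeRolePolicyDocument);
                CreateRoleResponse createRoleResponse = iamClient.CreateRole(createRoleRequest);

                // From here on the role exists; whatever happens, tear it down again.
                try
                {
                    // Create Access policy (Permissions)
                    PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest
                    {
                        PolicyName     = "federationtestrole-rolepolicy",
                        RoleName       = "federationtestrole",
                        PolicyDocument = string.Format(accessPolicyTemplate,
                                                       identityProvider,
                                                       providerURL,
                                                       providerAppIdName,
                                                       providerAppId,
                                                       providerUserIdName)
                    };

                    Console.WriteLine("\nAccess Policy Document (Permissions):\n{0}\n",
                                      putRolePolicyRequest.PolicyDocument);
                    iamClient.PutRolePolicy(putRolePolicyRequest);

                    // Sleep for the policy to replicate
                    System.Threading.Thread.Sleep(5000);
                    AmazonS3Config config = new AmazonS3Config
                    {
                        ServiceURL     = "s3.amazonaws.com",
                        RegionEndpoint = Amazon.RegionEndpoint.USEast1
                    };

                    AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse =
                        GetTemporaryCredentials(identityProvider, providerAppId, createRoleResponse.Role.Arn);

                    S3Test s3Test = new S3Test();

                    s3Test.CreateS3Bucket("federationtestbucket",
                                          identityProvider + "/" +
                                          assumeRoleWithWebIdentityResponse.SubjectFromWebIdentityToken,
                                          assumeRoleWithWebIdentityResponse.Credentials, config);
                }
                finally
                {
                    CleanUpRole(iamClient);
                }
            }
        }

        // Maps a supported provider name to its federation host and to the claim names used in the trust
        // and access policy templates; rejects anything else before any AWS call is made.
        private static void ResolveProvider(string identityProvider, out string providerURL,
                                            out string providerAppIdName, out string providerUserIdName)
        {
            switch (identityProvider)
            {
            case "Facebook":
                providerURL        = "graph.facebook.com";
                providerAppIdName  = "app_id";
                providerUserIdName = "id";
                break;

            case "Google":
                providerURL        = "accounts.google.com";
                providerAppIdName  = "aud";
                providerUserIdName = "sub";
                break;

            case "Amazon":
                providerURL        = "www.amazon.com";
                providerAppIdName  = "app_id";
                providerUserIdName = "user_id";
                break;

            default:
                throw new ArgumentException("Unsupported identity provider: " + identityProvider, "identityProvider");
            }
        }

        // Obtains temporary credentials for the role through the provider-specific federation helper.
        private static AssumeRoleWithWebIdentityResponse GetTemporaryCredentials(string identityProvider,
                                                                                 string providerAppId,
                                                                                 string roleArn)
        {
            Federation federationTest = new Federation();

            switch (identityProvider)
            {
            case "Facebook":
                return federationTest.GetTemporaryCredentialUsingFacebook(providerAppId, roleArn);

            case "Google":
                //Uncomment to perform two step process
                //return federationTest.GetTemporaryCredentialUsingGoogle(
                //           providerAppId,
                //           ConfigurationManager.AppSettings["GoogleProviderAppIdSecret"],
                //           roleArn);
                return federationTest.GetTemporaryCredentialUsingGoogle(providerAppId, roleArn);

            case "Amazon":
                return federationTest.GetTemporaryCredentialUsingAmazon(
                    ConfigurationManager.AppSettings["AmazonProviderClientId"], roleArn);

            default:
                throw new ArgumentException("Unsupported identity provider: " + identityProvider, "identityProvider");
            }
        }

        // Deletes the inline policy and then the role. A missing policy (PutRolePolicy never ran) is
        // tolerated so the role itself is still removed.
        private static void CleanUpRole(AmazonIdentityManagementServiceClient iamClient)
        {
            try
            {
                iamClient.DeleteRolePolicy(new DeleteRolePolicyRequest
                {
                    PolicyName = "federationtestrole-rolepolicy",
                    RoleName   = "federationtestrole"
                });
            }
            catch (NoSuchEntityException)
            {
                // Nothing to delete: the failure happened before the policy was attached.
            }

            iamClient.DeleteRole(new DeleteRoleRequest
            {
                RoleName = "federationtestrole"
            });
        }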
 /// <summary>
 /// Test double: records the request in <c>PutRolePolicyRequests</c> instead of calling IAM and
 /// completes immediately with an empty response.
 /// </summary>
 /// <param name="rolePolicyRequest">The request to capture for later assertions.</param>
 /// <returns>An already-completed task holding a fresh <c>PutRolePolicyResponse</c>.</returns>
 public Task <PutRolePolicyResponse> PutRolePolicyAsync(PutRolePolicyRequest rolePolicyRequest)
 {
     PutRolePolicyRequests.Add(rolePolicyRequest);
     var response = new PutRolePolicyResponse();
     return Task.FromResult(response);
 }
 /// <summary>
 /// Forwards the request to the wrapped SDK client without inspecting or altering it.
 /// </summary>
 /// <param name="rolePolicyRequest">Request handed to <c>_client.PutRolePolicyAsync</c> unchanged.</param>
 /// <returns>The task returned by the underlying client.</returns>
 public Task <PutRolePolicyResponse> PutRolePolicyAsync(PutRolePolicyRequest rolePolicyRequest)
 {
     var pending = _client.PutRolePolicyAsync(rolePolicyRequest);
     return pending;
 }