public SessionAWSCredentials GetSamlRoleCredentails(string samlAssertion, string awsRole)
{
string[] role = awsRole.Split(',');
AssumeRoleWithSAMLRequest samlRequest = new AssumeRoleWithSAMLRequest();
samlRequest.SAMLAssertion = samlAssertion;
samlRequest.RoleArn = role[1];
samlRequest.PrincipalArn = role[0];
samlRequest.DurationSeconds = 3600;
AmazonSecurityTokenServiceClient sts;
AssumeRoleWithSAMLResponse samlResponse;
try {
sts = new AmazonSecurityTokenServiceClient();
samlResponse = sts.AssumeRoleWithSAML(samlRequest);
}
catch
{
sts = new AmazonSecurityTokenServiceClient("a", "b", "c");
samlResponse = sts.AssumeRoleWithSAML(samlRequest);
}
SessionAWSCredentials sessionCredentials = new SessionAWSCredentials(
samlResponse.Credentials.AccessKeyId,
samlResponse.Credentials.SecretAccessKey,
samlResponse.Credentials.SessionToken);
return(sessionCredentials);
}
public static async Task <SessionAWSCredentials> GetTemporaryFederatedCredentialsAsync(string bucketName)
{
var config = new AmazonSecurityTokenServiceConfig();
var stsClient = new AmazonSecurityTokenServiceClient(config);
var federationTokenRequest = new GetFederationTokenRequest();
federationTokenRequest.DurationSeconds = 7200;
federationTokenRequest.Name = "User1";
federationTokenRequest.Policy = @"{
""Statement"":
[
{
""Sid"":""Stmt1311212314284"",
""Action"":[""s3:ListBucket""],
""Effect"":""Allow"",
""Resource"":""arn:aws:s3:::" + bucketName + @"""
}
]
}
";
GetFederationTokenResponse federationTokenResponse =
await stsClient.GetFederationTokenAsync(federationTokenRequest);
Credentials credentials = federationTokenResponse.Credentials;
var sessionCredentials = new SessionAWSCredentials(
credentials.AccessKeyId,
credentials.SecretAccessKey,
credentials.SessionToken);
return(sessionCredentials);
}
public async Task CreateWithRoleArn_CreatesClientWithCredentials()
{
var roleArn = "test arn";
var instance = CreateInstance();
var credentials = new SessionAWSCredentials("key", "secret", "token");
StsClient.AssumeRoleAsync(Arg.Any <AssumeRoleRequest>()).Returns(new AssumeRoleResponse
{
Credentials = new Credentials
{
AccessKeyId = credentials.GetCredentials().AccessKey,
SecretAccessKey = credentials.GetCredentials().SecretKey,
SessionToken = credentials.GetCredentials().Token,
}
});
var result = await instance.Create(roleArn);
await StsFactory.Received().Create();
await StsClient.Received().AssumeRoleAsync(
Arg.Is <AssumeRoleRequest>(req => req.RoleArn == roleArn && req.RoleSessionName != null)
);
TestUtils.AssertClientHasCredentials((AmazonServiceClient)result, credentials);
}
public void SignRequest_should_apply_signature_to_request_right_culture()
{
Thread.CurrentThread.CurrentCulture = new CultureInfo("th");
var creds = new SessionAWSCredentials("ExampleKey", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "token1")
.GetCredentials();
SignV4Util.SignRequest(_sampleRequest, _sampleBody, creds, "us-east-1", "iam");
var amzDateValue = _sampleRequest.Headers.XAmzDate;
Assert.False(String.IsNullOrEmpty(amzDateValue));
var amzDates = amzDateValue.Split(',');
Assert.AreEqual(2, amzDates.Length);
Assert.True(amzDates[1].StartsWith(DateTime.UtcNow.Year.ToString()));
Trace.WriteLine("X-Amz-Date: " + amzDateValue);
var auth = _sampleRequest.Headers.Authorization;
Assert.False(String.IsNullOrEmpty(auth));
Trace.WriteLine("Authorize: " + auth);
var token = _sampleRequest.Headers.XAmzSecurityToken;
Assert.False(String.IsNullOrEmpty(token));
Trace.WriteLine("Token: " + token);
}
internal async Task <string> PutPreFillData <T>(T preFillData, PreFillMeta preFillMeta)
{
RegionEndpoint regionEndpoint = RegionEndpoint.GetBySystemName(preFillMeta.s3.region);
SessionAWSCredentials sessionAWSCredentials = new SessionAWSCredentials(
preFillMeta.credentials.AccessKeyId,
preFillMeta.credentials.SecretAccessKey,
preFillMeta.credentials.SessionToken
);
AmazonS3Client amazonS3Client = new AmazonS3Client(sessionAWSCredentials, regionEndpoint);
PutObjectRequest request = new PutObjectRequest
{
BucketName = preFillMeta.s3.bucket,
Key = preFillMeta.s3.key,
ContentBody = JsonConvert.SerializeObject(preFillData),
ContentType = "application/json",
CannedACL = S3CannedACL.Private,
ServerSideEncryptionMethod = ServerSideEncryptionMethod.AES256,
};
await amazonS3Client.PutObjectAsync(request);
return(preFillMeta.preFillFormDataId);
}
private void CreateClient()
{
if (this.service.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
this.service.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
{
// Local DynamoDB instance (for testing)
var credentials = new BasicAWSCredentials("dummy", "dummyKey");
this.ddbClient = new AmazonDynamoDBClient(credentials, new AmazonDynamoDBConfig {
ServiceURL = this.service
});
}
else if (!string.IsNullOrEmpty(this.accessKey) && !string.IsNullOrEmpty(this.secretKey) && !string.IsNullOrEmpty(this.token))
{
// AWS DynamoDB instance (auth via explicit credentials and token)
var credentials = new SessionAWSCredentials(this.accessKey, this.secretKey, this.token);
this.ddbClient = new AmazonDynamoDBClient(credentials, new AmazonDynamoDBConfig {
RegionEndpoint = AWSUtils.GetRegionEndpoint(this.service)
});
}
else if (!string.IsNullOrEmpty(this.accessKey) && !string.IsNullOrEmpty(this.secretKey))
{
// AWS DynamoDB instance (auth via explicit credentials)
var credentials = new BasicAWSCredentials(this.accessKey, this.secretKey);
this.ddbClient = new AmazonDynamoDBClient(credentials, new AmazonDynamoDBConfig {
RegionEndpoint = AWSUtils.GetRegionEndpoint(this.service)
});
}
else
{
// AWS DynamoDB instance (implicit auth - EC2 IAM Roles etc)
this.ddbClient = new AmazonDynamoDBClient(new AmazonDynamoDBConfig {
RegionEndpoint = AWSUtils.GetRegionEndpoint(this.service)
});
}
}
public FilesRepository(IAmazonS3 s3Client,
IOptions <SessionAwsCredentialsOptions> sessionAwsCredentialsOptions)
{
var env = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
_sessionAwsCredentialsOptions = sessionAwsCredentialsOptions.Value;
if (env.Contains("Local"))
{
// TODO: we must improve this client initialization, this code commented is just to test in the local environment. create a temporal session to test locally, use SSO temporal keys, update these keys in app settings
SessionAWSCredentials tempCredentials = new SessionAWSCredentials(_sessionAwsCredentialsOptions.AwsAccessKeyId,
_sessionAwsCredentialsOptions.AwsSecretAccessKey,
_sessionAwsCredentialsOptions.Token);
_s3Client = new AmazonS3Client(tempCredentials, RegionEndpoint.APSoutheast1);
}
else
{
// TODO: example using IAM keys
// IAM
//var credentials = new BasicAWSCredentials(_sessionAwsCredentialsOptions.AwsAccessKeyId, _sessionAwsCredentialsOptions.AwsSecretAccessKey);
//_s3Client = new AmazonS3Client(RegionEndpoint.APSoutheast1);
// TODO: using IAM role, deployed to development, staging or production
_s3Client = s3Client;
}
}
/// <summary>
/// Lists the objects in an Amazon S3 bucket using temporary federated
/// credentials.
/// </summary>
/// <param name="bucketRegion">The AWS Region where the S3 bucket is
/// located.</param>
/// <param name="bucketName">The name of the S3 bucket whose objects we
/// will list.</param>
public static async Task ListObjectsAsync(RegionEndpoint bucketRegion, string bucketName)
{
try
{
Console.WriteLine("Listing objects stored in a bucket");
// Credentials use the default AWS SDK for .NET credential search chain.
// On local development machines, this is your default profile.
SessionAWSCredentials tempCredentials =
await GetTemporaryFederatedCredentialsAsync(bucketName);
// Create a client by providing temporary security credentials.
using var client = new AmazonS3Client(bucketRegion);
ListObjectsRequest listObjectRequest = new ();
listObjectRequest.BucketName = bucketName;
ListObjectsResponse response = await client.ListObjectsAsync(listObjectRequest);
List <S3Object> objects = response.S3Objects;
Console.WriteLine($"Object count = {objects.Count}", objects.Count);
Console.WriteLine("Press any key to continue...");
Console.ReadKey();
}
catch (AmazonS3Exception e)
{
Console.WriteLine($"Error: {e.Message}");
}
}
/// <summary>
/// Uses temporary credentials to list the objects in an Amazon S3
/// bucket.
/// </summary>
/// <param name="credentials">Temporary AWS Credentials.</param>
/// <param name="bucketRegion">The Region where the bucket is located.</param>
/// <param name="bucketName">The name of the bucket to access.</param>
public static async Task ListObjectsAsync(SessionAWSCredentials credentials, RegionEndpoint bucketRegion, string bucketName)
{
try
{
// Credentials use the default AWS SDK for .NET credential search chain.
// On local development machines, this is your default profile.
Console.WriteLine("Listing objects stored in a bucket");
// Create a client by providing temporary security credentials.
using var client = new AmazonS3Client(credentials, bucketRegion);
var listObjectRequest = new ListObjectsRequest
{
BucketName = bucketName,
};
// Send request to Amazon S3.
ListObjectsResponse response = await client.ListObjectsAsync(listObjectRequest);
List <S3Object> objects = response.S3Objects;
Console.WriteLine("Object count = {0}", objects.Count);
}
catch (AmazonS3Exception s3Exception)
{
Console.WriteLine(s3Exception.Message, s3Exception.InnerException);
}
catch (AmazonSecurityTokenServiceException stsException)
{
Console.WriteLine(stsException.Message, stsException.InnerException);
}
}
public AWSCredentials GetCredential()
{
AWSCredentials credentials = null;
if (Profile.IsNotNullOrEmpty())
{
credentials = GetCredentialsFromProfile();
}
else
{
if (AccessKey.IsNotNullOrEmpty() || SecretKey.IsNotNullOrEmpty())
{
if (SessionToken.IsNullOrEmpty())
{
credentials = new BasicAWSCredentials(AccessKey, SecretKey);
}
else
{
credentials = new SessionAWSCredentials(AccessKey, SecretKey, SessionToken);
}
}
}
if (RoleArn.IsNotNullOrEmpty())
{
credentials = AssumeRole(credentials);
}
return(credentials);
}
private static async Task ListObjectsAsync()
{
try
{
Console.WriteLine("Listing objects stored in a bucket");
// Credentials use the default AWS SDK for .NET credential search chain.
// On local development machines, this is your default profile.
SessionAWSCredentials tempCredentials =
await GetTemporaryFederatedCredentialsAsync();
// Create a client by providing temporary security credentials.
using (client = new AmazonS3Client(bucketRegion))
{
ListObjectsRequest listObjectRequest = new ListObjectsRequest();
listObjectRequest.BucketName = bucketName;
ListObjectsResponse response = await client.ListObjectsAsync(listObjectRequest);
List <S3Object> objects = response.S3Objects;
Console.WriteLine("Object count = {0}", objects.Count);
Console.WriteLine("Press any key to continue...");
Console.ReadKey();
}
}
catch (AmazonS3Exception e)
{
Console.WriteLine("Error encountered ***. Message:'{0}' when writing an object", e.Message);
}
catch (Exception e)
{
Console.WriteLine("Unknown encountered on server. Message:'{0}' when writing an object", e.Message);
}
}
public static AmazonS3Client GetApi(AccountConfiguration account)
{
AWSCredentials credentials;
if (account.AdditionalSettings != null && account.AdditionalSettings.ContainsKey("UseSessionToken") && Convert.ToBoolean(account.AdditionalSettings["UseSessionToken"]) == true && account.AdditionalSettings.ContainsKey("SessionToken"))
{
credentials = new SessionAWSCredentials(account.Id, account.Secret, account.AdditionalSettings["SessionToken"]);
}
else
{
credentials = new BasicAWSCredentials(account.Id, account.Secret);
}
var region = RegionEndpoint.USWest1;
if (account.AdditionalSettings != null && account.AdditionalSettings.ContainsKey("AWSRegion"))
{
var regionName = account.AdditionalSettings["AWSRegion"];
region = RegionEndpoint.GetBySystemName(regionName);
}
var api = GetApi(credentials, region);
return(api);
}
public async Task UploadFileToS3Async(S3Credentials sc, IFormFile f)
{
RegionEndpoint bucketRegion = RegionEndpoint.USEast1;
var sessionCredentials =
new SessionAWSCredentials(sc.AccessKeyId,
sc.SecretAccessKey,
sc.SessionToken);
IAmazonS3 s3Client = new AmazonS3Client(sessionCredentials, bucketRegion);
try
{
var fileTransferUtility =
new TransferUtility(s3Client);
await fileTransferUtility.UploadAsync(f.OpenReadStream(),
sc.Bucket, sc.Key);
Console.WriteLine("Upload 3 completed");
}
catch (AmazonS3Exception e)
{
Console.WriteLine("Error encountered on server. Message:'{0}' when writing an object", e.Message);
}
catch (Exception e)
{
Console.WriteLine("Unknown encountered on server. Message:'{0}' when writing an object", e.Message);
}
}
private async Task <FormSubmission <T> > GetFormSubmission <T>(FormSubmissionRetrievalConfiguration formRetrievalData)
{
if (formRetrievalData == null || formRetrievalData.s3 == null || formRetrievalData.credentials == null)
{
throw new Exception("Could not create credentials to retrieve form submission data");
}
RegionEndpoint regionEndpoint = RegionEndpoint.GetBySystemName(formRetrievalData.s3.region);
SessionAWSCredentials sessionAWSCredentials = new SessionAWSCredentials(
formRetrievalData.credentials.AccessKeyId,
formRetrievalData.credentials.SecretAccessKey,
formRetrievalData.credentials.SessionToken
);
AmazonS3Client amazonS3Client = new AmazonS3Client(sessionAWSCredentials, regionEndpoint);
string responseBody = "";
using (GetObjectResponse response = await amazonS3Client.GetObjectAsync(formRetrievalData.s3.bucket, formRetrievalData.s3.key, null))
using (Stream responseStream = response.ResponseStream)
using (StreamReader reader = new StreamReader(responseStream))
{
responseBody = reader.ReadToEnd();
}
return(JsonConvert.DeserializeObject <FormSubmission <T> >(responseBody));
}
public async Task <List <S3Object> > GetAllObjectFromS3(string bucketName)
{
try
{
SessionAWSCredentials tempCredentials = _sessionCredential;
// Create client by providing temporary security credentials.
using (client = new AmazonS3Client(tempCredentials, Amazon.RegionEndpoint.APSoutheast2))
{
ListObjectsRequest listObjectRequest =
new ListObjectsRequest {
BucketName = bucketName
};
// Send request to Amazon S3.
ListObjectsResponse response = await client.ListObjectsAsync(listObjectRequest);
List <S3Object> objects = response.S3Objects;
return(objects);
}
}
catch (AmazonS3Exception s3Exception)
{
Console.WriteLine(s3Exception.Message,
s3Exception.InnerException);
}
catch (AmazonSecurityTokenServiceException stsException)
{
Console.WriteLine(stsException.Message,
stsException.InnerException);
}
throw new Exception("Can not list object from Amazone S3 Bucket");
}
async static Task <List <SendDataPoint> > GetSesStatsForAccount(string Account)
{
string strRoleARN = "arn:aws:iam::" + Account + ":role/" + AssumedRoleName;
Amazon.SecurityToken.AmazonSecurityTokenServiceClient stsClient = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient();
var assumeRoleResponse = await stsClient.AssumeRoleAsync(new Amazon.SecurityToken.Model.AssumeRoleRequest {
RoleArn = strRoleARN, RoleSessionName = "TempSession"
});
SessionAWSCredentials sessionCredentials =
new SessionAWSCredentials(assumeRoleResponse.Credentials.AccessKeyId,
assumeRoleResponse.Credentials.SecretAccessKey,
assumeRoleResponse.Credentials.SessionToken);
var regions = new Amazon.RegionEndpoint[] { Amazon.RegionEndpoint.USEast1, Amazon.RegionEndpoint.USWest2, Amazon.RegionEndpoint.EUWest1 };
List <SendDataPoint> lst = new List <SendDataPoint>();
foreach (var region in regions)
{
Console.WriteLine($"Checking {region.ToString()} for account {Account}");
AmazonSimpleEmailServiceClient sesClient = new AmazonSimpleEmailServiceClient(sessionCredentials, region);
var response = await sesClient.GetSendStatisticsAsync();
lst.AddRange(response.SendDataPoints);
}
return(lst);
}
public void TestAssumeRole()
{
var clientId = Guid.NewGuid();
var roleArn = _role.Arn;
const string sessionName = "NetUser";
// sleep for IAM data to propagate
Thread.Sleep(TimeSpan.FromSeconds(10));
var sts = new AmazonSecurityTokenServiceClient(_userCredentials);
Thread.Sleep(TimeSpan.FromSeconds(60));
var result = sts.AssumeRole(new AssumeRoleRequest
{
RoleArn = roleArn,
RoleSessionName = sessionName,
DurationSeconds = 3600,
ExternalId = clientId.ToString()
});
var credentials = result.Credentials;
var sessionCredentials = new SessionAWSCredentials(credentials.AccessKeyId, credentials.SecretAccessKey, credentials.SessionToken);
var client = new AmazonIdentityManagementServiceClient(sessionCredentials);
var response = client.ListRoles();
Assert.IsNotNull(response);
client = new AmazonIdentityManagementServiceClient(credentials);
response = client.ListRoles();
Assert.IsNotNull(response);
}
private async Task EC2Instance(AssetScanCompletedEvent request)
{
IAmazonSecurityTokenService STSClient = new AmazonSecurityTokenServiceClient("AKIAXMJHA33LOQPJKCXO", "t1EvatLh4zIl7cBNyGR8rEE2k1vgKOiiDu6wg8IT", RegionEndpoint.USEast2);
using (var client = STSClient)
{
GetSessionTokenRequest getSessionTokenRequest = new GetSessionTokenRequest()
{
DurationSeconds = 900
};
GetSessionTokenResponse tokenResponse = await client.GetSessionTokenAsync(getSessionTokenRequest);
//Console.WriteLine("SecretAccessKey: "+tokenResponse.Credentials.SecretAccessKey+" \n AccessKeyId: "+tokenResponse.Credentials.AccessKeyId+"\n SessionToken: "+tokenResponse.Credentials.SessionToken+" \n Expiration: "+tokenResponse.Credentials.Expiration);
var response = STSClient.AssumeRoleAsync(new AssumeRoleRequest
{
RoleArn = "arn:aws:iam::507424857814:role/DemoEC2",
RoleSessionName = "EC2User",
DurationSeconds = 900
});
var tempCredentials = new SessionAWSCredentials
(
response.Result.Credentials.AccessKeyId,
response.Result.Credentials.SecretAccessKey,
response.Result.Credentials.SessionToken
);
// var test= new BasicAWSCredentials("AKIAXMJHA33LOQPJKCXO","t1EvatLh4zIl7cBNyGR8rEE2k1vgKOiiDu6wg8IT");
//Console.WriteLine("SecretAccessKey: " + response.Result.Credentials.SecretAccessKey + " \n AccessKey: " + response.Result.Credentials.AccessKeyId + " \n SessionToken: " + response.Result.Credentials.SessionToken + " \n Expiration: " + response.Result.Credentials.Expiration);
//await Task.Delay(900500);
//Console.WriteLine("Afetr 15 minute .......");
IAmazonEC2 ec2 = new AmazonEC2Client(tempCredentials, Amazon.RegionEndpoint.USEast2);
//Amazon.Util.EC2InstanceMetadata.Hostname;
// list of Instance
var result = await ec2.DescribeInstancesAsync();
// Console.WriteLine("\n List of Instance");
foreach (var reservation in result.Reservations)
{
foreach (var instance in reservation.Instances)
{
_logger.LogInformation("EC2 for instance ID {0} {1} {2}", request.ScanID, instance.InstanceId, instance.InstanceType);
//Console.WriteLine(instance.InstanceId);
}
}
//Console.WriteLine("\n Get by InstanceID");
//var response2 = ec2.DescribeInstancesAsync(new DescribeInstancesRequest
//{
// InstanceIds = new List<string>
// {
// "i-0e76148b03298009a"
// }
//});
//Console.WriteLine(response2.Result.HttpStatusCode);
}
}
public AWSStepFunctionsAPI(SessionAWSCredentials sessionAWSCredentials)
{
this.sessionAWSCredentials = sessionAWSCredentials;
var credentials = sessionAWSCredentials.GetCredentials();
basicAWSCredentials = new BasicAWSCredentials(credentials.AccessKey, credentials.SecretKey);
amazonStepFunctionsClient = new AmazonStepFunctionsClient(sessionAWSCredentials);
}
public AWSLambdaAPI(SessionAWSCredentials sessionAWSCredentials)
{
this.sessionAWSCredentials = sessionAWSCredentials;
var credentials = sessionAWSCredentials.GetCredentials();
basicAWSCredentials = new BasicAWSCredentials(credentials.AccessKey, credentials.SecretKey);
amazonLambdaClient = new AmazonLambdaClient(sessionAWSCredentials);
}
/// <summary>
/// provide support for resolving AthenaAPI from AWS environment
/// </summary>
/// <param name="sessionAWSCredentials"></param>
public AWSAthenaAPI(SessionAWSCredentials sessionAWSCredentials)
{
this.sessionAWSCredentials = sessionAWSCredentials;
var credentials = sessionAWSCredentials.GetCredentials();
basicAWSCredentials = new BasicAWSCredentials(credentials.AccessKey, credentials.SecretKey);
amazonAthenaClient = new AmazonAthenaClient(sessionAWSCredentials);
DefaultOutputLocation = Environment.GetEnvironmentVariable("AWSAthenaDefaultOutputLocation");
}
protected virtual IAwsClientFactory CreateClientFactory()
{
var credentials = new SessionAWSCredentials(AccessKeyId, SecretAccessKey, SessionToken);
return(new DefaultAwsClientFactory(credentials)
{
ServiceUri = ServiceUri
});
}
private async Task TestConnection()
{
if (this.TestResult != null)
{
return;
}
m_lblTestResult.Visible = true;
if (string.IsNullOrEmpty(this.AccessKey) || string.IsNullOrEmpty(this.SecretKey))
{
m_lblTestResult.Text = "Please enter Access Key and Secret Key";
return;
}
if (m_chkUseSessionToken.Checked == true && string.IsNullOrEmpty(this.SessionToken))
{
m_lblTestResult.Text = "Please enter Session Token";
return;
}
this.Enabled = false;
m_lblTestResult.Text = "Testing Connection...";
this.TestResult = null;
AWSCredentials credentials;
if (m_chkUseSessionToken.Checked == false)
{
credentials = new BasicAWSCredentials(this.AccessKey, this.SecretKey);
}
else
{
credentials = new SessionAWSCredentials(this.AccessKey, this.SecretKey, this.SessionToken);
}
try
{
using (var api = AmazonS3Helper.GetApi(credentials, this.AWSRegion))
{
var buckets = await api.ListBucketsAsync();
m_lblTestResult.Text = "Connection succeeded.";
this.TestResult = true;
}
}
catch (Exception ex)
{
m_lblTestResult.Text = "Connection failed!";
this.TestResult = false;
}
finally
{
this.Enabled = true;
}
}
public RavenAwsGlacierClient(GlacierSettings glacierSettings, Config.Categories.BackupConfiguration configuration, Progress progress = null, CancellationToken cancellationToken = default)
{
if (glacierSettings == null)
{
throw new ArgumentNullException(nameof(glacierSettings));
}
if (configuration == null)
{
throw new ArgumentNullException(nameof(configuration));
}
if (string.IsNullOrWhiteSpace(glacierSettings.AwsAccessKey))
{
throw new ArgumentException("AWS Access Key cannot be null or empty");
}
if (string.IsNullOrWhiteSpace(glacierSettings.AwsSecretKey))
{
throw new ArgumentException("AWS Secret Key cannot be null or empty");
}
if (string.IsNullOrWhiteSpace(glacierSettings.VaultName))
{
throw new ArgumentException("AWS Vault Name cannot be null or empty");
}
if (string.IsNullOrWhiteSpace(glacierSettings.AwsRegionName))
{
throw new ArgumentException("AWS Region Name cannot be null or empty");
}
var region = RegionEndpoint.GetBySystemName(glacierSettings.AwsRegionName);
AWSCredentials credentials;
if (string.IsNullOrWhiteSpace(glacierSettings.AwsSessionToken))
{
credentials = new BasicAWSCredentials(glacierSettings.AwsAccessKey, glacierSettings.AwsSecretKey);
}
else
{
credentials = new SessionAWSCredentials(glacierSettings.AwsAccessKey, glacierSettings.AwsSecretKey, glacierSettings.AwsSessionToken);
}
_client = new AmazonGlacierClient(credentials, new AmazonGlacierConfig
{
RegionEndpoint = region,
Timeout = configuration.CloudStorageOperationTimeout.AsTimeSpan
});
_region = glacierSettings.AwsRegionName;
_vaultName = glacierSettings.VaultName;
_progress = progress;
_cancellationToken = cancellationToken;
}
private void CreateClient()
{
if (this.service.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
this.service.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
{
// Local DynamoDB instance (for testing)
var credentials = new BasicAWSCredentials("dummy", "dummyKey");
this.ddbClient = new AmazonDynamoDBClient(credentials, new AmazonDynamoDBConfig {
ServiceURL = this.service
});
}
else if (!string.IsNullOrEmpty(this.accessKey) && !string.IsNullOrEmpty(this.secretKey) && !string.IsNullOrEmpty(this.token))
{
// AWS DynamoDB instance (auth via explicit credentials and token)
var credentials = new SessionAWSCredentials(this.accessKey, this.secretKey, this.token);
this.ddbClient = new AmazonDynamoDBClient(credentials, new AmazonDynamoDBConfig {
RegionEndpoint = AWSUtils.GetRegionEndpoint(this.service)
});
}
else if (!string.IsNullOrEmpty(this.accessKey) && !string.IsNullOrEmpty(this.secretKey))
{
// AWS DynamoDB instance (auth via explicit credentials)
var credentials = new BasicAWSCredentials(this.accessKey, this.secretKey);
this.ddbClient = new AmazonDynamoDBClient(credentials, new AmazonDynamoDBConfig {
RegionEndpoint = AWSUtils.GetRegionEndpoint(this.service)
});
}
else if (!string.IsNullOrEmpty(this.profileName))
{
// AWS DynamoDB instance (auth via explicit credentials and token found in a named profile)
var chain = new CredentialProfileStoreChain();
if (chain.TryGetAWSCredentials(this.profileName, out var credentials))
{
this.ddbClient = new AmazonDynamoDBClient(
credentials,
new AmazonDynamoDBConfig
{
RegionEndpoint = AWSUtils.GetRegionEndpoint(this.service)
});
}
else
{
throw new InvalidOperationException(
$"AWS named profile '{this.profileName}' provided, but credentials could not be retrieved");
}
}
else
{
// AWS DynamoDB instance (implicit auth - EC2 IAM Roles etc)
this.ddbClient = new AmazonDynamoDBClient(new AmazonDynamoDBConfig {
RegionEndpoint = AWSUtils.GetRegionEndpoint(this.service)
});
}
}
virtual public AmazonS3Client AppMode_CreateS3Client(Credentials credentials, RegionEndpoint regionEndpoint)
{
AmazonS3Client s3Client;
var sessionCredentials = new SessionAWSCredentials(
credentials.AccessKeyId,
credentials.SecretAccessKey,
credentials.SessionToken);
s3Client = new AmazonS3Client(sessionCredentials, regionEndpoint);
return(s3Client);
}
protected virtual async Task <SessionAWSCredentials> GetTemporaryFederatedCredentialsAsync(
AwsBlobProviderConfiguration configuration)
{
Check.NotNullOrWhiteSpace(configuration.Name, nameof(configuration.Name));
Check.NotNullOrWhiteSpace(configuration.Policy, nameof(configuration.Policy));
var temporaryCredentialsCache = await Cache.GetAsync(configuration.TemporaryCredentialsCacheKey);
if (temporaryCredentialsCache == null)
{
AmazonSecurityTokenServiceClient stsClient;
if (!configuration.AccessKeyId.IsNullOrEmpty() && !configuration.SecretAccessKey.IsNullOrEmpty())
{
stsClient = new AmazonSecurityTokenServiceClient(configuration.AccessKeyId,
configuration.SecretAccessKey);
}
else
{
var awsCredentials = GetAwsCredentials(configuration);
stsClient = awsCredentials == null
? new AmazonSecurityTokenServiceClient()
: new AmazonSecurityTokenServiceClient(awsCredentials);
}
using (stsClient)
{
var federationTokenRequest =
new GetFederationTokenRequest
{
DurationSeconds = configuration.DurationSeconds,
Name = configuration.Name,
Policy = configuration.Policy
};
var federationTokenResponse =
await stsClient.GetFederationTokenAsync(federationTokenRequest);
var credentials = federationTokenResponse.Credentials;
temporaryCredentialsCache =
await SetTemporaryCredentialsCache(configuration, credentials);
}
}
var sessionCredentials = new SessionAWSCredentials(
StringEncryptionService.Decrypt(temporaryCredentialsCache.AccessKeyId),
StringEncryptionService.Decrypt(temporaryCredentialsCache.SecretAccessKey),
StringEncryptionService.Decrypt(temporaryCredentialsCache.SessionToken));
return(sessionCredentials);
}
virtual public bool AppMode_TestSnsAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials)
{
try
{
var snsClient = new AmazonSimpleNotificationServiceClient(credentials, regionEndpoint);
snsClient.ListTopics(new ListTopicsRequest());
return(true);
}
catch
{
return(false);
}
}
virtual public bool AppMode_TestSqsAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials)
{
try
{
var sqsClient = new AmazonSQSClient(credentials, regionEndpoint);
sqsClient.ListQueues(new ListQueuesRequest());
return(true);
}
catch
{
return(false);
}
}
virtual public bool AppMode_TestIamAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials)
{
try
{
var iamClient = new AmazonIdentityManagementServiceClient(credentials, regionEndpoint);
iamClient.ListUsers(new ListUsersRequest());
return(true);
}
catch
{
return(false);
}
}
