private static void UpdateUser(String OldUserName, String NewUserName, String NewPath)
{
if (String.IsNullOrEmpty(Token))
{
stsClient = new AmazonIdentityManagementServiceClient(AccessKeyId, SecretKey, iamconfig);
}
else
{
stsClient = new AmazonIdentityManagementServiceClient(AccessKeyId, SecretKey, Token, iamconfig);
}
UpdateUserRequest req = new UpdateUserRequest(OldUserName);
if (!String.IsNullOrEmpty(NewUserName))
{
req.NewUserName = NewUserName;
}
if (!String.IsNullOrEmpty(NewPath))
{
req.NewPath = NewPath;
}
try
{
UpdateUserResponse response = stsClient.UpdateUser(req);
Console.WriteLine("User updated");
}
catch (Exception ex)
{
Console.WriteLine("Error occured while creating user. " + ex.ToString());
}
}
public static void DetachRolePolicy()
{
var client = new AmazonIdentityManagementServiceClient();
string policy = GenerateRolePolicyDocument();
CreateRoleRequest roleRequest = new CreateRoleRequest()
{
RoleName = "tester",
AssumeRolePolicyDocument = policy
};
var request = new DetachRolePolicyRequest()
{
PolicyArn = "arn:aws:iam::123456789:policy/DemoEC2Permissions",
RoleName = "tester"
};
try
{
var response = client.DetachRolePolicy(request);
Console.WriteLine("Policy DemoEC2Permissions detached from Role 'tester'");
}
catch (NoSuchEntityException e)
{
Console.WriteLine
(e.Message);
}
catch (InvalidInputException i)
{
Console.WriteLine
(i.Message);
}
}
private Dictionary <string, string> CanCreateUser(string awsid, string awskey)
{
var dict = new Dictionary <string, string>();
var cl = new AmazonIdentityManagementServiceClient(awsid, awskey);
try
{
var user = cl.GetUser().User;
dict["isroot"] = "False"; //user.Arn.EndsWith(":root", StringComparison.Ordinal).ToString();
dict["arn"] = user.Arn;
dict["id"] = user.UserId;
dict["name"] = user.UserName;
dict["isroot"] = (cl.SimulatePrincipalPolicy(new SimulatePrincipalPolicyRequest()
{
PolicySourceArn = user.Arn, ActionNames = new[] { "iam:CreateUser" }.ToList()
}).EvaluationResults.First().EvalDecision == PolicyEvaluationDecisionType.Allowed).ToString();
}
catch (Exception ex)
{
dict["ex"] = ex.ToString();
dict["error"] = ex.Message;
}
return(dict);
}
// snippet-end:[STS.dotnetv3.AssumeRoleAsync]
// snippet-start:[IAM.dotnetv3.DeleteResourcesAsync]
/// <summary>
/// Delete the user, and other resources created for this example.
/// </summary>
/// <param name="client">The initialized client object.</param>
/// <param name=accessKeyId">The Id of the user's access key.</param>"
/// <param name="userName">The user name of the user to delete.</param>
/// <param name="policyName">The name of the policy to delete.</param>
/// <param name="policyArn">The Amazon Resource Name ARN of the Policy to delete.</param>
/// <param name="roleName">The name of the role that will be deleted.</param>
public static async Task DeleteResourcesAsync(
AmazonIdentityManagementServiceClient client,
string accessKeyId,
string userName,
string policyArn,
string roleName)
{
var detachPolicyResponse = await client.DetachRolePolicyAsync(new DetachRolePolicyRequest
{
PolicyArn = policyArn,
RoleName = roleName,
});
var delPolicyResponse = await client.DeletePolicyAsync(new DeletePolicyRequest
{
PolicyArn = policyArn,
});
var delRoleResponse = await client.DeleteRoleAsync(new DeleteRoleRequest
{
RoleName = roleName,
});
var delAccessKey = await client.DeleteAccessKeyAsync(new DeleteAccessKeyRequest
{
AccessKeyId = accessKeyId,
UserName = userName,
});
var delUserResponse = await client.DeleteUserAsync(new DeleteUserRequest
{
UserName = userName,
});
}
/// <summary>
/// Internal method that cleans up the created user pool (along with associated client/user)
/// for testing
/// </summary>
public override void Dispose()
{
try
{
using (var client = new AmazonIdentityManagementServiceClient())
{
client.DetachRolePolicyAsync(new DetachRolePolicyRequest()
{
PolicyArn = policyArn,
RoleName = roleName
}).Wait();
client.DeletePolicyAsync(new DeletePolicyRequest()
{
PolicyArn = policyArn
}).Wait();
client.DeleteRoleAsync(new DeleteRoleRequest()
{
RoleName = roleName
}).Wait();
}
}
catch (Exception ex)
{
System.Diagnostics.Debug.WriteLine(ex.Message);
}
base.Dispose();
}
public CreateDeploymentResponse DeployToStack(
AmazonCodeDeployClient codeDeployClient,
AmazonIdentityManagementServiceClient iamClient,
AmazonAutoScalingClient autoScalingClient,
Role role)
{
var deploymentGroupName = _stackName + "_" + BundleName;
EnsureDeploymentGroupExistsForBundle(codeDeployClient, iamClient, autoScalingClient, role, deploymentGroupName);
var deploymentResponse = codeDeployClient.CreateDeployment(new CreateDeploymentRequest
{
ApplicationName = CodeDeployApplicationName,
DeploymentGroupName = deploymentGroupName,
Revision = new RevisionLocation
{
RevisionType = RevisionLocationType.S3,
S3Location = new S3Location
{
Bucket = Bucket,
Key = FileName,
BundleType = BundleType.Zip,
ETag = ETag
}
}
});
return(deploymentResponse);
}
/// <summary>
/// Create the role if it's not there already.
/// Return true if it already existed.
/// </summary>
/// <returns></returns>
private static async Task <bool> ValidateAndSetIamRoleArn(AmazonIdentityManagementServiceClient iamClient)
{
var getRoleRequest = new GetRoleRequest
{
RoleName = ExecutionRoleName
};
try
{
ExecutionRoleArn = (await iamClient.GetRoleAsync(getRoleRequest)).Role.Arn;
return(true);
}
catch (NoSuchEntityException)
{
// create the role
var createRoleRequest = new CreateRoleRequest
{
RoleName = ExecutionRoleName,
Description = "Test role for CustomRuntimeTests.",
AssumeRolePolicyDocument = LAMBDA_ASSUME_ROLE_POLICY
};
ExecutionRoleArn = (await iamClient.CreateRoleAsync(createRoleRequest)).Role.Arn;
// Wait for role to propagate.
await Task.Delay(10000);
return(false);
}
}
virtual public string PrepMode_CreateRole(AmazonIdentityManagementServiceClient iamClient, string roleName,
string policyText, string trustRelationshipText)
{
var roleArn = String.Empty;
// Use the CreateRoleRequest object to define the role. The AssumeRolePolicyDocument property should be
// set to the value of the trustRelationshipText parameter.
var createRoleRequest = new CreateRoleRequest
{
AssumeRolePolicyDocument = trustRelationshipText,
RoleName = roleName
};
roleArn = iamClient.CreateRole(createRoleRequest).Role.Arn;
// Use the PutRolePolicyRequest object to define the request. Select whatever policy name you would like.
// The PolicyDocument property is there the policy is described.
var putRolePolicyRequest = new PutRolePolicyRequest
{
RoleName = roleName,
PolicyName = String.Format("{0}_policy", roleName),
PolicyDocument = policyText
};
iamClient.PutRolePolicy(putRolePolicyRequest);
return(roleArn);
}
/// <summary>
/// Initializes an IAM Client object and then calls CreatePolicyAsync
/// to create the policy.
/// </summary>
public static async Task Main()
{
// Represents JSON code for AWS managed full access policy for
// Amazon Simple Storage Service (Amazon S3).
string s3FullAccessPolicy = "{" +
" \"Statement\" : [{"+
" \"Action\" : [\"s3:*\"],"+
" \"Effect\" : \"Allow\","+
" \"Resource\" : \"*\""+
"}]" +
"}";
string policyName = "S3FullAccess";
var client = new AmazonIdentityManagementServiceClient();
var response = await client.CreatePolicyAsync(new CreatePolicyRequest
{
PolicyDocument = s3FullAccessPolicy,
PolicyName = policyName,
});
if (response is not null)
{
var policy = response.Policy;
Console.WriteLine($"{policy.PolicyName} created with ID: {policy.PolicyId}.");
}
else
{
Console.WriteLine("Coultn't create policy.");
}
}
public async Task TestThreadingLogging()
{
// run all test cases in one test to ensure they run serially
using (var lambdaClient = new AmazonLambdaClient(TestRegion))
using (var s3Client = new AmazonS3Client(TestRegion))
using (var iamClient = new AmazonIdentityManagementServiceClient(TestRegion))
{
var roleAlreadyExisted = false;
try
{
roleAlreadyExisted = await PrepareTestResources(s3Client, lambdaClient, iamClient);
await InvokeLoggerTestController(lambdaClient);
}
catch (NoDeploymentPackageFoundException)
{
#if DEBUG
// The CodePipeline for this project doesn't currently build the deployment in the stage that runs
// this test. For now ignore this test in release mode if the deployment package can't be found.
throw;
#endif
}
finally
{
await CleanUpTestResources(s3Client, lambdaClient, iamClient, roleAlreadyExisted);
}
}
}
public static Credentials GetTemporaryCredentials(string policy)
{
var config = new AmazonSecurityTokenServiceConfig
{
RegionEndpoint = RegionEndpoint.APSoutheast2
};
var client = new AmazonSecurityTokenServiceClient(config);
var iamClient = new AmazonIdentityManagementServiceClient(
RegionEndpoint.APSoutheast2);
var iamRoleName = EC2InstanceMetadata.GetData("/iam/security-credentials");
var role = iamClient.GetRole(
new GetRoleRequest()
{
RoleName = iamRoleName
});
var assumeRoleRequest = new AssumeRoleRequest()
{
RoleArn = role.Role.Arn,
RoleSessionName = Guid.NewGuid().ToString().Replace("-", ""),
DurationSeconds = 900
};
if (!string.IsNullOrEmpty(policy))
{
assumeRoleRequest.Policy = policy;
}
var assumeRoleResponse =
client.AssumeRole(assumeRoleRequest);
var credentials = assumeRoleResponse.Credentials;
return(credentials);
}
/// <summary>
/// Delete the instance profile created for the sample.
/// </summary>
void DeleteInstanceProfile()
{
var roleName = "magicec2" + RESOURCDE_POSTFIX;
// AmazonIdentityManagementServiceClient
var client = new AmazonIdentityManagementServiceClient(accessKeyId, secretAccessKey, region);
client.DeleteRolePolicyAsync(new DeleteRolePolicyRequest
{
RoleName = roleName,
PolicyName = "S3Access"
});
client.RemoveRoleFromInstanceProfileAsync(new RemoveRoleFromInstanceProfileRequest
{
InstanceProfileName = roleName,
RoleName = roleName
});
client.DeleteRoleAsync(new DeleteRoleRequest
{
RoleName = roleName
});
client.DeleteInstanceProfileAsync(new DeleteInstanceProfileRequest
{
InstanceProfileName = roleName
});
}
public void SetUp()
{
_awsConfiguration = new AwsConfiguration
{
AwsEndpoint = TestConfiguration.AwsEndpoint,
Credentials = new TestSuiteCredentials()
};
_iamClient = new AmazonIdentityManagementServiceClient(
new AmazonIdentityManagementServiceConfig
{
RegionEndpoint = _awsConfiguration.AwsEndpoint,
ProxyHost = _awsConfiguration.ProxyHost,
ProxyPort = _awsConfiguration.ProxyPort
});
var user = _iamClient.CreateUser(new CreateUserRequest
{
UserName = _userName
}).User;
_roleToAssume = _iamClient.CreateRoleToAssume(user);
_awsConfiguration.RoleName = _roleToAssume.Arn;
_s3Client = new AmazonS3Client(new AmazonS3Config {
RegionEndpoint = _awsConfiguration.AwsEndpoint
});
DeletePreviousTestStack();
}
private static void UpdateAccessKey(String UAccessKeyId, String Status, String UserName = "")
{
if (String.IsNullOrEmpty(Token))
{
stsClient = new AmazonIdentityManagementServiceClient(AccessKeyId, SecretKey, iamconfig);
}
else
{
stsClient = new AmazonIdentityManagementServiceClient(AccessKeyId, SecretKey, Token, iamconfig);
}
UpdateAccessKeyRequest req = new UpdateAccessKeyRequest(UAccessKeyId, Status);
if (!String.IsNullOrEmpty(UserName))
{
req.UserName = UserName;
}
try
{
UpdateAccessKeyResponse response = stsClient.UpdateAccessKey(req);
Console.WriteLine("User updated");
}
catch (Exception ex)
{
Console.WriteLine("Error occured while creating user. " + ex.ToString());
}
}
/// <summary>
/// This method creates a new IAM user.
/// </summary>
/// <param name="client">The IAM client object.</param>
/// <param name="request">The user creation request.</param>
/// <returns>The object returned by the call to CreateUserAsync.</returns>
public static async Task <User> CreateNewUserAsync(AmazonIdentityManagementServiceClient client, CreateUserRequest request)
{
CreateUserResponse response = null;
try
{
response = await client.CreateUserAsync(request);
// Show the information about the user from the response.
Console.WriteLine("\n--------------------------------------------------------------------------------------------------------------");
Console.WriteLine($"New user: {response.User.UserName} ARN = {response.User.Arn}.");
Console.WriteLine($"{response.User.UserName} has {response.User.PermissionsBoundary}.");
}
catch (EntityAlreadyExistsException ex)
{
Console.WriteLine($"{ex.Message}");
}
if (response is not null)
{
return(response.User);
}
else
{
return(null);
}
}
public UpdateSAMLProviderResponse updateSAMLProvider(string accountId)
{
AmazonIdentityManagementServiceClient client = new AmazonIdentityManagementServiceClient();;
if (accountId != "177654365656")
{
var credentials = AssumeIdentity.AssumeRole(accountId).Credentials;
string accessKey = credentials.AccessKeyId;
string secretkey = credentials.SecretAccessKey;
string sessionToken = credentials.SessionToken;
client = new AmazonIdentityManagementServiceClient(accessKey, secretkey, sessionToken);
}
UpdateSAMLProviderRequest request = new UpdateSAMLProviderRequest()
{
SAMLMetadataDocument = MetadataXML(),
SAMLProviderArn = string.Format("arn:aws:iam::{0}:saml-provider/ADFS", accountId)
};
UpdateSAMLProviderResponse response = client.UpdateSAMLProviderAsync(request).Result;
return(response);
}
public static void CleanupTestRoleAndUser(string roleName, string userName)
{
using (var iamClient = new AmazonIdentityManagementServiceClient())
{
try
{
var rolePolicies = iamClient.ListRolePolicies(new ListRolePoliciesRequest {
RoleName = roleName
}).PolicyNames;
foreach (var policy in rolePolicies)
{
iamClient.DeleteRolePolicy(new DeleteRolePolicyRequest
{
RoleName = roleName,
PolicyName = policy
});
}
iamClient.DeleteRole(new DeleteRoleRequest {
RoleName = roleName
});
}
catch (NoSuchEntityException)
{
//this is ok - only clean up if it exists
}
try
{
var userPolicies = iamClient.ListUserPolicies(new ListUserPoliciesRequest {
UserName = userName
}).PolicyNames;
foreach (var policy in userPolicies)
{
iamClient.DeleteUserPolicy(new DeleteUserPolicyRequest
{
UserName = userName,
PolicyName = policy
});
}
var accessKeys = iamClient.ListAccessKeys(new ListAccessKeysRequest {
UserName = userName
});
foreach (var accessKey in accessKeys.AccessKeyMetadata)
{
iamClient.DeleteAccessKey(new DeleteAccessKeyRequest
{
UserName = userName,
AccessKeyId = accessKey.AccessKeyId
});
}
iamClient.DeleteUser(new DeleteUserRequest {
UserName = userName
});
}
catch (NoSuchEntityException)
{
//this is ok - only clean up if it exists
}
}
}
static async Task <string> GetRoleArn(string roleName)
{
try
{
var config = new AmazonIdentityManagementServiceConfig();
config.RegionEndpoint = region;
using (var aimsc = new AmazonIdentityManagementServiceClient(config))
{
var response = await aimsc.GetRoleAsync(new GetRoleRequest
{
RoleName = roleName
});
Role role = response.Role;
return(role.Arn);
}
}
catch (NoSuchEntityException) // role was not present
{
return(null);
}
catch (AmazonIdentityManagementServiceException imsException)
{
Console.WriteLine(imsException.Message, imsException.InnerException);
throw;
}
}
/// <summary>
/// Clean up all test resources.
/// Also cleans up any resources that might be left from previous failed/interrupted tests.
/// </summary>
/// <param name="s3Client"></param>
/// <param name="lambdaClient"></param>
/// <returns></returns>
private async Task CleanUpTestResources(AmazonS3Client s3Client, AmazonLambdaClient lambdaClient,
AmazonIdentityManagementServiceClient iamClient, bool roleAlreadyExisted)
{
await DeleteFunctionIfExistsAsync(lambdaClient);
var listBucketsResponse = await s3Client.ListBucketsAsync();
foreach (var bucket in listBucketsResponse.Buckets)
{
if (bucket.BucketName.StartsWith(TestBucketRoot))
{
await DeleteDeploymentZipAndBucketAsync(s3Client, bucket.BucketName);
}
}
if (!roleAlreadyExisted)
{
try
{
var deleteRoleRequest = new DeleteRoleRequest
{
RoleName = ExecutionRoleName
};
await iamClient.DeleteRoleAsync(deleteRoleRequest);
}
catch (Exception)
{
// no problem - it's best effort
}
}
}
public JObject FunctionHandler(JObject input)
{
JObject createAccountResponseObject = JObject.FromObject(input.SelectToken("CreateAccountResponse"));
string accountId = createAccountResponseObject.SelectToken("CreateAccountStatus.AccountId").ToString();
var credentials = AssumeIdentity.AssumeRole(accountId).Credentials;
string accessKey = credentials.AccessKeyId;
string secretkey = credentials.SecretAccessKey;
string sessionToken = credentials.SessionToken;
AmazonIdentityManagementServiceClient client = new AmazonIdentityManagementServiceClient(accessKey, secretkey, sessionToken);
AttachRolePolicyRequest request = new AttachRolePolicyRequest()
{
PolicyArn = "arn:aws:iam::aws:policy/AdministratorAccess",
RoleName = input.SelectToken("EventData.roleName").ToString()
};
AttachRolePolicyResponse response = client.AttachRolePolicyAsync(request).Result;
JObject outputObject = new JObject();
outputObject.Add("AttachRolePolicyResponse", JObject.FromObject(response));
outputObject.Add("CreateAccountResponse", input.SelectToken("CreateAccountResponse"));
outputObject.Add("EventData", input.SelectToken("EventData"));
return(outputObject);
}
public async Task TestAllHandlersAsync()
{
// run all test cases in one test to ensure they run serially
using (var lambdaClient = new AmazonLambdaClient(TestRegion))
using (var s3Client = new AmazonS3Client(TestRegion))
using (var iamClient = new AmazonIdentityManagementServiceClient(TestRegion))
{
var roleAlreadyExisted = false;
try
{
roleAlreadyExisted = await PrepareTestResources(s3Client, lambdaClient, iamClient);
await RunTestSuccessAsync(lambdaClient, "ToUpperAsync", "message", "ToUpperAsync-MESSAGE");
await RunTestSuccessAsync(lambdaClient, "PingAsync", "ping", "PingAsync-pong");
await RunTestSuccessAsync(lambdaClient, "HttpsWorksAsync", "", "HttpsWorksAsync-SUCCESS");
await RunTestSuccessAsync(lambdaClient, "CertificateCallbackWorksAsync", "", "CertificateCallbackWorksAsync-SUCCESS");
await RunTestSuccessAsync(lambdaClient, "NetworkingProtocolsAsync", "", "NetworkingProtocolsAsync-SUCCESS");
await RunTestSuccessAsync(lambdaClient, "HandlerEnvVarAsync", "", "HandlerEnvVarAsync-HandlerEnvVarAsync");
await RunTestExceptionAsync(lambdaClient, "AggregateExceptionUnwrappedAsync", "", "Exception", "Exception thrown from an async handler.");
await RunTestExceptionAsync(lambdaClient, "AggregateExceptionUnwrapped", "", "Exception", "Exception thrown from a synchronous handler.");
await RunTestExceptionAsync(lambdaClient, "AggregateExceptionNotUnwrappedAsync", "", "AggregateException", "AggregateException thrown from an async handler.");
await RunTestExceptionAsync(lambdaClient, "AggregateExceptionNotUnwrapped", "", "AggregateException", "AggregateException thrown from a synchronous handler.");
await RunTestExceptionAsync(lambdaClient, "TooLargeResponseBodyAsync", "", "Function.ResponseSizeTooLarge", "Response payload size (7340060 bytes) exceeded maximum allowed payload size (6291556 bytes).");
await RunTestSuccessAsync(lambdaClient, "LambdaEnvironmentAsync", "", "LambdaEnvironmentAsync-SUCCESS");
await RunTestSuccessAsync(lambdaClient, "LambdaContextBasicAsync", "", "LambdaContextBasicAsync-SUCCESS");
await RunTestSuccessAsync(lambdaClient, "GetPidDllImportAsync", "", "GetPidDllImportAsync-SUCCESS");
await RunTestSuccessAsync(lambdaClient, "GetTimezoneNameAsync", "", "GetTimezoneNameAsync-UTC");
}
finally
{
await CleanUpTestResources(s3Client, lambdaClient, iamClient, roleAlreadyExisted);
}
}
}
public static async Task Main()
{
var iamClient = new AmazonIdentityManagementServiceClient();
var s3Client = new AmazonS3Client();
// Clear the console screen before displaying any text.
Console.Clear();
// Create an IAM group.
var createGroupResponse = await CreateNewGroupAsync(iamClient, GroupName);
// Create a policy and add it to the group.
var success = await AddGroupPermissionsAsync(iamClient, createGroupResponse.Group);
// Now create a new user.
User readOnlyUser;
var userRequest = new CreateUserRequest
{
UserName = UserName,
};
readOnlyUser = await CreateNewUserAsync(iamClient, userRequest);
// Create access and secret keys for the user.
CreateAccessKeyResponse createKeyResponse = await CreateNewAccessKeyAsync(iamClient, UserName);
// Add the new user to the group.
success = await AddNewUserToGroupAsync(iamClient, readOnlyUser.UserName, createGroupResponse.Group.GroupName);
// Show that the user can access Amazon S3 by listing the buckets on
// the account.
Console.Write("Waiting for user status to be Active.");
do
{
Console.Write(" .");
}while (createKeyResponse.AccessKey.Status != StatusType.Active);
await ListBucketsAsync(createKeyResponse.AccessKey);
// Show that the user also has write access to Amazon S3 by creating
// a new bucket.
success = await CreateS3BucketAsync(createKeyResponse.AccessKey, BucketName);
if (success)
{
Console.WriteLine($"Successfully created the bucket: {BucketName}.");
}
// Delete the user, the group, and the new bucket.
await CleanUpResources(
iamClient,
s3Client,
UserName,
GroupName,
BucketName,
createKeyResponse.AccessKey.AccessKeyId);
Console.WriteLine("Press <Enter> to close the program.");
Console.ReadLine();
}
public override void Invoke(AWSCredentials creds, RegionEndpoint region, int maxItems)
{
AmazonIdentityManagementServiceConfig config = new AmazonIdentityManagementServiceConfig();
config.RegionEndpoint = region;
ConfigureClient(config);
AmazonIdentityManagementServiceClient client = new AmazonIdentityManagementServiceClient(creds, config);
ListRolesResponse resp = new ListRolesResponse();
do
{
ListRolesRequest req = new ListRolesRequest
{
Marker = resp.Marker
,
MaxItems = maxItems
};
resp = client.ListRoles(req);
CheckError(resp.HttpStatusCode, "200");
foreach (var obj in resp.Roles)
{
AddObject(obj);
}
}while (!string.IsNullOrEmpty(resp.Marker));
}
public async Task <VerificationResult> VerifyContent()
{
VerificationResult verificationResult = new VerificationResult();
Credentials credentials = new Credentials();
credentials.SecretAccessKey = secretAccessKeyTextBox.Text;
credentials.AccessKeyId = accessKeyIdTextBox.Text;
AmazonIdentityManagementServiceClient client = new AmazonIdentityManagementServiceClient(credentials.AccessKeyId, credentials.SecretAccessKey, Amazon.RegionEndpoint.EUWest2);
try
{
GetUserResponse response = await client.GetUserAsync();
verificationResult.IsVerified = string.IsNullOrEmpty(response.User?.UserName);
if (verificationResult.IsVerified)
{
NewVerifiedCredentials?.Invoke(this, credentials);
}
else
{
verificationResult.ErrorMessage = "Failed to verify credentials";
}
}
catch
{
verificationResult.IsVerified = false;
verificationResult.ErrorMessage = "Failed to verify credentials";
}
return(verificationResult);
}
public static void AttachRolePolicy()
{
var client = new AmazonIdentityManagementServiceClient();
string policy = GenerateRolePolicyDocument();
CreateRoleRequest roleRequest = new CreateRoleRequest()
{
RoleName = "tester",
AssumeRolePolicyDocument = policy
};
var request = new AttachRolePolicyRequest()
{
PolicyArn = "arn:aws:iam::123456789:policy/DemoEC2Permissions",
RoleName = "tester"
};
try
{
var response = client.AttachRolePolicy(request);
Console.WriteLine("Policy DemoEC2Permissions attached to Role TestUser");
}
catch (NoSuchEntityException)
{
Console.WriteLine
("Policy 'DemoEC2Permissions' does not exist");
}
catch (InvalidInputException)
{
Console.WriteLine
("One of the parameters is incorrect");
}
}
public JObject FunctionHandler(JObject input)
{
LambdaLogger.Log(JObject.FromObject(input).ToString());
string accountId = input.SelectToken("CreateAccountStatus.CreateAccountStatus.AccountId").ToString();
var credentials = AssumeIdentity.AssumeRole(accountId).Credentials;
string accessKey = credentials.AccessKeyId;
string secretkey = credentials.SecretAccessKey;
string sessionToken = credentials.SessionToken;
AmazonIdentityManagementServiceClient client = new AmazonIdentityManagementServiceClient(accessKey, secretkey, sessionToken);
CreateSAMLProviderRequest request = new CreateSAMLProviderRequest()
{
Name = "ADFS",
SAMLMetadataDocument = MetadataXML()
};
CreateSAMLProviderResponse response = client.CreateSAMLProviderAsync(request).Result;
JObject outputObject = new JObject();
outputObject.Add("CreateSAMLProviderResponse", JObject.FromObject(response));
outputObject.Add("CreateAccountResponse", input.SelectToken("CreateAccountStatus"));
outputObject.Add("EventData", input.SelectToken("EventData"));
return(outputObject);
}
public static User CreateReadOnlyUser()
{
var iamClient = new AmazonIdentityManagementServiceClient();
try
{
// Create the IAM user
var readOnlyUser = iamClient.CreateUser(new CreateUserRequest
{
UserName = "******"
}).User;
// Assign the read only policy to the new user
iamClient.PutUserPolicy(new PutUserPolicyRequest
{
UserName = readOnlyUser.UserName,
PolicyName = "S3ReadOnlyAccess",
PolicyDocument = S3_READONLY_POLICY
});
return(readOnlyUser);
}
catch (EntityAlreadyExistsException e)
{
Console.WriteLine(e.Message);
var request = new GetUserRequest()
{
UserName = "******"
};
return(iamClient.GetUser(request).User);
}
}
public JObject FunctionHandler(JObject input)
{
JObject createAccountResponseObject = JObject.FromObject(input.SelectToken("CreateAccountResponse"));
string accountId = createAccountResponseObject.SelectToken("CreateAccountStatus.AccountId").ToString();
var credentials = AssumeIdentity.AssumeRole(accountId).Credentials;
string accessKey = credentials.AccessKeyId;
string secretkey = credentials.SecretAccessKey;
string sessionToken = credentials.SessionToken;
AmazonIdentityManagementServiceClient client = new AmazonIdentityManagementServiceClient(accessKey, secretkey, sessionToken);
CreateRoleRequest request = new CreateRoleRequest()
{
RoleName = input.SelectToken("EventData.roleName").ToString(),
MaxSessionDuration = 43200,
AssumeRolePolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Action\": \"sts:AssumeRoleWithSAML\", \"Principal\": {\"Federated\": \"arn:aws:iam::" + accountId + ":saml-provider/ADFS\"}, \"Condition\": {\"StringEquals\": {\"SAML:aud\": \"https://signin.aws.amazon.com/saml\"}} } }"
};
CreateRoleResponse response = client.CreateRoleAsync(request).Result;
JObject outputObject = new JObject();
outputObject.Add("CreateAccountResponse", createAccountResponseObject);
outputObject.Add("CreateRoleResponse", JObject.FromObject(response));
outputObject.Add("EventData", input.SelectToken("EventData"));
return(outputObject);
}
private Dictionary <string, string> CreateUnprivilegedUser(string awsid, string awskey, string path)
{
var now = Library.Utility.Utility.SerializeDateTime(DateTime.Now);
var username = string.Format("duplicati-autocreated-backup-user-{0}", now);
var policyname = string.Format("duplicati-autocreated-policy-{0}", now);
var policydoc = GeneratePolicyDoc(path);
var cl = new AmazonIdentityManagementServiceClient(awsid, awskey);
var user = cl.CreateUser(new CreateUserRequest(username)).User;
cl.PutUserPolicy(new PutUserPolicyRequest(
user.UserName,
policyname,
policydoc
));
var key = cl.CreateAccessKey(new CreateAccessKeyRequest()
{
UserName = user.UserName
}).AccessKey;
var dict = new Dictionary <string, string>();
dict["accessid"] = key.AccessKeyId;
dict["secretkey"] = key.SecretAccessKey;
dict["username"] = key.UserName;
return(dict);
}
private static void ListSamlProviders()
{
if (String.IsNullOrEmpty(Token))
{
stsClient = new AmazonIdentityManagementServiceClient(AccessKeyId, SecretKey, iamconfig);
}
else
{
stsClient = new AmazonIdentityManagementServiceClient(AccessKeyId, SecretKey, Token, iamconfig);
}
ListSAMLProvidersRequest req = new ListSAMLProvidersRequest();
try
{
ListSAMLProvidersResponse response = stsClient.ListSAMLProviders(req);
foreach (SAMLProviderListEntry entry in response.SAMLProviderList)
{
Console.WriteLine("ARN: {0}, Valid Until: {1}, Create Date: {2}", entry.Arn, entry.ValidUntil, entry.CreateDate);
}
Console.WriteLine();
}
catch (Exception ex)
{
Console.WriteLine("Error occured while creating user. " + ex.ToString());
}
}
