public void TestAssumeRoleProfile(string roleExternalId, string credentialsExternalId, string mfaSerialNumber, Func <string> mfaTokenCallback, bool expectFailure, bool sessionCredsAsSource) { try { // clean up at start in case a test dies in the middle of clean up and is restarted IAMTestUtil.CleanupTestRoleAndUser(TestRoleName, TestUserName); var roleArn = "arn:aws:iam::" + UtilityMethods.AccountId + ":role/" + TestRoleName; var newCredentials = IAMTestUtil.CreateTestRoleAndUser(TestRoleName, TestUserName, roleExternalId); var sourceCredentials = sessionCredsAsSource ? GetSessionCredentials(newCredentials) : newCredentials; var options = new AssumeRoleAWSCredentialsOptions() { ExternalId = credentialsExternalId, MfaSerialNumber = mfaSerialNumber, MfaTokenCodeCallback = mfaTokenCallback }; var assumeRoleCredentials = new AssumeRoleAWSCredentials(sourceCredentials, roleArn, TestRoleName, options); TestCredentials(assumeRoleCredentials, expectFailure); } finally { IAMTestUtil.CleanupTestRoleAndUser(TestRoleName, TestUserName); } }
private void AssertAssumeRoleCredentialsAreEqual(AssumeRoleAWSCredentials expected, AWSCredentials actualAWSCredentials) { var actual = actualAWSCredentials as AssumeRoleAWSCredentials; Assert.IsNotNull(actual); // can't do AreEqual because this contains DateTime.UtcNow.Ticks Assert.IsTrue(actual.RoleSessionName.StartsWith("aws-dotnet-sdk-session-")); Assert.AreEqual(expected.RoleArn, actual.RoleArn); Assert.AreEqual(expected.PreemptExpiryTime, actual.PreemptExpiryTime); if (expected.SourceCredentials is AssumeRoleAWSCredentials && actual.SourceCredentials is AssumeRoleAWSCredentials) { AssertAssumeRoleCredentialsAreEqual(expected.SourceCredentials as AssumeRoleAWSCredentials, actual.SourceCredentials); } else if (expected.SourceCredentials is FederatedAWSCredentials && actual.SourceCredentials is FederatedAWSCredentials) { AssertFederatedCredentialsAreEqual(expected.SourceCredentials as FederatedAWSCredentials, actual.SourceCredentials); } else { Assert.AreEqual(expected.SourceCredentials, actual.SourceCredentials); } Assert.AreEqual(expected.Options.DurationSeconds, actual.Options.DurationSeconds); Assert.AreEqual(expected.Options.ExternalId, actual.Options.ExternalId); Assert.AreEqual(expected.Options.MfaSerialNumber, actual.Options.MfaSerialNumber); Assert.AreEqual(expected.Options.MfaTokenCodeCallback, actual.Options.MfaTokenCodeCallback); Assert.AreEqual(expected.Options.Policy, actual.Options.Policy); Assert.AreEqual(expected.Options.ProxySettings, actual.Options.ProxySettings); }
public static T CreateClient() { var credentials = new AssumeRoleAWSCredentials(new StoredProfileAWSCredentials(), "arn:aws:iam::383514732995:role/SAFE-Dev_role", "AssumeRole"); //client = new T(credentials, AwsCommon.GetRetionEndpoint("us-east-2")); return(client); }
public void TestAssumeRoleCredentials() { var clientId = Guid.NewGuid(); var roleArn = _role.Arn; const string sessionName = "NetUser"; // sleep for IAM data to propagate Thread.Sleep(TimeSpan.FromSeconds(10)); var sts = new AmazonSecurityTokenServiceClient(_userCredentials); Thread.Sleep(TimeSpan.FromSeconds(60)); var request = new AssumeRoleRequest { RoleArn = roleArn, RoleSessionName = sessionName, DurationSeconds = 3600, ExternalId = clientId.ToString() }; var credentials = new AssumeRoleAWSCredentials(sts, request); var client = new AmazonIdentityManagementServiceClient(credentials); var response = client.ListRoles(); Assert.IsNotNull(response); }
public async Task <string> Get() { string output = string.Empty; var sharedFile = new SharedCredentialsFile(); CredentialProfile devProfile; if (sharedFile.TryGetProfile("build", out devProfile)) { BasicAWSCredentials credentials = new BasicAWSCredentials(devProfile.Options.AccessKey, devProfile.Options.SecretKey); var assumerole = new AssumeRoleAWSCredentials(credentials, devProfile.Options.RoleArn, "channelsrole"); IAmazonS3 client = new AmazonS3Client(assumerole, RegionEndpoint.USWest2); GetObjectRequest request = new GetObjectRequest(); request.BucketName = "ch2-sms-startchat-authentication"; request.Key = "Token.txt"; var response = await client.GetObjectAsync(request); using (var reader = new StreamReader(response.ResponseStream)) { output = await reader.ReadToEndAsync(); } } return(output); }
/// <exception cref="AggregateException"> /// If both InstanceProfile and EnvironmentVariable Credentials fail. /// Contains AmazonClientExceptions for both InstanceProfile and EnvironmentVariable failures</exception> /// <exception cref="AmazonClientException">If Basic (Account) Credentials fail</exception> public bool TryGetCredentials(ILog log, out AWSCredentials credentials) { credentials = null; if (Credentials.Type == "account") { try { credentials = new BasicAWSCredentials(Credentials.Account.AccessKey, Credentials.Account.SecretKey); } // Catching a generic Exception because AWS SDK throws undocumented exceptions. catch (Exception e) { log.Warn("Unable to authorise credentials, see verbose log for details."); log.Verbose($"Unable to authorise credentials for Account: {e}"); return(false); } } else { try { // If not currently running on an EC2 instance, // this will throw an exception. credentials = new InstanceProfileAWSCredentials(); } // Catching a generic Exception because AWS SDK throws undocumented exceptions. catch (Exception instanceProfileException) { try { // The last attempt is trying to use Environment Variables. credentials = new EnvironmentVariablesAWSCredentials(); } // Catching a generic Exception because AWS SDK throws undocumented exceptions. catch (Exception environmentVariablesException) { log.Warn("Unable to authorise credentials, see verbose log for details."); log.Verbose($"Unable to authorise credentials for Instance Profile: {instanceProfileException}"); log.Verbose($"Unable to authorise credentials for Environment Variables: {environmentVariablesException}"); return(false); } } } if (Role.Type == "assumeRole") { credentials = new AssumeRoleAWSCredentials(credentials, Role.Arn, Role.SessionName ?? DefaultSessionName, new AssumeRoleAWSCredentialsOptions { ExternalId = Role.ExternalId, DurationSeconds = Role.SessionDuration }); } return(true); }
AWSCredentials ICredentialsProvider.AssumeRole( AWSCredentials credentials, string role ) { var roleCredentials = new AssumeRoleAWSCredentials( credentials, role, Guid.NewGuid().ToString("N", CultureInfo.InvariantCulture)); return(roleCredentials); }
public static async Task <AWSCredentials> AssumeRoleAsync(AWSCredentials credentials, string roleArn, string roleSessionName) { var assumedCredentials = new AssumeRoleAWSCredentials(credentials, roleArn, roleSessionName); var immutableCredentials = await credentials.GetCredentialsAsync(); if (string.IsNullOrWhiteSpace(immutableCredentials.Token)) { throw new InvalidOperationException($"Unable to assume role {roleArn}"); } return(assumedCredentials); }
private static void TestCredentials(AssumeRoleAWSCredentials assumeRoleCredentials, bool expectFailure) { ListBucketsResponse response = null; using (var client = new AmazonS3Client(assumeRoleCredentials)) { // user/role setup may not be complete // so retry for a bit before giving up var stopTime = DateTime.Now.AddSeconds(30); while (response == null && DateTime.Now < stopTime) { var doSleep = true; try { response = client.ListBuckets(); Assert.AreEqual(HttpStatusCode.OK, response.HttpStatusCode); doSleep = false; } catch (AmazonClientException) { // no need to retry if we're expecting a failure if (expectFailure) { throw; } } catch (AmazonServiceException) { } if (doSleep) { Thread.Sleep(1000); } } } if (expectFailure) { Assert.Fail("The test did not receive the expected authentication failure."); } else { Assert.IsNotNull(response, "Unable to use AssumeRoleCredentials to successfully complete a request."); } }
public T Create <T>(IAwsProfile assumeProfile = default) where T : IAmazonService { AWSCredentials impersonateCredentials = _awsCredentialResolver.Resolve(_options.Value.Impersonate) ?? FallbackCredentialsFactory.GetCredentials(); AWSCredentials sdkClientCredentials = impersonateCredentials; if (assumeProfile != null) { var assumeProfileCredentials = _awsCredentialResolver.Resolve(assumeProfile); sdkClientCredentials = new AssumeRoleAWSCredentials(impersonateCredentials, assumeProfile.RoleArn, assumeProfileCredentials.Token); } var clientOfTConstructor = typeof(T).GetConstructor(new[] { typeof(AWSCredentials), typeof(RegionEndpoint) }); var clientOfT = (T)clientOfTConstructor.Invoke(new object[] { sdkClientCredentials, RegionEndpoint.GetBySystemName(_options.Value.Region) }); return(clientOfT); }
public KinesisService(KinesisConfig kinesisConfig, UserDataFilterService filterService) { this.StreamName = kinesisConfig?.StreamName ?? throw new ArgumentNullException(nameof(kinesisConfig)); this.filterService = filterService; if (!String.IsNullOrEmpty(kinesisConfig.Arn)) { AssumeRoleAWSCredentials credentials = new AssumeRoleAWSCredentials(FallbackCredentialsFactory.GetCredentials(), kinesisConfig.Arn, kinesisConfig.StsRoleSessionName, new AssumeRoleAWSCredentialsOptions { DurationSeconds = ChatConfiguration.StsCredentialExpiration }); kinesisClient = new AmazonKinesisClient(credentials); } else { kinesisClient = new AmazonKinesisClient(); } #if !XRAY2 string whitelistPath = System.Web.Hosting.HostingEnvironment.MapPath("/AWSWhitelist.json"); var tracer = new Amazon.XRay.Recorder.Handlers.AwsSdk.AWSSdkTracingHandler(AWSXRayRecorder.Instance, whitelistPath); tracer.AddEventHandler(kinesis); #endif }
public static bool CreateClient() { if (_useDynamoDBLocal) { //parse ip address and port int i = _localServiceURL.Contains("://") ? _localServiceURL.IndexOf("://") : -3; string ipAddress = _localServiceURL.Substring(i + 3); i = ipAddress.Contains(":") ? ipAddress.IndexOf(":") : -1; if (i == -1) { ShowError("ERROR: Port not found. Please specify a port"); return(false); } string portText = ipAddress.Substring(i + 1); ipAddress = ipAddress.Substring(0, i); int port = 0; if (!int.TryParse(portText, out port)) { ShowError("ERROR: Port is not a number. Please specify a valid port"); return(false); } // First, check to see whether anyone is listening on the DynamoDB local port // (by default, this is port 8000, so if you are using a different port, modify this accordingly) bool localFound = false; try { using (var tcp_client = new TcpClient()) { var result = tcp_client.BeginConnect(ipAddress, port, null, null); localFound = result.AsyncWaitHandle.WaitOne(3000); // Wait 3 seconds tcp_client.EndConnect(result); } } catch { localFound = false; } if (!localFound) { ShowError("ERROR: DynamoDB Local does not appear to have been started. Checked port " + port); return(false); } CredentialProfileStoreChain chain = new CredentialProfileStoreChain(); AWSCredentials credentials; if (!chain.TryGetAWSCredentials(_awsProfile, out credentials)) { ShowError("Profile {0} not found", _awsProfile); return(false); } RegionEndpoint region = RegionEndpoint.GetBySystemName(_awsRegion); if (region == null) { ShowError("Region {0} not found", _awsRegion); return(false); } // If DynamoDB-Local does seem to be running, so create a client ShowInfo("Setting up a DynamoDB-Local client (DynamoDB Local seems to be running)"); AmazonDynamoDBConfig ddbConfig = new AmazonDynamoDBConfig(); ddbConfig.ServiceURL = _localServiceURL; try { //_client = new AmazonDynamoDBClient(ddbConfig); _client = new AmazonDynamoDBClient(credentials, ddbConfig); } catch (Exception ex) { ShowError("FAILED to create a DynamoDBLocal client; " + ex.Message); return(false); } } else { CredentialProfileStoreChain chain = new CredentialProfileStoreChain(); AWSCredentials credentials; if (!chain.TryGetAWSCredentials(_awsProfile, out credentials)) { ShowError("Profile {0} not found", _awsProfile); return(false); } RegionEndpoint region = RegionEndpoint.GetBySystemName(_awsRegion); if (region == null) { ShowError("Region {0} not found", _awsRegion); return(false); } //If MFA is enabled on this probile, ask for an access code AssumeRoleAWSCredentials assumeCredentials = credentials as AssumeRoleAWSCredentials; if (assumeCredentials != null && !string.IsNullOrWhiteSpace(assumeCredentials.Options.MfaSerialNumber)) { assumeCredentials.Options.MfaTokenCodeCallback = () => { Console.WriteLine("Enter MFA code: "); return(Console.ReadLine()); }; } try { ShowInfo("Connecting to DynamoDB with profile {0} in region {1}", _awsProfile, _awsRegion); _client = new AmazonDynamoDBClient(credentials, region); } catch (Exception ex) { ShowError(" FAILED to create a DynamoDB client; " + ex.Message); return(false); } } return(true); }
public ActionResult Post() { try { var sharedFile = new SharedCredentialsFile(); CredentialProfile devProfile; if (sharedFile.TryGetProfile("dev", out devProfile)) { var assumeRoleResult = new AssumeRoleAWSCredentials(new SessionAWSCredentials(devProfile.Options.AccessKey, devProfile.Options.SecretKey, devProfile.Options.Token), devProfile.Options.RoleArn, "channelsrole"); String messagetype = Request.Headers["x-amz-sns-message-type"]; //If message doesn't have the message type header, don't process it. if (messagetype == null) { return(StatusCode(400)); } var message = string.Empty; using (var reader = new StreamReader(Request.Body)) { message = reader.ReadToEnd(); var sm = Amazon.SimpleNotificationService.Util.Message.ParseMessage(message); // Check the signature and throw an exception if the signature verification fails. if (isMessageSignatureValid(sm.SigningCertURL, sm.Signature, message).Result) { Debug.WriteLine("Signature verification succeeded"); if (sm.IsSubscriptionType) { var model = new Amazon.SimpleNotificationService.Model.ConfirmSubscriptionRequest(sm.TopicArn, sm.Token); AmazonSimpleNotificationServiceClient c = new AmazonSimpleNotificationServiceClient(assumeRoleResult, RegionEndpoint.USWest2); c.ConfirmSubscriptionAsync(model).Wait(); return(Ok()); // CONFIRM THE SUBSCRIPTION } if (sm.IsNotificationType) // PROCESS NOTIFICATIONS { dynamic json = JObject.Parse(sm.MessageText); //extract value: var s3OrigUrlSnippet = json.input.key.Value as string; } } else { Console.WriteLine(">>Signature verification failed"); return(StatusCode(400)); } } //do stuff return(Ok(new { })); } return(Ok(new { })); } catch (Exception ex) { //LogIt.E(ex); return(StatusCode(500, ex)); } }