/// <summary>
/// Attaches the user-authentication callback and the proxy to SAML-federated
/// credentials. Credentials of any other type are left untouched.
/// </summary>
/// <param name="credentials">The credentials that were just resolved; may be of any type.</param>
/// <param name="psHost">Host stored in the callback state.</param>
/// <param name="self">Cmdlet arguments; their NetworkCredential value is copied into the callback state.</param>
/// <param name="sessionState">Shell session state the proxy settings are read from.</param>
private static void SetupIfFederatedCredentials(
    AWSCredentials credentials,
    PSHost psHost,
    IAWSCredentialsArguments self,
    SessionState sessionState)
{
    if (!(credentials is FederatedAWSCredentials federated))
    {
        return;
    }

    // The callback is registered unconditionally, even for a profile that uses
    // the default identity: the SDK only invokes it when it needs the user to
    // authenticate, and always setting it keeps this path simple.
    var options = federated.Options;

    // The state object carries the caller-supplied network credential for the
    // callback to use; it stays attached to the options object afterwards.
    var callbackState = new SAMLCredentialCallbackState
    {
        Host = psHost,
        CmdletNetworkCredentialParameter = self.NetworkCredential
    };

    options.CredentialRequestCallback = UserCredentialCallbackHandler;
    options.CustomCallbackState = callbackState;

    // Same proxy as the rest of the shell session (null when none is configured).
    options.ProxySettings = GetWebProxy(self, sessionState);
}
/// <summary>
/// Applies the type-specific setup (callback and proxy) to freshly resolved
/// credentials: first the SAML-federated setup, then the assume-role setup.
/// Each helper does nothing when the credentials are not of its type.
/// </summary>
/// <param name="innerCredentials">The credentials that were just resolved.</param>
/// <param name="self">Cmdlet arguments forwarded to both helpers.</param>
/// <param name="psHost">Host forwarded to the federated setup.</param>
/// <param name="sessionState">Shell session state forwarded to both helpers.</param>
private static void SetProxyAndCallbackIfNecessary(
    AWSCredentials innerCredentials,
    IAWSCredentialsArguments self,
    PSHost psHost,
    SessionState sessionState)
{
    // Note the argument order differs between the two helpers.
    SetupIfFederatedCredentials(innerCredentials, psHost, self, sessionState);
    SetupIfAssumeRoleCredentials(innerCredentials, self, sessionState);
}
/// <summary>
/// Attaches the MFA token-code callback and the proxy to assume-role
/// credentials. Credentials of any other type are left untouched.
/// </summary>
/// <param name="credentials">The credentials that were just resolved; may be of any type.</param>
/// <param name="self">Cmdlet arguments, passed on to the proxy lookup.</param>
/// <param name="sessionState">Shell session state the proxy settings are read from.</param>
private static void SetupIfAssumeRoleCredentials(
    AWSCredentials credentials,
    IAWSCredentialsArguments self,
    SessionState sessionState)
{
    if (!(credentials is AssumeRoleAWSCredentials roleCredentials))
    {
        return;
    }

    var options = roleCredentials.Options;

    // ReadMFACode is handed to the SDK as the source of the MFA token code.
    options.MfaTokenCodeCallback = ReadMFACode;

    // Same proxy as the rest of the shell session (null when none is configured).
    options.ProxySettings = GetWebProxy(self, sessionState);
}
/// <summary>
/// Builds the web proxy from the proxy settings held in the shell session.
/// </summary>
/// <param name="self">Cmdlet arguments; not read by this method.</param>
/// <param name="sessionState">Shell session state the proxy settings are read from.</param>
/// <returns>The configured proxy, or null when the session holds no proxy settings.</returns>
private static WebProxy GetWebProxy(IAWSCredentialsArguments self, SessionState sessionState)
{
    var sessionProxy = ProxySettings.GetFromSettingsVariable(sessionState);
    return sessionProxy?.GetWebProxy();
}
/// <summary>
/// Resolves the AWS credentials a cmdlet should use by probing a fixed list of
/// sources; the first source that yields credentials wins.
/// </summary>
/// <remarks>
/// Probe order:
/// <list type="number">
/// <item><description>Credential options bound on the cmdlet itself.</description></item>
/// <item><description>An explicitly named profile. If it cannot be found the method
/// returns false rather than falling through to another source.</description></item>
/// <item><description>A credentials object passed as a parameter (used as-is).</description></item>
/// <item><description>The credentials variable in the shell session (used as-is).</description></item>
/// <item><description>Process environment variables.</description></item>
/// <item><description>The default profile, only when no profile was named.</description></item>
/// <item><description>The legacy default profile.</description></item>
/// <item><description>The container credentials endpoint when either of its URI
/// environment variables is set, otherwise the instance profile.</description></item>
/// </list>
/// The winning source is recorded on the returned <c>AWSPSCredentials</c>.
/// </remarks>
/// <param name="self">Cmdlet credential arguments.</param>
/// <param name="psHost">Host handed to the federated-credentials callback setup.</param>
/// <param name="credentials">The resolved credentials, or null when nothing was found.</param>
/// <param name="sessionState">Shell session state; may be null, which skips the session probe.</param>
/// <returns>True when credentials were resolved.</returns>
/// <exception cref="ArgumentNullException"><paramref name="self"/> is null.</exception>
public static bool TryGetCredentials(
    this IAWSCredentialsArguments self,
    PSHost psHost,
    out AWSPSCredentials credentials,
    SessionState sessionState)
{
    if (self == null)
    {
        throw new ArgumentNullException("self");
    }

    credentials = null;

    string resolvedName = null;
    var resolvedFrom = CredentialsSource.Unknown;
    var profileWasNamed = !string.IsNullOrEmpty(self.ProfileName);
    var chain = new CredentialProfileStoreChain(self.ProfileLocation);

    // 1. Explicit options bound on the cmdlet (keys, profile name, credential
    //    object) override anything found in the shell environment.
    if (AWSCredentialsFactory.TryGetAWSCredentials(
            self.GetCredentialProfileOptions(), chain, out var resolved))
    {
        resolvedFrom = CredentialsSource.Strings;
        resolvedName = "Supplied Key Parameters";
        SetProxyAndCallbackIfNecessary(resolved, self, psHost, sessionState);
    }

    // 2. A profile named by the user.
    if (resolved == null && profileWasNamed)
    {
        if (!chain.TryGetProfile(self.ProfileName, out var namedProfile))
        {
            // Fail closed: a named profile (and optional location) that does not
            // exist must be an error, otherwise a later probe could pick up a
            // 'default' profile that belongs to a different account.
            return false;
        }

        resolved = AWSCredentialsFactory.GetAWSCredentials(namedProfile, chain);
        resolvedFrom = CredentialsSource.Profile;
        resolvedName = self.ProfileName;
        SetProxyAndCallbackIfNecessary(resolved, self, psHost, sessionState);
    }

    // 3. A credentials object passed as a parameter. Taken as-is: neither proxy
    //    nor callbacks are applied to it.
    if (resolved == null && self.Credential != null)
    {
        resolved = self.Credential;
        resolvedFrom = CredentialsSource.CredentialsObject;
        resolvedName = "Credentials Object";
    }

    // 4. The shell session variable, which lets a session override machine-wide
    //    environment variables. Also taken as-is.
    if (resolved == null
        && sessionState != null
        && TryGetAWSPSCredentialsFromConflictingType(
            sessionState.PSVariable.GetValue(SessionKeys.AWSCredentialsVariableName),
            out var sessionCredentials))
    {
        credentials = sessionCredentials;
        resolvedFrom = CredentialsSource.Session;
        resolved = credentials.Credentials; // non-null here skips the remaining probes
    }

    // No command-level or session override: start inspecting the environment.

    // 5. Environment variables. Only basic or session credentials come from
    //    here, so no proxy or callback setup is needed.
    if (resolved == null)
    {
        try
        {
            // Presumably the constructor throws when the variables are absent,
            // which leaves 'resolved' null so the next probe runs.
            resolved = new EnvironmentVariablesAWSCredentials();
            resolvedFrom = CredentialsSource.Environment;
            resolvedName = "Environment Variables";
        }
        catch
        {
            // Deliberate best-effort. NOTE(review): the bare catch also hides
            // any unrelated failure, with no trace left for troubleshooting.
        }
    }

    // 6. The 'default' profile, unless the user named a profile.
    if (resolved == null
        && !profileWasNamed
        && chain.TryGetProfile(SettingsStore.PSDefaultSettingName, out var defaultProfile)
        && defaultProfile.CanCreateAWSCredentials)
    {
        resolved = AWSCredentialsFactory.GetAWSCredentials(defaultProfile, chain);
        resolvedFrom = CredentialsSource.Profile;
        resolvedName = SettingsStore.PSDefaultSettingName;
        SetProxyAndCallbackIfNecessary(resolved, self, psHost, sessionState);
    }

    // 7. The legacy default profile name.
    // NOTE(review): unlike probe 6 this is not gated on profileWasNamed. That is
    // only reachable if the factory returned null for a named profile in probe 2
    // - confirm that cannot happen.
    if (resolved == null
        && chain.TryGetProfile(SettingsStore.PSLegacyDefaultSettingName, out var legacyProfile)
        && legacyProfile.CanCreateAWSCredentials
        && AWSCredentialsFactory.TryGetAWSCredentials(legacyProfile, chain, out resolved))
    {
        resolvedFrom = CredentialsSource.Profile;
        resolvedName = SettingsStore.PSLegacyDefaultSettingName;
        SetProxyAndCallbackIfNecessary(resolved, self, psHost, sessionState);
    }

    // 8. Last resort: the container endpoint when either of its environment
    //    variables is set, otherwise the instance profile. With nothing else
    //    configured the cmdlet therefore runs as the host's container or
    //    instance identity; the source recorded on the result is what tells a
    //    caller that this happened.
    if (resolved == null)
    {
        try
        {
            var relativeUri = Environment.GetEnvironmentVariable(
                ECSTaskCredentials.ContainerCredentialsURIEnvVariable);
            var fullUri = Environment.GetEnvironmentVariable(
                ECSTaskCredentials.ContainerCredentialsFullURIEnvVariable);

            if (string.IsNullOrEmpty(relativeUri) && string.IsNullOrEmpty(fullUri))
            {
                resolved = new InstanceProfileAWSCredentials();
                resolvedFrom = CredentialsSource.InstanceProfile;
                resolvedName = "Instance Profile";
            }
            else
            {
                resolved = new ECSTaskCredentials();
                resolvedFrom = CredentialsSource.Container;
                resolvedName = "Container";
            }
        }
        catch
        {
            // Any failure here means "no credentials", not an error.
            resolved = null;
        }
    }

    // The session probe fills 'credentials' directly; every other probe needs
    // its result wrapped together with the name and source it came from.
    if (credentials == null && resolved != null)
    {
        credentials = new AWSPSCredentials(resolved, resolvedName, resolvedFrom);
    }

    return credentials != null;
}