public SessionAWSCredentials GetSamlRoleCredentails(string samlAssertion, string awsRole)
{
string[] role = awsRole.Split(',');
AssumeRoleWithSAMLRequest samlRequest = new AssumeRoleWithSAMLRequest();
samlRequest.SAMLAssertion = samlAssertion;
samlRequest.RoleArn = role[1];
samlRequest.PrincipalArn = role[0];
samlRequest.DurationSeconds = 3600;
AmazonSecurityTokenServiceClient sts;
AssumeRoleWithSAMLResponse samlResponse;
try {
sts = new AmazonSecurityTokenServiceClient();
samlResponse = sts.AssumeRoleWithSAML(samlRequest);
}
catch
{
sts = new AmazonSecurityTokenServiceClient("a", "b", "c");
samlResponse = sts.AssumeRoleWithSAML(samlRequest);
}
SessionAWSCredentials sessionCredentials = new SessionAWSCredentials(
samlResponse.Credentials.AccessKeyId,
samlResponse.Credentials.SecretAccessKey,
samlResponse.Credentials.SessionToken);
return sessionCredentials;
}
/// <summary>
/// Instantiates STSAssumeRoleAWSCredentials which automatically assumes a specified SAML role.
/// The credentials are refreshed before expiration.
/// </summary>
/// <param name="assumeRoleWithSamlRequest">Configuration for the SAML role to assume.</param>
public STSAssumeRoleAWSCredentials(AssumeRoleWithSAMLRequest assumeRoleWithSamlRequest)
{
if (assumeRoleWithSamlRequest == null) throw new ArgumentNullException("assumeRoleWithSamlRequest");
_stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());
_assumeSamlRequest = assumeRoleWithSamlRequest;
PreemptExpiryTime = _defaultPreemptExpiryTime;
}
public object Execute(ExecutorContext context)
{
var cmdletContext = context as CmdletContext;
// create request
var request = new Amazon.SecurityToken.Model.AssumeRoleWithSAMLRequest();
if (cmdletContext.DurationInSeconds != null)
{
request.DurationSeconds = cmdletContext.DurationInSeconds.Value;
}
if (cmdletContext.Policy != null)
{
request.Policy = cmdletContext.Policy;
}
if (cmdletContext.PrincipalArn != null)
{
request.PrincipalArn = cmdletContext.PrincipalArn;
}
if (cmdletContext.RoleArn != null)
{
request.RoleArn = cmdletContext.RoleArn;
}
if (cmdletContext.SAMLAssertion != null)
{
request.SAMLAssertion = cmdletContext.SAMLAssertion;
}
CmdletOutput output;
// issue call
var client = Client ?? CreateClient();
try
{
var response = CallAWSServiceOperation(client, request);
object pipelineOutput = cmdletContext.Select(response, this);
output = new CmdletOutput
{
PipelineOutput = pipelineOutput,
ServiceResponse = response
};
}
catch (Exception e)
{
output = new CmdletOutput {
ErrorResponse = e
};
}
return(output);
}
/// <summary>
/// Initiates the asynchronous execution of the AssumeRoleWithSAML operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithSAML operation on AmazonSecurityTokenServiceClient.</param>
/// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
/// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
///
/// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking EndAssumeRoleWithSAML
/// operation.</returns>
public IAsyncResult BeginAssumeRoleWithSAML(AssumeRoleWithSAMLRequest request, AsyncCallback callback, object state)
{
var marshaller = new AssumeRoleWithSAMLRequestMarshaller();
var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.Instance;
return BeginInvoke<AssumeRoleWithSAMLRequest>(request, marshaller, unmarshaller,
callback, state);
}
/// <summary>
/// Returns a set of temporary security credentials for users who have been authenticated
/// via a SAML authentication response. This operation provides a mechanism for tying
/// an enterprise identity store or directory to role-based AWS access without user-specific
/// credentials or configuration.
///
///
/// <para>
/// The temporary security credentials returned by this operation consist of an access
/// key ID, a secret access key, and a security token. Applications can use these temporary
/// security credentials to sign calls to AWS services. The credentials are valid for
/// the duration that you specified when calling <code>AssumeRoleWithSAML</code>, which
/// can be up to 3600 seconds (1 hour) or until the time specified in the SAML authentication
/// response's <code>SessionNotOnOrAfter</code> value, whichever is shorter.
/// </para>
/// <note>The maximum duration for a session is 1 hour, and the minimum duration is 15
/// minutes, even if values outside this range are specified. </note>
/// <para>
/// Optionally, you can pass an IAM access policy to this operation. If you choose not
/// to pass a policy, the temporary security credentials that are returned by the operation
/// have the permissions that are defined in the access policy of the role that is being
/// assumed. If you pass a policy to this operation, the temporary security credentials
/// that are returned by the operation have the permissions that are allowed by both the
/// access policy of the role that is being assumed, <i><b>and</b></i> the policy that
/// you pass. This gives you a way to further restrict the permissions for the resulting
/// temporary security credentials. You cannot use the passed policy to grant permissions
/// that are in excess of those allowed by the access policy of the role that is being
/// assumed. For more information, see <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html">Permissions
/// for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity</a> in the <i>Using
/// IAM</i>.
/// </para>
///
/// <para>
/// Before your application can call <code>AssumeRoleWithSAML</code>, you must configure
/// your SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
/// you must use AWS Identity and Access Management (IAM) to create a SAML provider entity
/// in your AWS account that represents your identity provider, and create an IAM role
/// that specifies this SAML provider in its trust policy.
/// </para>
///
/// <para>
/// Calling <code>AssumeRoleWithSAML</code> does not require the use of AWS security credentials.
/// The identity of the caller is validated by using keys in the metadata document that
/// is uploaded for the SAML provider entity for your identity provider.
/// </para>
///
/// <para>
/// For more information, see the following resources:
/// </para>
/// <ul> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html">About
/// SAML 2.0-based Federation</a> in the <i>Using IAM</i>. </li> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html">Creating
/// SAML Identity Providers</a> in the <i>Using IAM</i>. </li> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html">Configuring
/// a Relying Party and Claims</a> in the <i>Using IAM</i>. </li> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html">Creating
/// a Role for SAML 2.0 Federation</a> in the <i>Using IAM</i>. </li> </ul> <member name="RoleArn"
/// target="arnType"></member> <member name="SAMLAssertion" target="SAMLAssertionType"></member>
/// <member name="Policy" target="sessionPolicyDocumentType"></member> <member name="DurationSeconds"
/// target="roleDurationSecondsType"></member>
/// </summary>
/// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithSAML service method.</param>
///
/// <returns>The response from the AssumeRoleWithSAML service method, as returned by SecurityTokenService.</returns>
/// <exception cref="Amazon.SecurityToken.Model.ExpiredTokenException">
/// The web identity token that was passed is expired or is not valid. Get a new identity
/// token from the identity provider and then retry the request.
/// </exception>
/// <exception cref="Amazon.SecurityToken.Model.IDPRejectedClaimException">
/// The identity provider (IdP) reported that authentication failed. This might be because
/// the claim is invalid.
///
///
/// <para>
/// If this error is returned for the <code>AssumeRoleWithWebIdentity</code> operation,
/// it can also mean that the claim has expired or has been explicitly revoked.
/// </para>
/// </exception>
/// <exception cref="Amazon.SecurityToken.Model.InvalidIdentityTokenException">
/// The web identity token that was passed could not be validated by AWS. Get a new identity
/// token from the identity provider and then retry the request.
/// </exception>
/// <exception cref="Amazon.SecurityToken.Model.MalformedPolicyDocumentException">
/// The request was rejected because the policy document was malformed. The error message
/// describes the specific error.
/// </exception>
/// <exception cref="Amazon.SecurityToken.Model.PackedPolicyTooLargeException">
/// The request was rejected because the policy document was too large. The error message
/// describes how big the policy document is, in packed form, as a percentage of what
/// the API allows.
/// </exception>
public AssumeRoleWithSAMLResponse AssumeRoleWithSAML(AssumeRoleWithSAMLRequest request)
{
var marshaller = new AssumeRoleWithSAMLRequestMarshaller();
var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.Instance;
return Invoke<AssumeRoleWithSAMLRequest,AssumeRoleWithSAMLResponse>(request, marshaller, unmarshaller);
}
/// <summary>
/// Initiates the asynchronous execution of the AssumeRoleWithSAML operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithSAML operation.</param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
/// <returns>The task object representing the asynchronous operation.</returns>
public Task<AssumeRoleWithSAMLResponse> AssumeRoleWithSAMLAsync(AssumeRoleWithSAMLRequest request, System.Threading.CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new AssumeRoleWithSAMLRequestMarshaller();
var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.Instance;
return InvokeAsync<AssumeRoleWithSAMLRequest,AssumeRoleWithSAMLResponse>(request, marshaller,
unmarshaller, cancellationToken);
}
/// <summary>
/// Initiates the asynchronous execution of the AssumeRoleWithSAML operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithSAML operation on AmazonSecurityTokenServiceClient.</param>
/// <param name="callback">An Action delegate that is invoked when the operation completes.</param>
/// <param name="options">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
public void AssumeRoleWithSAMLAsync(AssumeRoleWithSAMLRequest request, AmazonServiceCallback<AssumeRoleWithSAMLRequest, AssumeRoleWithSAMLResponse> callback, AsyncOptions options = null)
{
options = options == null?new AsyncOptions():options;
var marshaller = new AssumeRoleWithSAMLRequestMarshaller();
var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.Instance;
Action<AmazonWebServiceRequest, AmazonWebServiceResponse, Exception, AsyncOptions> callbackHelper = null;
if(callback !=null )
callbackHelper = (AmazonWebServiceRequest req, AmazonWebServiceResponse res, Exception ex, AsyncOptions ao) => {
AmazonServiceResult<AssumeRoleWithSAMLRequest,AssumeRoleWithSAMLResponse> responseObject
= new AmazonServiceResult<AssumeRoleWithSAMLRequest,AssumeRoleWithSAMLResponse>((AssumeRoleWithSAMLRequest)req, (AssumeRoleWithSAMLResponse)res, ex , ao.State);
callback(responseObject);
};
BeginInvoke<AssumeRoleWithSAMLRequest>(request, marshaller, unmarshaller, options, callbackHelper);
}
IAsyncResult invokeAssumeRoleWithSAML(AssumeRoleWithSAMLRequest assumeRoleWithSAMLRequest, AsyncCallback callback, object state, bool synchronized)
{
IRequest irequest = new AssumeRoleWithSAMLRequestMarshaller().Marshall(assumeRoleWithSAMLRequest);
var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.GetInstance();
AsyncResult result = new AsyncResult(irequest, callback, state, synchronized, signer, unmarshaller);
Invoke(result);
return result;
}
/// <summary>
/// Initiates the asynchronous execution of the AssumeRoleWithSAML operation.
/// <seealso cref="Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoleWithSAML"/>
/// </summary>
///
/// <param name="assumeRoleWithSAMLRequest">Container for the necessary parameters to execute the AssumeRoleWithSAML operation on
/// AmazonSecurityTokenService.</param>
/// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
/// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
///
/// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking
/// EndAssumeRoleWithSAML operation.</returns>
public IAsyncResult BeginAssumeRoleWithSAML(AssumeRoleWithSAMLRequest assumeRoleWithSAMLRequest, AsyncCallback callback, object state)
{
return invokeAssumeRoleWithSAML(assumeRoleWithSAMLRequest, callback, state, false);
}
/// <summary>
/// <para> Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This
/// operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific
/// credentials or configuration. </para> <para> The temporary security credentials returned by this operation consist of an access key ID, a
/// secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services. The
/// credentials are valid for the duration that you specified when calling <c>AssumeRoleWithSAML</c> , which can be up to 3600 seconds (1 hour)
/// or until the time specified in the SAML authentication response's <c>NotOnOrAfter</c> value, whichever is shorter.</para>
/// <para><b>NOTE:</b>The maximum duration for a session is 1 hour, and the minimum duration is 15 minutes, even if values outside this range
/// are specified. </para> <para>Optionally, you can pass an AWS IAM access policy to this operation. The temporary security credentials that
/// are returned by the operation have the permissions that are associated with the access policy of the role being assumed, except for any
/// permissions explicitly denied by the policy you pass. This gives you a way to further restrict the permissions for the resulting temporary
/// security credentials. These policies and any applicable resource-based policies are evaluated when calls to AWS are made using the temporary
/// security credentials. </para> <para> Before your application can call <c>AssumeRoleWithSAML</c> , you must configure your SAML identity
/// provider (IdP) to issue the claims required by AWS. Additionally, you must use AWS Identity and Access Management (AWS IAM) to create a SAML
/// provider entity in your AWS account that represents your identity provider, and create an AWS IAM role that specifies this SAML provider in
/// its trust policy. </para> <para> Calling <c>AssumeRoleWithSAML</c> does not require the use of AWS security credentials. The identity of the
/// caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider. </para>
/// <para>For more information, see the following resources:</para>
/// <ul>
/// <li> <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html" >Creating Temporary Security Credentials for SAML
/// Federation</a> in the <i>Using Temporary Security Credentials</i> guide. </li>
/// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html" >SAML Providers</a> in the <i>Using
/// IAM</i> guide. </li>
/// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html" >Configuring a Relying Party and Claims in
/// the Using IAM guide. </a> </li>
/// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html" >Creating a Role for SAML-Based Federation</a> in the
/// <i>Using IAM</i> guide. </li>
///
/// </ul>
///
/// </summary>
///
/// <param name="assumeRoleWithSAMLRequest">Container for the necessary parameters to execute the AssumeRoleWithSAML service method on
/// AmazonSecurityTokenService.</param>
///
/// <returns>The response from the AssumeRoleWithSAML service method, as returned by AmazonSecurityTokenService.</returns>
///
/// <exception cref="PackedPolicyTooLargeException"/>
/// <exception cref="IDPRejectedClaimException"/>
/// <exception cref="MalformedPolicyDocumentException"/>
/// <exception cref="InvalidIdentityTokenException"/>
/// <exception cref="ExpiredTokenException"/>
public AssumeRoleWithSAMLResponse AssumeRoleWithSAML(AssumeRoleWithSAMLRequest assumeRoleWithSAMLRequest)
{
IAsyncResult asyncResult = invokeAssumeRoleWithSAML(assumeRoleWithSAMLRequest, null, null, true);
return EndAssumeRoleWithSAML(asyncResult);
}
IAsyncResult invokeAssumeRoleWithSAML(AssumeRoleWithSAMLRequest request, AsyncCallback callback, object state, bool synchronized)
{
var marshaller = new AssumeRoleWithSAMLRequestMarshaller();
var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.Instance;
return Invoke(request, callback, state, synchronized, marshaller, unmarshaller, signer);
}
/// <summary>
/// <para> Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This
/// operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific
/// credentials or configuration. </para> <para> The temporary security credentials returned by this operation consist of an access key ID, a
/// secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services. The
/// credentials are valid for the duration that you specified when calling <c>AssumeRoleWithSAML</c> , which can be up to 3600 seconds (1 hour)
/// or until the time specified in the SAML authentication response's <c>NotOnOrAfter</c> value, whichever is shorter.</para>
/// <para><b>NOTE:</b>The maximum duration for a session is 1 hour, and the minimum duration is 15 minutes, even if values outside this range
/// are specified. </para> <para>Optionally, you can pass an AWS IAM access policy to this operation. The temporary security credentials that
/// are returned by the operation have the permissions that are associated with the access policy of the role being assumed, except for any
/// permissions explicitly denied by the policy you pass. This gives you a way to further restrict the permissions for the federated user. These
/// policies and any applicable resource-based policies are evaluated when calls to AWS are made using the temporary security credentials.
/// </para> <para> Before your application can call <c>AssumeRoleWithSAML</c> , you must configure your SAML identity provider (IdP) to issue
/// the claims required by AWS. Additionally, you must use AWS Identity and Access Management (AWS IAM) to create a SAML provider entity in your
/// AWS account that represents your identity provider, and create an AWS IAM role that specifies this SAML provider in its trust policy.
/// </para> <para> Calling <c>AssumeRoleWithSAML</c> does not require the use of AWS security credentials. The identity of the caller is
/// validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider. </para> <para>For
/// more information, see the following resources:</para>
/// <ul>
/// <li> <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html">Creating Temporary Security Credentials for SAML
/// Federation</a> in the <i>Using Temporary Security Credentials</i> guide. </li>
/// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html">SAML Providers</a> in the <i>Using
/// IAM</i> guide. </li>
/// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html">Configuring a Relying Party and Claims in
/// the Using IAM guide. </a> </li>
/// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html">Creating a Role for SAML-Based Federation</a> in the
/// <i>Using IAM</i> guide. </li>
///
/// </ul>
///
/// </summary>
///
/// <param name="assumeRoleWithSAMLRequest">Container for the necessary parameters to execute the AssumeRoleWithSAML service method on
/// AmazonSecurityTokenService.</param>
///
/// <returns>The response from the AssumeRoleWithSAML service method, as returned by AmazonSecurityTokenService.</returns>
///
/// <exception cref="T:Amazon.SecurityToken.Model.PackedPolicyTooLargeException" />
/// <exception cref="T:Amazon.SecurityToken.Model.IDPRejectedClaimException" />
/// <exception cref="T:Amazon.SecurityToken.Model.MalformedPolicyDocumentException" />
/// <exception cref="T:Amazon.SecurityToken.Model.InvalidIdentityTokenException" />
/// <exception cref="T:Amazon.SecurityToken.Model.ExpiredTokenException" />
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
public Task<AssumeRoleWithSAMLResponse> AssumeRoleWithSAMLAsync(AssumeRoleWithSAMLRequest assumeRoleWithSAMLRequest, CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new AssumeRoleWithSAMLRequestMarshaller();
var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.GetInstance();
return Invoke<IRequest, AssumeRoleWithSAMLRequest, AssumeRoleWithSAMLResponse>(assumeRoleWithSAMLRequest, marshaller, unmarshaller, signer, cancellationToken);
}
internal AssumeRoleWithSAMLResponse AssumeRoleWithSAML(AssumeRoleWithSAMLRequest request)
{
var task = AssumeRoleWithSAMLAsync(request);
try
{
return task.Result;
}
catch(AggregateException e)
{
throw e.InnerException;
}
}
internal AssumeRoleWithSAMLResponse AssumeRoleWithSAML(AssumeRoleWithSAMLRequest request)
{
var task = AssumeRoleWithSAMLAsync(request);
try
{
return task.Result;
}
catch(AggregateException e)
{
ExceptionDispatchInfo.Capture(e.InnerException).Throw();
return null;
}
}
/// <summary>
/// Initiates the asynchronous execution of the AssumeRoleWithSAML operation.
/// <seealso cref="Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoleWithSAML"/>
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithSAML operation.</param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
/// <returns>The task object representing the asynchronous operation.</returns>
public async Task<AssumeRoleWithSAMLResponse> AssumeRoleWithSAMLAsync(AssumeRoleWithSAMLRequest request, CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new AssumeRoleWithSAMLRequestMarshaller();
var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.GetInstance();
var response = await Invoke<IRequest, AssumeRoleWithSAMLRequest, AssumeRoleWithSAMLResponse>(request, marshaller, unmarshaller, signer, cancellationToken)
.ConfigureAwait(continueOnCapturedContext: false);
return response;
}
private Amazon.SecurityToken.Model.AssumeRoleWithSAMLResponse CallAWSServiceOperation(IAmazonSecurityTokenService client, Amazon.SecurityToken.Model.AssumeRoleWithSAMLRequest request)
{
Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Security Token Service", "AssumeRoleWithSAML");
try
{
#if DESKTOP
return(client.AssumeRoleWithSAML(request));
#elif CORECLR
return(client.AssumeRoleWithSAMLAsync(request).GetAwaiter().GetResult());
#else
#error "Unknown build edition"
#endif
}
catch (AmazonServiceException exc)
{
var webException = exc.InnerException as System.Net.WebException;
if (webException != null)
{
throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
}
throw;
}
}
