public object Execute(ExecutorContext context)
{
var cmdletContext = context as CmdletContext;
// create request
var request = new Amazon.IdentityManagement.Model.PutRolePolicyRequest();
if (cmdletContext.PolicyDocument != null)
{
request.PolicyDocument = cmdletContext.PolicyDocument;
}
if (cmdletContext.PolicyName != null)
{
request.PolicyName = cmdletContext.PolicyName;
}
if (cmdletContext.RoleName != null)
{
request.RoleName = cmdletContext.RoleName;
}
CmdletOutput output;
// issue call
var client = Client ?? CreateClient(_CurrentCredentials, _RegionEndpoint);
try
{
var response = CallAWSServiceOperation(client, request);
object pipelineOutput = null;
pipelineOutput = cmdletContext.Select(response, this);
output = new CmdletOutput
{
PipelineOutput = pipelineOutput,
ServiceResponse = response
};
}
catch (Exception e)
{
output = new CmdletOutput {
ErrorResponse = e
};
}
return(output);
}
/// <summary>
/// Initiates the asynchronous execution of the PutRolePolicy operation.
/// <seealso cref="Amazon.IdentityManagement.IAmazonIdentityManagementService"/>
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the PutRolePolicy operation.</param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
/// <returns>The task object representing the asynchronous operation.</returns>
public Task<PutRolePolicyResponse> PutRolePolicyAsync(PutRolePolicyRequest request, System.Threading.CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new PutRolePolicyRequestMarshaller();
var unmarshaller = PutRolePolicyResponseUnmarshaller.Instance;
return InvokeAsync<PutRolePolicyRequest,PutRolePolicyResponse>(request, marshaller,
unmarshaller, cancellationToken);
}
internal PutRolePolicyResponse PutRolePolicy(PutRolePolicyRequest request)
{
var marshaller = new PutRolePolicyRequestMarshaller();
var unmarshaller = PutRolePolicyResponseUnmarshaller.Instance;
return Invoke<PutRolePolicyRequest,PutRolePolicyResponse>(request, marshaller, unmarshaller);
}
IAsyncResult invokePutRolePolicy(PutRolePolicyRequest putRolePolicyRequest, AsyncCallback callback, object state, bool synchronized)
{
IRequest irequest = new PutRolePolicyRequestMarshaller().Marshall(putRolePolicyRequest);
var unmarshaller = PutRolePolicyResponseUnmarshaller.GetInstance();
AsyncResult result = new AsyncResult(irequest, callback, state, synchronized, signer, unmarshaller);
Invoke(result);
return result;
}
/// <summary>
/// <para>Adds (or updates) a policy document associated with the specified role. For information about policies, refer to Overview of Policies
/// in <i>Using AWS Identity and Access Management</i> .</para> <para>For information about limits on the number of policies you can associate
/// with a role, see Limitations on IAM Entities in <i>Using AWS Identity and Access Management</i> .</para> <para><b>NOTE:</b>Because policy
/// documents can be large, you should use POST rather than GET when calling PutRolePolicy. For information about setting up signatures and
/// authorization through the API, go to Signing AWS API Requests in the AWS General Reference. For general information about using the Query
/// API with IAM, go to Making Query Requests in Using IAM.</para>
/// </summary>
///
/// <param name="putRolePolicyRequest">Container for the necessary parameters to execute the PutRolePolicy service method on
/// AmazonIdentityManagementService.</param>
///
/// <exception cref="MalformedPolicyDocumentException"/>
/// <exception cref="NoSuchEntityException"/>
/// <exception cref="LimitExceededException"/>
public PutRolePolicyResponse PutRolePolicy(PutRolePolicyRequest putRolePolicyRequest)
{
IAsyncResult asyncResult = invokePutRolePolicy(putRolePolicyRequest, null, null, true);
return EndPutRolePolicy(asyncResult);
}
/// <summary>
/// Initiates the asynchronous execution of the PutRolePolicy operation.
/// <seealso cref="Amazon.IdentityManagement.AmazonIdentityManagementService.PutRolePolicy"/>
/// </summary>
///
/// <param name="putRolePolicyRequest">Container for the necessary parameters to execute the PutRolePolicy operation on
/// AmazonIdentityManagementService.</param>
/// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
/// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
public IAsyncResult BeginPutRolePolicy(PutRolePolicyRequest putRolePolicyRequest, AsyncCallback callback, object state)
{
return invokePutRolePolicy(putRolePolicyRequest, callback, state, false);
}
/// <summary>
/// Initiates the asynchronous execution of the PutRolePolicy operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the PutRolePolicy operation on AmazonIdentityManagementServiceClient.</param>
/// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
/// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
///
/// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking EndPutRolePolicy
/// operation.</returns>
public IAsyncResult BeginPutRolePolicy(PutRolePolicyRequest request, AsyncCallback callback, object state)
{
var marshaller = new PutRolePolicyRequestMarshaller();
var unmarshaller = PutRolePolicyResponseUnmarshaller.Instance;
return BeginInvoke<PutRolePolicyRequest>(request, marshaller, unmarshaller,
callback, state);
}
/// <summary>
/// Initiates the asynchronous execution of the PutRolePolicy operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the PutRolePolicy operation on AmazonIdentityManagementServiceClient.</param>
/// <param name="callback">An Action delegate that is invoked when the operation completes.</param>
/// <param name="options">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
public void PutRolePolicyAsync(PutRolePolicyRequest request, AmazonServiceCallback<PutRolePolicyRequest, PutRolePolicyResponse> callback, AsyncOptions options = null)
{
options = options == null?new AsyncOptions():options;
var marshaller = new PutRolePolicyRequestMarshaller();
var unmarshaller = PutRolePolicyResponseUnmarshaller.Instance;
Action<AmazonWebServiceRequest, AmazonWebServiceResponse, Exception, AsyncOptions> callbackHelper = null;
if(callback !=null )
callbackHelper = (AmazonWebServiceRequest req, AmazonWebServiceResponse res, Exception ex, AsyncOptions ao) => {
AmazonServiceResult<PutRolePolicyRequest,PutRolePolicyResponse> responseObject
= new AmazonServiceResult<PutRolePolicyRequest,PutRolePolicyResponse>((PutRolePolicyRequest)req, (PutRolePolicyResponse)res, ex , ao.State);
callback(responseObject);
};
BeginInvoke<PutRolePolicyRequest>(request, marshaller, unmarshaller, options, callbackHelper);
}
/// <summary>
/// Initiates the asynchronous execution of the PutRolePolicy operation.
/// <seealso cref="Amazon.IdentityManagement.IAmazonIdentityManagementService.PutRolePolicy"/>
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the PutRolePolicy operation.</param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
/// <returns>The task object representing the asynchronous operation.</returns>
public async Task<PutRolePolicyResponse> PutRolePolicyAsync(PutRolePolicyRequest request, CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new PutRolePolicyRequestMarshaller();
var unmarshaller = PutRolePolicyResponseUnmarshaller.GetInstance();
var response = await Invoke<IRequest, PutRolePolicyRequest, PutRolePolicyResponse>(request, marshaller, unmarshaller, signer, cancellationToken)
.ConfigureAwait(continueOnCapturedContext: false);
return response;
}
/// <summary>
/// <para>Adds (or updates) a policy document associated with the specified role. For information about policies, go to <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?PoliciesOverview.html">Overview of Policies</a> in <i>Using AWS Identity
/// and Access Management</i> .</para> <para>For information about limits on the policies you can associate with a role, see <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?LimitationsOnEntities.html">Limitations on IAM Entities</a> in <i>Using
/// AWS Identity and Access Management</i> .</para> <para><b>NOTE:</b>Because policy documents can be large, you should use POST rather than GET
/// when calling PutRolePolicy. For information about setting up signatures and authorization through the API, go to Signing AWS API Requests in
/// the AWS General Reference. For general information about using the Query API with IAM, go to Making Query Requests in Using IAM.</para>
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the PutRolePolicy service method on
/// AmazonIdentityManagementService.</param>
///
/// <exception cref="T:Amazon.IdentityManagement.Model.MalformedPolicyDocumentException" />
/// <exception cref="T:Amazon.IdentityManagement.Model.NoSuchEntityException" />
/// <exception cref="T:Amazon.IdentityManagement.Model.LimitExceededException" />
public PutRolePolicyResponse PutRolePolicy(PutRolePolicyRequest request)
{
var task = PutRolePolicyAsync(request);
try
{
return task.Result;
}
catch(AggregateException e)
{
throw e.InnerException;
}
}
private Amazon.IdentityManagement.Model.PutRolePolicyResponse CallAWSServiceOperation(IAmazonIdentityManagementService client, Amazon.IdentityManagement.Model.PutRolePolicyRequest request)
{
Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Identity and Access Management", "PutRolePolicy");
try
{
#if DESKTOP
return(client.PutRolePolicy(request));
#elif CORECLR
return(client.PutRolePolicyAsync(request).GetAwaiter().GetResult());
#else
#error "Unknown build edition"
#endif
}
catch (AmazonServiceException exc)
{
var webException = exc.InnerException as System.Net.WebException;
if (webException != null)
{
throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
}
throw;
}
}
/// <summary>
/// <para>Adds (or updates) a policy document associated with the specified role. For information about policies, go to <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?PoliciesOverview.html">Overview of Policies</a> in <i>Using AWS Identity
/// and Access Management</i> .</para> <para>For information about limits on the policies you can associate with a role, see <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?LimitationsOnEntities.html">Limitations on IAM Entities</a> in <i>Using
/// AWS Identity and Access Management</i> .</para> <para><b>NOTE:</b>Because policy documents can be large, you should use POST rather than GET
/// when calling PutRolePolicy. For information about setting up signatures and authorization through the API, go to Signing AWS API Requests in
/// the AWS General Reference. For general information about using the Query API with IAM, go to Making Query Requests in Using IAM.</para>
/// </summary>
///
/// <param name="putRolePolicyRequest">Container for the necessary parameters to execute the PutRolePolicy service method on
/// AmazonIdentityManagementService.</param>
///
/// <exception cref="T:Amazon.IdentityManagement.Model.MalformedPolicyDocumentException" />
/// <exception cref="T:Amazon.IdentityManagement.Model.NoSuchEntityException" />
/// <exception cref="T:Amazon.IdentityManagement.Model.LimitExceededException" />
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
public Task<PutRolePolicyResponse> PutRolePolicyAsync(PutRolePolicyRequest putRolePolicyRequest, CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new PutRolePolicyRequestMarshaller();
var unmarshaller = PutRolePolicyResponseUnmarshaller.GetInstance();
return Invoke<IRequest, PutRolePolicyRequest, PutRolePolicyResponse>(putRolePolicyRequest, marshaller, unmarshaller, signer, cancellationToken);
}
internal PutRolePolicyResponse PutRolePolicy(PutRolePolicyRequest request)
{
var task = PutRolePolicyAsync(request);
try
{
return task.Result;
}
catch(AggregateException e)
{
ExceptionDispatchInfo.Capture(e.InnerException).Throw();
return null;
}
}
public virtual string PrepMode_CreateRole(AmazonIdentityManagementServiceClient iamClient, string roleName,
string policyText, string trustRelationshipText)
{
var roleArn = String.Empty;
// Use the CreateRoleRequest object to define the role. The AssumeRolePolicyDocument property should be
// set to the value of the trustRelationshipText parameter.
var createRoleRequest = new CreateRoleRequest
{
AssumeRolePolicyDocument = trustRelationshipText,
RoleName = roleName
};
roleArn = iamClient.CreateRole(createRoleRequest).Role.Arn;
// Use the PutRolePolicyRequest object to define the request. Select whatever policy name you would like.
// The PolicyDocument property is there the policy is described.
var putRolePolicyRequest = new PutRolePolicyRequest
{
RoleName = roleName,
PolicyName = String.Format("{0}_policy", roleName),
PolicyDocument = policyText
};
iamClient.PutRolePolicy(putRolePolicyRequest);
return roleArn;
}
IAsyncResult invokePutRolePolicy(PutRolePolicyRequest request, AsyncCallback callback, object state, bool synchronized)
{
var marshaller = new PutRolePolicyRequestMarshaller();
var unmarshaller = PutRolePolicyResponseUnmarshaller.Instance;
return Invoke(request, callback, state, synchronized, marshaller, unmarshaller, signer);
}
public static void Test(string identityProvider)
{
// Login with credentials to create the role
// credentials are defined in app.config
var iamClient = new AmazonIdentityManagementServiceClient();
string providerURL = null,
providerAppIdName = null,
providerUserIdName = null,
providerAppId = null;
switch (identityProvider)
{
case "Facebook":
providerURL = "graph.facebook.com";
providerAppIdName = "app_id";
providerUserIdName = "id";
break;
case "Google":
providerURL = "accounts.google.com";
providerAppIdName = "aud";
providerUserIdName = "sub";
break;
case "Amazon":
providerURL = "www.amazon.com";
providerAppIdName = "app_id";
providerUserIdName = "user_id";
break;
}
//identity provider specific AppId is loaded from app.config (e.g)
// FacebookProviderAppId. GoogleProviderAppId, AmazonProviderAppId
providerAppId = ConfigurationManager.AppSettings[identityProvider +
"ProviderAppId"];
// Since the string is passed to String.Format, '{' & '}' has to be escaped.
// Policy document specifies who can invoke AssumeRoleWithWebIdentity
string trustPolicyTemplate = @"{{
""Version"": ""2012-10-17"",
""Statement"": [
{{
""Effect"": ""Allow"",
""Principal"": {{ ""Federated"": ""{1}"" }},
""Action"": ""sts:AssumeRoleWithWebIdentity"",
""Condition"": {{
""StringEquals"": {{""{1}:{2}"": ""{3}""}}
}}
}}
]
}}";
// Defines what permissions to grant when AssumeRoleWithWebIdentity is called
string accessPolicyTemplate = @"{{
""Version"": ""2012-10-17"",
""Statement"": [
{{
""Effect"":""Allow"",
""Action"":[""s3:GetObject"", ""s3:PutObject"", ""s3:DeleteObject""],
""Resource"": [
""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}"",
""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}/*""
]
}}
]
}}";
// Create Trust policy
CreateRoleRequest createRoleRequest = new CreateRoleRequest
{
RoleName = "federationtestrole",
AssumeRolePolicyDocument = string.Format(trustPolicyTemplate,
identityProvider,
providerURL,
providerAppIdName,
providerAppId)
};
Console.WriteLine("\nTrust Policy Document:\n{0}\n",
createRoleRequest.AssumeRolePolicyDocument);
CreateRoleResponse createRoleResponse = iamClient.CreateRole(createRoleRequest);
// Create Access policy (Permissions)
PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest
{
PolicyName = "federationtestrole-rolepolicy",
RoleName = "federationtestrole",
PolicyDocument = string.Format(accessPolicyTemplate,
identityProvider,
providerURL,
providerAppIdName,
providerAppId,
providerUserIdName)
};
Console.WriteLine("\nAccess Policy Document (Permissions):\n{0}\n",
putRolePolicyRequest.PolicyDocument);
PutRolePolicyResponse putRolePolicyResponse = iamClient.PutRolePolicy(
putRolePolicyRequest);
// Sleep for the policy to replicate
System.Threading.Thread.Sleep(5000);
AmazonS3Config config = new AmazonS3Config
{
ServiceURL = "s3.amazonaws.com",
RegionEndpoint = Amazon.RegionEndpoint.USEast1
};
Federation federationTest = new Federation();
AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse = null;
switch (identityProvider)
{
case "Facebook":
assumeRoleWithWebIdentityResponse =
federationTest.GetTemporaryCredentialUsingFacebook(
providerAppId,
createRoleResponse.Role.Arn);
break;
case "Google":
assumeRoleWithWebIdentityResponse =
federationTest.GetTemporaryCredentialUsingGoogle(
providerAppId,
createRoleResponse.Role.Arn);
//Uncomment to perform two step process
//assumeRoleWithWebIdentityResponse =
// federationTest.GetTemporaryCredentialUsingGoogle(
// providerAppId,
// ConfigurationManager.AppSettings["GoogleProviderAppIdSecret"],
// createRoleResponse.Role.Arn);
break;
case "Amazon":
assumeRoleWithWebIdentityResponse =
federationTest.GetTemporaryCredentialUsingAmazon(
ConfigurationManager.AppSettings["AmazonProviderClientId"],
createRoleResponse.Role.Arn);
break;
}
S3Test s3Test = new S3Test();
s3Test.CreateS3Bucket("federationtestbucket",
identityProvider + "/" +
assumeRoleWithWebIdentityResponse.SubjectFromWebIdentityToken,
assumeRoleWithWebIdentityResponse.Credentials, config);
DeleteRolePolicyResponse deleteRolePolicyResponse =
iamClient.DeleteRolePolicy(new DeleteRolePolicyRequest
{
PolicyName = "federationtestrole-rolepolicy",
RoleName = "federationtestrole"
});
DeleteRoleResponse deleteRoleResponse =
iamClient.DeleteRole(new DeleteRoleRequest
{
RoleName = "federationtestrole"
});
}
