public SessionAWSCredentials GetSamlRoleCredentails(string samlAssertion, string awsRole) { string[] role = awsRole.Split(','); AssumeRoleWithSAMLRequest samlRequest = new AssumeRoleWithSAMLRequest(); samlRequest.SAMLAssertion = samlAssertion; samlRequest.RoleArn = role[1]; samlRequest.PrincipalArn = role[0]; samlRequest.DurationSeconds = 3600; AmazonSecurityTokenServiceClient sts; AssumeRoleWithSAMLResponse samlResponse; try { sts = new AmazonSecurityTokenServiceClient(); samlResponse = sts.AssumeRoleWithSAML(samlRequest); } catch { sts = new AmazonSecurityTokenServiceClient("a", "b", "c"); samlResponse = sts.AssumeRoleWithSAML(samlRequest); } SessionAWSCredentials sessionCredentials = new SessionAWSCredentials( samlResponse.Credentials.AccessKeyId, samlResponse.Credentials.SecretAccessKey, samlResponse.Credentials.SessionToken); return sessionCredentials; }
public Deployer(AwsConfiguration awsConfiguration) { _awsEndpoint = awsConfiguration.AwsEndpoint; _bucket = awsConfiguration.Bucket; _assumeRoleTrustDocument = awsConfiguration.AssumeRoleTrustDocument; _iamRolePolicyDocument = awsConfiguration.IamRolePolicyDocument; AWSCredentials credentials; if (isArn(awsConfiguration.RoleName)) { var securityTokenServiceClient = new AmazonSecurityTokenServiceClient(awsConfiguration.AwsEndpoint); var assumeRoleResult = securityTokenServiceClient.AssumeRole(new AssumeRoleRequest { RoleArn = awsConfiguration.RoleName, DurationSeconds = 3600, RoleSessionName = "Net2User", ExternalId = Guid.NewGuid().ToString() }); Credentials stsCredentials = assumeRoleResult.Credentials; SessionAWSCredentials sessionCredentials = new SessionAWSCredentials(stsCredentials.AccessKeyId, stsCredentials.SecretAccessKey, stsCredentials.SessionToken); credentials = sessionCredentials; _role = new AssumedRole(assumeRoleResult.AssumedRoleUser); } else { credentials = awsConfiguration.Credentials ?? new EnvironmentAWSCredentials(); } _codeDeployClient = new AmazonCodeDeployClient( credentials, new AmazonCodeDeployConfig { RegionEndpoint = awsConfiguration.AwsEndpoint, ProxyHost = awsConfiguration.ProxyHost, ProxyPort = awsConfiguration.ProxyPort }); _cloudFormationClient = new AmazonCloudFormationClient( credentials, new AmazonCloudFormationConfig { RegionEndpoint = awsConfiguration.AwsEndpoint, ProxyHost = awsConfiguration.ProxyHost, ProxyPort = awsConfiguration.ProxyPort }); _s3Client = new AmazonS3Client( credentials, new AmazonS3Config { RegionEndpoint = awsConfiguration.AwsEndpoint, ProxyHost = awsConfiguration.ProxyHost, ProxyPort = awsConfiguration.ProxyPort }); _iamClient = new AmazonIdentityManagementServiceClient( credentials, new AmazonIdentityManagementServiceConfig { RegionEndpoint = awsConfiguration.AwsEndpoint, ProxyHost = awsConfiguration.ProxyHost, ProxyPort = awsConfiguration.ProxyPort }); _autoScalingClient = new AmazonAutoScalingClient( credentials, new AmazonAutoScalingConfig { RegionEndpoint = awsConfiguration.AwsEndpoint, ProxyHost = awsConfiguration.ProxyHost, ProxyPort = awsConfiguration.ProxyPort }); }
/// <summary> /// Resolves the set of <see cref="AWSCredentials">AWS Credentials</see> based on the /// combination of credential-related parameters that are specified. /// </summary> /// <remarks> /// The order of resolution is as follows: /// <list> /// <item> /// 1. If AccessKeyId is found /// <item>a. If Session Token is found, returns Session AWS Credential</item> /// <item>b. If no Session Token, returns a Base AWS Credential</item> /// </item> /// <item> /// 2. If Profile Name is found, return a Stored Profile AWS Credential, with /// an optional, overridden Profile Location /// </item> /// <item> /// 3. If an IAM Role Name is specified, get the credentials from the local /// EC2 instance IAM Role environment; if the special name '*' is used, /// it uses the first IAM Role found in the current EC2 environment /// </item> /// <item> /// 4. Otherwise, assume credentials are specified in environment variables /// accessible to the hosting process and retrieve them from the following /// variables: /// <item><code>AWS_ACCESS_KEY_ID</code></item> /// <item><code>AWS_SECRET_ACCESS_KEY</code></item> /// <item><code></code>AWS_SESSION_TOKEN</code> (optional)</code></item> /// </item> /// </list> /// </remarks> public AWSCredentials ResolveCredentials() { AWSCredentials cr; if (!string.IsNullOrEmpty(AwsAccessKeyId)) { if (!string.IsNullOrEmpty(AwsSessionToken)) { cr = new SessionAWSCredentials(AwsAccessKeyId, AwsSecretAccessKey, AwsSessionToken); } else { cr = new Amazon.Runtime.BasicAWSCredentials(AwsAccessKeyId, AwsSecretAccessKey); } } else if (!string.IsNullOrEmpty(AwsProfileName)) { cr = new StoredProfileAWSCredentials(AwsProfileName, AwsProfileLocation); } else if (!string.IsNullOrEmpty(AwsIamRole)) { if (AwsIamRole == IAM_ROLE_ANY) cr = new InstanceProfileAWSCredentials(); else cr = new InstanceProfileAWSCredentials(AwsIamRole); } else { cr = new EnvironmentVariablesAWSCredentials(); } return cr; }
public virtual AmazonS3Client AppMode_CreateS3Client(Credentials credentials, RegionEndpoint regionEndpoint) { AmazonS3Client s3Client; var sessionCredentials = new SessionAWSCredentials( credentials.AccessKeyId, credentials.SecretAccessKey, credentials.SessionToken); s3Client = new AmazonS3Client(sessionCredentials, regionEndpoint); return s3Client; }
public virtual bool AppMode_TestSqsAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials) { try { var sqsClient = new AmazonSQSClient(credentials, regionEndpoint); sqsClient.ListQueues(new ListQueuesRequest()); return true; } catch { return false; } }
public virtual bool AppMode_TestSnsAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials) { try { var snsClient = new AmazonSimpleNotificationServiceClient(credentials, regionEndpoint); snsClient.ListTopics(new ListTopicsRequest()); return true; } catch { return false; } }
public virtual bool AppMode_TestIamAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials) { try { var iamClient = new AmazonIdentityManagementServiceClient(credentials, regionEndpoint); iamClient.ListUsers(new ListUsersRequest()); return true; } catch { return false; } }
/// <summary> /// Perform the AppMode operations by assuming the dev and prod roles, and checking for permissions. /// </summary> /// <param name="labVariables">The data.</param> public void AppMode_Run(LabVariables labVariables) { var credentials = new BasicAWSCredentials( ConfigurationManager.AppSettings["appModeAWSAccessKey"], ConfigurationManager.AppSettings["appModeAWSSecretKey"]); Credentials devCredentials = null, prodCredentials = null; using (var stsClient = new AmazonSecurityTokenServiceClient(credentials, RegionEndpoint)) { Console.WriteLine("Assuming developer role to retrieve developer session credentials."); devCredentials = LabCode.AppMode_AssumeRole(stsClient, labVariables.DevelopmentRoleArn, "dev_session"); if (devCredentials == null) { Console.WriteLine("No developer credentials returned. AccessDenied."); return; } Console.WriteLine("\nAssuming production role to retrieve production session credentials."); prodCredentials = LabCode.AppMode_AssumeRole(stsClient, labVariables.ProductionRoleArn, "prod_session"); if (prodCredentials == null) { Console.WriteLine("No production credentials returned. AccessDenied."); return; } } using (var devS3Client = LabCode.AppMode_CreateS3Client(devCredentials, RegionEndpoint)) { using (var prodS3Client = LabCode.AppMode_CreateS3Client(prodCredentials, RegionEndpoint)) { Console.WriteLine("\nTesting Developer Session..."); var devSession = new SessionAWSCredentials( devCredentials.AccessKeyId, devCredentials.SecretAccessKey, devCredentials.SessionToken); Console.WriteLine(" IAM: {0}", OptionalLabCode.AppMode_TestIamAccess(RegionEndpoint, devSession) ? "Accessible." : "Inaccessible."); Console.WriteLine(" SQS: {0}", OptionalLabCode.AppMode_TestSqsAccess(RegionEndpoint, devSession) ? "Accessible." : "Inaccessible."); Console.WriteLine(" SNS: {0}", OptionalLabCode.AppMode_TestSnsAccess(RegionEndpoint, devSession) ? "Accessible." : "Inaccessible."); Console.WriteLine(" S3:"); foreach (string bucketName in labVariables.BucketNames) { TestS3Client(devS3Client, bucketName); } Console.WriteLine("\nTesting Production Session..."); var prodSession = new SessionAWSCredentials( prodCredentials.AccessKeyId, prodCredentials.SecretAccessKey, prodCredentials.SessionToken); Console.WriteLine(" IAM: {0}", OptionalLabCode.AppMode_TestIamAccess(RegionEndpoint, prodSession) ? "Accessible." : "Inaccessible."); Console.WriteLine(" SQS: {0}", OptionalLabCode.AppMode_TestSqsAccess(RegionEndpoint, prodSession) ? "Accessible." : "Inaccessible."); Console.WriteLine(" SNS: {0}", OptionalLabCode.AppMode_TestSnsAccess(RegionEndpoint, prodSession) ? "Accessible." : "Inaccessible."); Console.WriteLine(" S3:"); foreach (string bucketName in labVariables.BucketNames) { TestS3Client(prodS3Client, bucketName); } } } }
/// <summary> /// Test access to the SQS service using the provided credentials by requesting a listing of the SQS queues. /// You are free to test in any way you like. Submit any sort of request and watch for an exception. /// </summary> /// <param name="regionEndpoint">The region endpoint to use for the client connection.</param> /// <param name="credentials">The credentials to use.</param> /// <returns>True, if the service is accessible. False, if the credentials are rejected.</returns> public override bool AppMode_TestSqsAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials) { //TODO: Replace this call to the base class with your own method implementation. return base.AppMode_TestSqsAccess(regionEndpoint, credentials); }