Usage of com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient in project hadoop (apache): class ITestS3ATemporaryCredentials, method testSTS.
/**
 * Exercise STS session-token issuance end to end.
 *
 * Using the long-lived AWS credentials configured for the S3A tests (if any),
 * a 15-minute session token is requested from STS — the endpoint can be
 * overridden through the property {@code test.sts.endpoint} — and the
 * resulting temporary credentials are then used to create and verify a file.
 * Finally the session token is tampered with and the test asserts that file
 * access is refused.
 *
 * NOTE(review): the temporary credentials are written into the contract's
 * shared Configuration. They are never logged here; only the STS endpoint
 * (not a secret) is emitted at debug level.
 *
 * @throws IOException on any failure talking to STS or S3
 */
@Test
public void testSTS() throws IOException {
  Configuration conf = getContract().getConf();
  if (!conf.getBoolean(TEST_STS_ENABLED, true)) {
    skip("STS functional tests disabled");
  }
  S3xLoginHelper.Login s3aLogin =
      S3AUtils.getAWSAccessKeys(URI.create("s3a://foobar"), conf);
  if (!s3aLogin.hasLogin()) {
    skip("testSTS disabled because AWS credentials not configured");
  }

  // The long-lived keys are the "parent" identity that asks STS for a session token.
  AWSCredentialsProvider longLivedCredentials =
      new BasicAWSCredentialsProvider(s3aLogin.getUser(), s3aLogin.getPassword());
  AWSSecurityTokenServiceClient sts = new AWSSecurityTokenServiceClient(longLivedCredentials);
  String endpointOverride = conf.getTrimmed(TEST_STS_ENDPOINT, "");
  if (!endpointOverride.isEmpty()) {
    LOG.debug("STS Endpoint ={}", endpointOverride);
    sts.setEndpoint(endpointOverride);
  }

  // 15 minutes is the shortest lifetime STS accepts; it keeps any credentials
  // that escape from a test run short-lived.
  GetSessionTokenRequest tokenRequest = new GetSessionTokenRequest().withDurationSeconds(900);
  Credentials session = sts.getSessionToken(tokenRequest).getCredentials();
  String issuedToken = session.getSessionToken();

  // Point the S3A configuration at the temporary credentials instead of the parent keys.
  conf.set(ACCESS_KEY, session.getAccessKeyId());
  conf.set(SECRET_KEY, session.getSecretAccessKey());
  conf.set(SESSION_TOKEN, issuedToken);
  conf.set(AWS_CREDENTIALS_PROVIDER, PROVIDER_CLASS);
  try (S3AFileSystem fs = S3ATestUtils.createTestFileSystem(conf)) {
    createAndVerifyFile(fs, path("testSTS"), TEST_FILE_SIZE);
  }

  // Negative case: a tampered session token must not grant access.
  conf.set(SESSION_TOKEN, "invalid-" + issuedToken);
  try (S3AFileSystem fs = S3ATestUtils.createTestFileSystem(conf)) {
    createAndVerifyFile(fs, path("testSTSInvalidToken"), TEST_FILE_SIZE);
    fail("Expected an access exception, but file access to " + fs.getUri() + " was allowed: " + fs);
  } catch (AWSS3IOException ex) {
    LOG.info("Expected Exception: {}", ex.toString());
    LOG.debug("Expected Exception: {}", ex, ex);
  }
}
Usage of com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient in project nifi (apache): class AssumeRoleCredentialsStrategy, method getDerivedCredentialsProvider.
/**
 * Builds a credentials provider that assumes an IAM role on top of the primary credentials.
 *
 * The role ARN, session name, optional external ID, maximum session time and optional
 * proxy settings are all read from the processor properties. The STS call is made with
 * the primary credentials; the returned provider then hands out (and refreshes) the
 * role's temporary credentials.
 *
 * @param properties the configured processor properties
 * @param primaryCredentialsProvider the credentials used to call STS AssumeRole
 * @return a provider vending credentials for the assumed role
 * @throws NumberFormatException if the session time or proxy port is not an integer
 */
@Override
public AWSCredentialsProvider getDerivedCredentialsProvider(Map<PropertyDescriptor, String> properties, AWSCredentialsProvider primaryCredentialsProvider) {
    final String roleArn = properties.get(ASSUME_ROLE_ARN);
    final String roleSessionName = properties.get(ASSUME_ROLE_NAME);
    final String externalId = properties.get(ASSUME_ROLE_EXTERNAL_ID);

    String sessionTimeText = properties.get(MAX_SESSION_TIME);
    if (sessionTimeText == null) {
        sessionTimeText = MAX_SESSION_TIME.getDefaultValue();
    }
    // No range check here: STS rejects durations outside what the role permits.
    final int sessionSeconds = Integer.parseInt(sessionTimeText.trim());

    // Route the STS call through a proxy only when proxyVariablesValidForAssumeRole()
    // accepts the configured proxy properties.
    final ClientConfiguration stsConfig = new ClientConfiguration();
    if (proxyVariablesValidForAssumeRole(properties)) {
        stsConfig.withProxyHost(properties.get(ASSUME_ROLE_PROXY_HOST));
        stsConfig.withProxyPort(Integer.parseInt(properties.get(ASSUME_ROLE_PROXY_PORT)));
    }
    final AWSSecurityTokenService sts =
            new AWSSecurityTokenServiceClient(primaryCredentialsProvider, stsConfig);

    STSAssumeRoleSessionCredentialsProvider.Builder providerBuilder =
            new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, roleSessionName)
                    .withStsClient(sts)
                    .withRoleSessionDurationSeconds(sessionSeconds);
    // The external ID is the confused-deputy guard for cross-account roles; it is only
    // forwarded when the user actually configured one.
    if (externalId != null && !externalId.isEmpty()) {
        providerBuilder = providerBuilder.withExternalId(externalId);
    }
    return providerBuilder.build();
}
Usage of com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient in project athenz (yahoo): class ZTSClient, method assumeAWSRole.
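/**
 * Assumes the given AWS IAM role via STS and returns the resulting temporary credentials.
 *
 * The request is built by {@code getAssumeRoleRequest}; the STS client is created with
 * the no-argument constructor, so no explicit credentials are passed and the SDK's
 * default credential lookup applies. The client is created per call and shut down
 * afterwards so its HTTP connection pool is released.
 *
 * @param account the AWS account the role lives in
 * @param roleName the name of the role to assume
 * @return the temporary credentials, or {@code null} if the role could not be assumed
 *         (the failure is logged with its stack trace; callers must handle {@code null})
 */
Credentials assumeAWSRole(String account, String roleName) {
    AWSSecurityTokenServiceClient client = null;
    try {
        AssumeRoleRequest req = getAssumeRoleRequest(account, roleName);
        client = new AWSSecurityTokenServiceClient();
        AssumeRoleResult res = client.assumeRole(req);
        return res.getCredentials();
    } catch (Exception ex) {
        // Keep the exception as the cause so the STS error code and stack are not lost;
        // account and role name are not secrets and make the failure attributable.
        LOG.error("assumeAWSRole - unable to assume role: " + ex.getMessage()
                + " (account=" + account + ", role=" + roleName + ")", ex);
        return null;
    } finally {
        if (client != null) {
            client.shutdown();
        }
    }
}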
Usage of com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient in project herd (FINRAOS): class StsDaoImpl, method getTemporarySecurityCredentials.
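/**
 * Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) that can be used to access
 * the specified AWS resource.
 *
 * @param awsParamsDto the AWS parameters; only the optional HTTP proxy host and port are used here, to configure the STS client
 * @param sessionName the session name that will be associated with the temporary credentials. The session name must be the same for an initial set of
 * credentials and an extended set of credentials if credentials are to be refreshed. The session name also is used to identify the user in AWS logs so it
 * should be something unique and useful to identify the caller/use.
 * @param awsRoleArn the AWS ARN for the role required to provide access to the specified AWS resource
 * @param awsRoleDurationSeconds the duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour);
 * STS rejects values outside the range the role permits.
 * @param policy the temporary policy to apply to this request, or {@code null} for none. AWS applies it as a session policy, i.e. an additional
 * restriction on top of what the role already allows
 *
 * @return the assumed session credentials
 */
@Override
public Credentials getTemporarySecurityCredentials(AwsParamsDto awsParamsDto, String sessionName, String awsRoleArn, int awsRoleDurationSeconds, Policy policy) {
    // Construct a new AWS security token service client using the specified client configuration to access Amazon S3.
    // No credentials are passed explicitly, so the SDK's default credentials provider chain is used; at the time this was written it searched:
    // - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
    // - Java System Properties - aws.accessKeyId and aws.secretKey
    // - Instance Profile Credentials - delivered through the Amazon EC2 metadata service
    // (the exact order and additional sources depend on the SDK version — see DefaultAWSCredentialsProviderChain).
    ClientConfiguration clientConfiguration = new ClientConfiguration().withRetryPolicy(retryPolicyFactory.getRetryPolicy());
    // Only set the proxy hostname and/or port if they're configured.
    if (StringUtils.isNotBlank(awsParamsDto.getHttpProxyHost())) {
        clientConfiguration.setProxyHost(awsParamsDto.getHttpProxyHost());
    }
    if (awsParamsDto.getHttpProxyPort() != null) {
        clientConfiguration.setProxyPort(awsParamsDto.getHttpProxyPort());
    }
    AWSSecurityTokenServiceClient awsSecurityTokenServiceClient = new AWSSecurityTokenServiceClient(clientConfiguration);
    try {
        // Create the request.
        AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
        assumeRoleRequest.setRoleSessionName(sessionName);
        assumeRoleRequest.setRoleArn(awsRoleArn);
        assumeRoleRequest.setDurationSeconds(awsRoleDurationSeconds);
        if (policy != null) {
            assumeRoleRequest.setPolicy(policy.toJson());
        }
        // Get the temporary security credentials.
        AssumeRoleResult assumeRoleResult = stsOperations.assumeRole(awsSecurityTokenServiceClient, assumeRoleRequest);
        return assumeRoleResult.getCredentials();
    } finally {
        // The client is created per call; release its HTTP connection pool rather than leaking one per request.
        awsSecurityTokenServiceClient.shutdown();
    }
}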
Usage of com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient in project cloudbreak (hortonworks): class AwsSessionCredentialClient, method retrieveSessionCredentials.
/**
 * Assumes the role named in the credential view and returns short-lived session credentials.
 *
 * The request always carries this client's configured external ID (the cross-account
 * confused-deputy guard), the default session duration, and a fixed role session name.
 * NOTE(review): because the session name is the constant "hadoop-provisioning", CloudTrail
 * cannot distinguish callers by session name; attribution has to come from elsewhere.
 *
 * @param awsCredential the credential view holding the role ARN to assume
 * @return the access key, secret key and session token issued by STS
 */
public BasicSessionCredentials retrieveSessionCredentials(AwsCredentialView awsCredential) {
    LOGGER.debug("retrieving session credential");
    AssumeRoleRequest request = new AssumeRoleRequest()
            .withDurationSeconds(DEFAULT_SESSION_CREDENTIALS_DURATION)
            .withExternalId(externalId)
            .withRoleArn(awsCredential.getRoleArn())
            .withRoleSessionName("hadoop-provisioning");
    AWSSecurityTokenServiceClient sts = awsSecurityTokenServiceClient();
    AssumeRoleResult outcome = sts.assumeRole(request);
    String accessKeyId = outcome.getCredentials().getAccessKeyId();
    String secretKey = outcome.getCredentials().getSecretAccessKey();
    String token = outcome.getCredentials().getSessionToken();
    return new BasicSessionCredentials(accessKeyId, secretKey, token);
}