Example 6 with AWSSecurityTokenServiceClient

Use of com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient in project eureka by Netflix.

The class AwsAsgUtil, method initializeStsSession.

private Credentials initializeStsSession(String asgAccount) {
    // Authenticate to STS with the instance's own IAM role (instance profile
    // credentials); no long-lived keys are stored in the application.
    AWSSecurityTokenService sts = new AWSSecurityTokenServiceClient(new InstanceProfileCredentialsProvider());
    String region = clientConfig.getRegion();
    // The SDK defaults to the global STS endpoint in us-east-1; use the
    // regional endpoint for every other region.
    if (!region.equals("us-east-1")) {
        sts.setEndpoint("sts." + region + ".amazonaws.com");
    }
    // Cross-account role in the account that owns the auto scaling group.
    String roleName = serverConfig.getListAutoScalingGroupsRoleName();
    String roleArn = "arn:aws:iam::" + asgAccount + ":role/" + roleName;
    AssumeRoleResult assumeRoleResult = sts.assumeRole(new AssumeRoleRequest()
            .withRoleArn(roleArn)
            .withRoleSessionName("sts-session-" + asgAccount));
    // Temporary credentials (access key ID, secret key, session token) for the assumed role.
    return assumeRoleResult.getCredentials();
}
Also used: com.amazonaws.auth.InstanceProfileCredentialsProvider, com.amazonaws.services.securitytoken.model.AssumeRoleRequest, com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient, com.amazonaws.services.securitytoken.model.AssumeRoleResult, com.amazonaws.services.securitytoken.AWSSecurityTokenService

Example 7 with AWSSecurityTokenServiceClient

Use of com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient in project aws-doc-sdk-examples by awsdocs.

The class ConstructUrl, method main.

// IOException covers the checked exceptions thrown below: reading the
// credentials file, URLEncoder.encode, new URL(...) and the HTTP read.
public static void main(String[] args) throws IOException {
    /* Calls to AWS STS API operations must be signed using the access key ID
       and secret access key of an IAM user or using existing temporary
       credentials. The credentials should not be embedded in code. For
       this example, the code looks for the credentials in a
       standard configuration file. */
    AWSCredentials credentials = new PropertiesCredentials(
            AwsConsoleApp.class.getResourceAsStream("AwsCredentials.properties"));
    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(credentials);
    GetFederationTokenRequest getFederationTokenRequest = new GetFederationTokenRequest();
    getFederationTokenRequest.setDurationSeconds(1800);
    getFederationTokenRequest.setName("UserName");
    // A sample policy for accessing Amazon Simple Notification Service (Amazon SNS) in the console.
    // The federated user's effective permissions are the intersection of this
    // policy and the permissions of the IAM user making the call.
    String policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sns:*\","
            + "\"Effect\":\"Allow\",\"Resource\":\"*\"}]}";
    getFederationTokenRequest.setPolicy(policy);
    GetFederationTokenResult federationTokenResult = stsClient.getFederationToken(getFederationTokenRequest);
    Credentials federatedCredentials = federationTokenResult.getCredentials();
    // The issuer parameter specifies your internal sign-in
    // page, for example https://mysignin.internal.mycompany.com/.
    // The console parameter specifies the URL to the destination console of the
    // AWS Management Console. This example goes to Amazon SNS.
    // The signin parameter is the URL to send the request to.
    String issuerURL = "https://mysignin.internal.mycompany.com/";
    String consoleURL = "https://console.aws.amazon.com/sns";
    String signInURL = "https://signin.aws.amazon.com/federation";
    // Create the sign-in token using temporary credentials,
    // including the access key ID, secret access key, and security token.
    String sessionJson = String.format("{\"%1$s\":\"%2$s\",\"%3$s\":\"%4$s\",\"%5$s\":\"%6$s\"}",
            "sessionId", federatedCredentials.getAccessKeyId(),
            "sessionKey", federatedCredentials.getSecretAccessKey(),
            "sessionToken", federatedCredentials.getSessionToken());
    // Construct the sign-in request with the request sign-in token action, a
    // 12-hour console session duration, and the JSON document with temporary
    // credentials as parameters.
    String getSigninTokenURL = signInURL + "?Action=getSigninToken"
            + "&DurationSeconds=43200"
            + "&SessionType=json&Session=" + URLEncoder.encode(sessionJson, "UTF-8");
    URL url = new URL(getSigninTokenURL);
    // Send the request to the AWS federation endpoint to get the sign-in token
    URLConnection conn = url.openConnection();
    String returnContent;
    try (BufferedReader bufferReader = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
        returnContent = bufferReader.readLine();
    }
    String signinToken = new JSONObject(returnContent).getString("SigninToken");
    String signinTokenParameter = "&SigninToken=" + URLEncoder.encode(signinToken, "UTF-8");
    // The issuer parameter is optional, but recommended. Use it to direct users
    // to your sign-in page when their session expires.
    String issuerParameter = "&Issuer=" + URLEncoder.encode(issuerURL, "UTF-8");
    String destinationParameter = "&Destination=" + URLEncoder.encode(consoleURL, "UTF-8");
    // Finally, present the completed URL for the AWS console session to the user.
    String loginURL = signInURL + "?Action=login" + signinTokenParameter + issuerParameter + destinationParameter;
}
Also used: java.io.InputStreamReader, com.amazonaws.services.securitytoken.model.GetFederationTokenRequest, com.amazonaws.auth.BasicAWSCredentials, com.amazonaws.auth.AWSCredentials, java.net.URL, java.net.URLConnection, org.json.JSONObject, com.amazonaws.services.securitytoken.model.GetFederationTokenResult, com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient, java.io.BufferedReader, com.amazonaws.services.securitytoken.model.Credentials

Example 8 with AWSSecurityTokenServiceClient

Use of com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient in project athenz by yahoo.

The class InstanceAWSProviderTest, method testVerifyInstanceIdentityNullIdentity.

@Test
public void testVerifyInstanceIdentityNullIdentity() {
    MockInstanceAWSProvider provider = new MockInstanceAWSProvider();
    provider.setIdentitySuper(true);
    // Simulate STS returning no caller identity for the presented credentials.
    AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class);
    Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())).thenReturn(null);
    provider.setStsClient(mockClient);
    AWSAttestationData info = new AWSAttestationData();
    // With no identity to compare against, verification must fail closed.
    assertFalse(provider.verifyInstanceIdentity(info, "1234"));
}
Also used: com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient, org.testng.annotations.Test

Example 9 with AWSSecurityTokenServiceClient

Use of com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient in project athenz by yahoo.

The class InstanceAWSProviderTest, method testVerifyInstanceIdentity.

@Test
public void testVerifyInstanceIdentity() {
    MockInstanceAWSProvider provider = new MockInstanceAWSProvider();
    provider.setIdentitySuper(true);
    AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class);
    GetCallerIdentityResult result = Mockito.mock(GetCallerIdentityResult.class);
    // STS reports the caller as the assumed role "athenz.service" in account 1234.
    Mockito.when(result.getArn()).thenReturn("arn:aws:sts::1234:assumed-role/athenz.service/athenz.service");
    Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())).thenReturn(result);
    provider.setStsClient(mockClient);
    AWSAttestationData info = new AWSAttestationData();
    info.setRole("athenz.service");
    // Role in the attestation data and the expected account both match the ARN.
    assertTrue(provider.verifyInstanceIdentity(info, "1234"));
}
Also used: com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient, com.amazonaws.services.securitytoken.model.GetCallerIdentityResult, org.testng.annotations.Test

Example 10 with AWSSecurityTokenServiceClient

Use of com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient in project athenz by yahoo.

The class InstanceAWSProviderTest, method testVerifyInstanceIdentityException.

@Test
public void testVerifyInstanceIdentityException() {
    MockInstanceAWSProvider provider = new MockInstanceAWSProvider();
    provider.setIdentitySuper(true);
    // Simulate the STS call itself failing.
    AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class);
    Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())).thenThrow(new ResourceException(101, "invaliderror"));
    provider.setStsClient(mockClient);
    AWSAttestationData info = new AWSAttestationData();
    // The exception is handled inside the provider and reported as a failed verification.
    assertFalse(provider.verifyInstanceIdentity(info, "1234"));
}
Also used: com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient, com.yahoo.athenz.instance.provider.ResourceException, org.testng.annotations.Test
