Example 6 with AssumeRoleRequest

Use of com.amazonaws.services.securitytoken.model.AssumeRoleRequest in project athenz by yahoo.

Class CloudStoreTest, method testGetAssumeRoleRequest.

@Test
public void testGetAssumeRoleRequest() {
    CloudStore store = new CloudStore();
    // with no duration or external id, only the role ARN and the fixed session name are set
    AssumeRoleRequest req = store.getAssumeRoleRequest("1234", "admin", null, null);
    assertEquals("arn:aws:iam::1234:role/admin", req.getRoleArn());
    assertEquals("athenz-zts-service", req.getRoleSessionName());
    assertNull(req.getDurationSeconds());
    assertNull(req.getExternalId());
    // a positive duration and a non-empty external id are passed through to the request
    req = store.getAssumeRoleRequest("12345", "adminuser", 101, "external");
    assertEquals("arn:aws:iam::12345:role/adminuser", req.getRoleArn());
    assertEquals("athenz-zts-service", req.getRoleSessionName());
    assertEquals(Integer.valueOf(101), req.getDurationSeconds());
    assertEquals("external", req.getExternalId());
    store.close();
}

Example 7 with AssumeRoleRequest

Use of com.amazonaws.services.securitytoken.model.AssumeRoleRequest in project athenz by yahoo.

Class CloudStore, method getAssumeRoleRequest.

AssumeRoleRequest getAssumeRoleRequest(String account, String roleName, Integer durationSeconds, String externalId) {
    // assume the target role to get the credentials for the client
    // aws format is arn:aws:iam::<account-id>:role/<role-name>
    final String arn = "arn:aws:iam::" + account + ":role/" + roleName;
    AssumeRoleRequest req = new AssumeRoleRequest();
    req.setRoleArn(arn);
    // AWS limits the role session name to 64 characters,
    // so the fixed session name used here must stay shorter than that
    req.setRoleSessionName(AWS_ROLE_SESSION_NAME);
    // only set a duration when the caller asked for a positive one; otherwise AWS applies its default
    if (durationSeconds != null && durationSeconds > 0) {
        req.setDurationSeconds(durationSeconds);
    }
    // the external id is only attached when present; the role's trust policy may require it
    if (externalId != null && !externalId.isEmpty()) {
        req.setExternalId(externalId);
    }
    return req;
}

Example 8 with AssumeRoleRequest

Use of com.amazonaws.services.securitytoken.model.AssumeRoleRequest in project athenz by yahoo.

Class CloudStore, method assumeAWSRole.

public AWSTemporaryCredentials assumeAWSRole(String account, String roleName, String principal,
        Integer durationSeconds, String externalId, StringBuilder errorMessage) {
    if (!awsEnabled) {
        throw new ResourceException(ResourceException.INTERNAL_SERVER_ERROR, "AWS Support not enabled");
    }
    // first check to see if we already have the temp creds cached
    final String cacheKey = getCacheKey(account, roleName, principal, durationSeconds, externalId);
    AWSTemporaryCredentials tempCreds = getCachedCreds(cacheKey, durationSeconds);
    if (tempCreds != null) {
        return tempCreds;
    }
    // a recent failed attempt for the same key is cached as well, so we do not
    // keep hitting STS with a request that was already rejected
    if (isFailedTempCredsRequest(cacheKey)) {
        errorMessage.append("Cached invalid request. Retry operation after ").append(invalidCacheTimeout).append(" seconds.");
        return null;
    }
    AssumeRoleRequest req = getAssumeRoleRequest(account, roleName, durationSeconds, externalId);
    try {
        AWSSecurityTokenService client = getTokenServiceClient();
        AssumeRoleResult res = client.assumeRole(req);
        Credentials awsCreds = res.getCredentials();
        tempCreds = new AWSTemporaryCredentials()
                .setAccessKeyId(awsCreds.getAccessKeyId())
                .setSecretAccessKey(awsCreds.getSecretAccessKey())
                .setSessionToken(awsCreds.getSessionToken())
                .setExpiration(Timestamp.fromMillis(awsCreds.getExpiration().getTime()));
    } catch (AmazonServiceException ex) {
        LOGGER.error("CloudStore: assumeAWSRole - unable to assume role: {}, error: {}, status code: {}",
                req.getRoleArn(), ex.getMessage(), ex.getStatusCode());
        // a 403 means the trust policy rejected us; remember that so repeated calls fail fast
        if (ex.getStatusCode() == ResourceException.FORBIDDEN) {
            putInvalidCacheCreds(cacheKey);
        }
        errorMessage.append(ex.getErrorMessage());
        return null;
    } catch (Exception ex) {
        LOGGER.error("CloudStore: assumeAWSRole - unable to assume role: {}, error: {}",
                req.getRoleArn(), ex.getMessage());
        errorMessage.append(ex.getMessage());
        return null;
    }
    putCacheCreds(cacheKey, tempCreds);
    return tempCreds;
}

Example 9 with AssumeRoleRequest

Use of com.amazonaws.services.securitytoken.model.AssumeRoleRequest in project photon-model by vmware.

Class AWSUtils, method getArnSessionCredentialsAsync.

/**
 * Authenticates and returns a DeferredResult set of session credentials for a valid ARN that
 * authorizes this system's account ID (validated through
 * {@link #AWS_MASTER_ACCOUNT_ACCESS_KEY_PROPERTY} and
 * {@link #AWS_MASTER_ACCOUNT_SECRET_KEY_PROPERTY}) and the externalId parameter.
 *
 * If the system properties are unset, then this call will automatically fail.
 *
 * @param arn The Amazon Resource Name to validate.
 * @param externalId The external ID this ARN has authorized.
 * @param region The region to validate within.
 * @param executorService The executor service to issue the request.
 */
public static DeferredResult<Credentials> getArnSessionCredentialsAsync(String arn, String externalId,
        String region, ExecutorService executorService) {
    AWSCredentialsProvider serviceAwsCredentials;
    try {
        // the master account credentials are the caller that STS authenticates before the role's trust policy is checked
        serviceAwsCredentials = new AWSStaticCredentialsProvider(
                new BasicAWSCredentials(AWS_MASTER_ACCOUNT_ACCESS_KEY, AWS_MASTER_ACCOUNT_SECRET_KEY));
    } catch (Throwable t) {
        return DeferredResult.failed(t);
    }
    AWSSecurityTokenServiceAsync awsSecurityTokenServiceAsync = AWSSecurityTokenServiceAsyncClientBuilder.standard()
            .withRegion(region)
            .withCredentials(serviceAwsCredentials)
            .withExecutorFactory(() -> executorService)
            .build();
    // a random session name per call keeps sessions distinguishable in CloudTrail
    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
            .withRoleArn(arn)
            .withRoleSessionName(UUID.randomUUID().toString())
            .withDurationSeconds(getArnSessionDurationSeconds())
            .withExternalId(externalId);
    DeferredResult<AssumeRoleResult> r = new DeferredResult<>();
    // capture the Xenon operation context so it can be restored on the callback thread
    OperationContext operationContext = OperationContext.getOperationContext();
    awsSecurityTokenServiceAsync.assumeRoleAsync(assumeRoleRequest, new AsyncHandler<AssumeRoleRequest, AssumeRoleResult>() {

        @Override
        public void onSuccess(AssumeRoleRequest request, AssumeRoleResult result) {
            OperationContext.restoreOperationContext(operationContext);
            r.complete(result);
        }

        @Override
        public void onError(Exception ex) {
            OperationContext.restoreOperationContext(operationContext);
            r.fail(ex);
        }
    });
    return r.thenApply(AssumeRoleResult::getCredentials);
}

Example 10 with AssumeRoleRequest

Use of com.amazonaws.services.securitytoken.model.AssumeRoleRequest in project cloudbreak by hortonworks.

Class AwsSessionCredentialClient, method retrieveSessionCredentials.

public BasicSessionCredentials retrieveSessionCredentials(AwsCredentialView awsCredential) {
    LOGGER.debug("retrieving session credential");
    AWSSecurityTokenServiceClient client = awsSecurityTokenServiceClient();
    // the role ARN comes from the stored credential; the external id and session duration are fixed by this client
    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
            .withDurationSeconds(DEFAULT_SESSION_CREDENTIALS_DURATION)
            .withExternalId(externalId)
            .withRoleArn(awsCredential.getRoleArn())
            .withRoleSessionName("hadoop-provisioning");
    AssumeRoleResult result = client.assumeRole(assumeRoleRequest);
    // wrap the temporary key pair and session token as SDK session credentials
    return new BasicSessionCredentials(
            result.getCredentials().getAccessKeyId(),
            result.getCredentials().getSecretAccessKey(),
            result.getCredentials().getSessionToken());
}
