Example 36 with AssumeRoleRequest

Use of com.amazonaws.services.securitytoken.model.AssumeRoleRequest in project ice by Netflix.

The class AwsUtils, method getAssumedCredentials.

/**
 * Get assumed IAM credentials by calling STS AssumeRole.
 * @param accountId  the AWS account that owns the role
 * @param assumeRole the role name; the role ARN is built from accountId and this name
 * @param externalId optional external ID required by the role's trust policy; ignored when empty
 * @return temporary IAM credentials for the assumed role
 */
public static Credentials getAssumedCredentials(String accountId, String assumeRole, String externalId) {
    // The session name is the role name truncated to its first 32 characters.
    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
            .withRoleArn("arn:aws:iam::" + accountId + ":role/" + assumeRole)
            .withRoleSessionName(assumeRole.substring(0, Math.min(assumeRole.length(), 32)));
    if (!StringUtils.isEmpty(externalId))
        assumeRoleRequest.setExternalId(externalId);
    AssumeRoleResult roleResult = securityClient.assumeRole(assumeRoleRequest);
    return roleResult.getCredentials();
}
Also used: AssumeRoleRequest (com.amazonaws.services.securitytoken.model.AssumeRoleRequest), AssumeRoleResult (com.amazonaws.services.securitytoken.model.AssumeRoleResult)

Example 37 with AssumeRoleRequest

Use of com.amazonaws.services.securitytoken.model.AssumeRoleRequest in project herd by FINRAOS.

The class StsDaoTest, method testGetTemporarySecurityCredentials.

@Test
public void testGetTemporarySecurityCredentials() {
    // Create an AWS parameters DTO with proxy settings.
    AwsParamsDto awsParamsDto = new AwsParamsDto();
    awsParamsDto.setHttpProxyHost(HTTP_PROXY_HOST);
    awsParamsDto.setHttpProxyPort(HTTP_PROXY_PORT);
    awsParamsDto.setAwsRegionName(AWS_REGION_NAME);
    // Build AWS client configuration.
    ClientConfiguration clientConfiguration = new ClientConfiguration();
    // Specify the duration, in seconds, of the role session.
    int awsRoleDurationSeconds = INTEGER_VALUE;
    // Create an IAM policy.
    Policy policy = new Policy(STRING_VALUE);
    // Create the expected assume role request.
    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
            .withRoleArn(AWS_ROLE_ARN)
            .withRoleSessionName(SESSION_NAME)
            .withPolicy(policy.toJson())
            .withDurationSeconds(awsRoleDurationSeconds);
    // Create AWS credentials for API authentication.
    Credentials credentials = new Credentials();
    credentials.setAccessKeyId(AWS_ASSUMED_ROLE_ACCESS_KEY);
    credentials.setSecretAccessKey(AWS_ASSUMED_ROLE_SECRET_KEY);
    credentials.setSessionToken(AWS_ASSUMED_ROLE_SESSION_TOKEN);
    // Create an assume role result.
    AssumeRoleResult assumeRoleResult = new AssumeRoleResult();
    assumeRoleResult.setCredentials(credentials);
    // Mock the external calls.
    when(awsHelper.getClientConfiguration(awsParamsDto)).thenReturn(clientConfiguration);
    when(stsOperations.assumeRole(any(AWSSecurityTokenServiceClient.class), eq(assumeRoleRequest)))
            .thenReturn(assumeRoleResult);
    // Call the method under test.
    Credentials result = stsDaoImpl.getTemporarySecurityCredentials(
            awsParamsDto, SESSION_NAME, AWS_ROLE_ARN, awsRoleDurationSeconds, policy);
    // Verify the external calls.
    verify(awsHelper).getClientConfiguration(awsParamsDto);
    verify(stsOperations).assumeRole(any(AWSSecurityTokenServiceClient.class), eq(assumeRoleRequest));
    verifyNoMoreInteractionsHelper();
    // Validate the returned object.
    assertEquals(credentials, result);
}
Also used: Policy (com.amazonaws.auth.policy.Policy), AssumeRoleRequest (com.amazonaws.services.securitytoken.model.AssumeRoleRequest), AwsParamsDto (org.finra.herd.model.dto.AwsParamsDto), AWSSecurityTokenServiceClient (com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient), AssumeRoleResult (com.amazonaws.services.securitytoken.model.AssumeRoleResult), ClientConfiguration (com.amazonaws.ClientConfiguration), Credentials (com.amazonaws.services.securitytoken.model.Credentials), Test (org.junit.Test)

Example 38 with AssumeRoleRequest

Use of com.amazonaws.services.securitytoken.model.AssumeRoleRequest in project cloudbreak by hortonworks.

The class AwsSessionCredentialClient, method retrieveSessionCredentialsWithoutExternalId.

public AwsSessionCredentials retrieveSessionCredentialsWithoutExternalId(AwsCredentialView awsCredential) {
    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
            .withDurationSeconds(DEFAULT_SESSION_CREDENTIALS_DURATION)
            .withRoleArn(awsCredential.getRoleArn())
            .withRoleSessionName(roleSessionName);
    LOGGER.debug("Trying to assume role with role arn {} and without external ID", awsCredential.getRoleArn());
    return getAwsSessionCredentialsAndAssumeRole(awsCredential, assumeRoleRequest);
}
Also used: AssumeRoleRequest (com.amazonaws.services.securitytoken.model.AssumeRoleRequest)

Example 39 with AssumeRoleRequest

Use of com.amazonaws.services.securitytoken.model.AssumeRoleRequest in project athenz by AthenZ.

The class CloudStoreTest, method testGetAssumeRoleRequest.

@Test
public void testGetAssumeRoleRequest() {
    CloudStore store = new CloudStore();
    AssumeRoleRequest req = store.getAssumeRoleRequest("1234", "admin", null, null);
    assertEquals("arn:aws:iam::1234:role/admin", req.getRoleArn());
    assertEquals("athenz-zts-service", req.getRoleSessionName());
    assertNull(req.getDurationSeconds());
    assertNull(req.getExternalId());
    req = store.getAssumeRoleRequest("12345", "adminuser", 101, "external");
    assertEquals("arn:aws:iam::12345:role/adminuser", req.getRoleArn());
    assertEquals("athenz-zts-service", req.getRoleSessionName());
    assertEquals(Integer.valueOf(101), req.getDurationSeconds());
    assertEquals("external", req.getExternalId());
    store.close();
}
Also used: AssumeRoleRequest (com.amazonaws.services.securitytoken.model.AssumeRoleRequest), Test (org.testng.annotations.Test)

Example 40 with AssumeRoleRequest

Use of com.amazonaws.services.securitytoken.model.AssumeRoleRequest in project athenz by AthenZ.

The class CloudStore, method assumeAWSRole.

public AWSTemporaryCredentials assumeAWSRole(String account, String roleName, String principal,
        Integer durationSeconds, String externalId, StringBuilder errorMessage) {
    if (!awsEnabled) {
        throw new ResourceException(ResourceException.INTERNAL_SERVER_ERROR, "AWS Support not enabled");
    }
    // first check to see if we already have the temp creds cached
    final String cacheKey = getCacheKey(account, roleName, principal, durationSeconds, externalId);
    AWSTemporaryCredentials tempCreds = getCachedCreds(cacheKey, durationSeconds);
    if (tempCreds != null) {
        return tempCreds;
    }
    if (isFailedTempCredsRequest(cacheKey)) {
        errorMessage.append("Cached invalid request. Retry operation after ").append(invalidCacheTimeout).append(" seconds.");
        return null;
    }
    AssumeRoleRequest req = getAssumeRoleRequest(account, roleName, durationSeconds, externalId);
    try {
        AWSSecurityTokenService client = getTokenServiceClient();
        AssumeRoleResult res = client.assumeRole(req);
        Credentials awsCreds = res.getCredentials();
        tempCreds = new AWSTemporaryCredentials()
                .setAccessKeyId(awsCreds.getAccessKeyId())
                .setSecretAccessKey(awsCreds.getSecretAccessKey())
                .setSessionToken(awsCreds.getSessionToken())
                .setExpiration(Timestamp.fromMillis(awsCreds.getExpiration().getTime()));
    } catch (AmazonServiceException ex) {
        LOGGER.error("CloudStore: assumeAWSRole - unable to assume role: {}, error: {}, status code: {}",
                req.getRoleArn(), ex.getMessage(), ex.getStatusCode());
        if (ex.getStatusCode() == ResourceException.FORBIDDEN) {
            putInvalidCacheCreds(cacheKey);
        }
        errorMessage.append(ex.getErrorMessage());
        return null;
    } catch (Exception ex) {
        LOGGER.error("CloudStore: assumeAWSRole - unable to assume role: {}, error: {}",
                req.getRoleArn(), ex.getMessage());
        errorMessage.append(ex.getMessage());
        return null;
    }
    putCacheCreds(cacheKey, tempCreds);
    return tempCreds;
}
Also used: AssumeRoleRequest (com.amazonaws.services.securitytoken.model.AssumeRoleRequest), AmazonServiceException (com.amazonaws.AmazonServiceException), ResourceException (com.yahoo.athenz.zts.ResourceException), AssumeRoleResult (com.amazonaws.services.securitytoken.model.AssumeRoleResult), AWSTemporaryCredentials (com.yahoo.athenz.zts.AWSTemporaryCredentials), AWSSecurityTokenService (com.amazonaws.services.securitytoken.AWSSecurityTokenService), BasicSessionCredentials (com.amazonaws.auth.BasicSessionCredentials), Credentials (com.amazonaws.services.securitytoken.model.Credentials), TimeoutException (java.util.concurrent.TimeoutException), ExecutionException (java.util.concurrent.ExecutionException)

Aggregations (class, package, number of usages)

AssumeRoleRequest (com.amazonaws.services.securitytoken.model.AssumeRoleRequest) 53
AssumeRoleResult (com.amazonaws.services.securitytoken.model.AssumeRoleResult) 42
BasicSessionCredentials (com.amazonaws.auth.BasicSessionCredentials) 30
AWSSecurityTokenService (com.amazonaws.services.securitytoken.AWSSecurityTokenService) 28
Regions (com.amazonaws.regions.Regions) 13
AWSStaticCredentialsProvider (com.amazonaws.auth.AWSStaticCredentialsProvider) 11
BasicAWSCredentials (com.amazonaws.auth.BasicAWSCredentials) 11
Credentials (com.amazonaws.services.securitytoken.model.Credentials) 11
AWSCredentials (com.amazonaws.auth.AWSCredentials) 10
AmazonDynamoDBClient (com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient) 10
AWSSecurityTokenServiceClientBuilder (com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder) 8
AWSSecurityTokenServiceClient (com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient) 7
AutomationException (exceptions.AutomationException) 7
ClientConfiguration (com.amazonaws.ClientConfiguration) 6
AmazonServiceException (com.amazonaws.AmazonServiceException) 4
AWSCredentialsProvider (com.amazonaws.auth.AWSCredentialsProvider) 4
DeleteItemSpec (com.amazonaws.services.dynamodbv2.document.spec.DeleteItemSpec) 3
AWSSessionCredentials (com.amazonaws.auth.AWSSessionCredentials) 2
AnonymousAWSCredentials (com.amazonaws.auth.AnonymousAWSCredentials) 2
ValueMap (com.amazonaws.services.dynamodbv2.document.utils.ValueMap) 2