Example 1 with AssumeRoleResult
use of com.amazonaws.services.securitytoken.model.AssumeRoleResult in project athenz by yahoo.
the class ZTSClient method assumeAWSRole.
Credentials assumeAWSRole(String account, String roleName) {
try {
AssumeRoleRequest req = getAssumeRoleRequest(account, roleName);
AWSSecurityTokenServiceClient client = new AWSSecurityTokenServiceClient();
AssumeRoleResult res = client.assumeRole(req);
return res.getCredentials();
} catch (Exception ex) {
LOG.error("assumeAWSRole - unable to assume role: " + ex.getMessage());
return null;
}
}
Also used :
AssumeRoleRequest(com.amazonaws.services.securitytoken.model.AssumeRoleRequest)
AWSSecurityTokenServiceClient(com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient)
AssumeRoleResult(com.amazonaws.services.securitytoken.model.AssumeRoleResult)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
CertificateParsingException(java.security.cert.CertificateParsingException)
CryptoException(com.yahoo.athenz.auth.util.CryptoException)
IOException(java.io.IOException)
JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException)
SSLPeerUnverifiedException(javax.net.ssl.SSLPeerUnverifiedException)
Example 2 with AssumeRoleResult
use of com.amazonaws.services.securitytoken.model.AssumeRoleResult in project herd by FINRAOS.
the class MockStsOperationsImpl method assumeRole.
@Override
public AssumeRoleResult assumeRole(AWSSecurityTokenServiceClient awsSecurityTokenServiceClient, AssumeRoleRequest assumeRoleRequest) {
assertNotNull(assumeRoleRequest);
if (assumeRoleRequest.getPolicy() != null && assumeRoleRequest.getPolicy().equals(MockAwsOperationsHelper.AMAZON_THROTTLING_EXCEPTION)) {
AmazonServiceException throttlingException = new AmazonServiceException("test throttling exception");
throttlingException.setErrorCode("ThrottlingException");
throw throttlingException;
}
AssumeRoleResult assumeRoleResult = new AssumeRoleResult();
assumeRoleResult.setCredentials(new Credentials(MOCK_AWS_ASSUMED_ROLE_ACCESS_KEY, MOCK_AWS_ASSUMED_ROLE_SECRET_KEY, MOCK_AWS_ASSUMED_ROLE_SESSION_TOKEN, new Date(System.currentTimeMillis() + 1000 * assumeRoleRequest.getDurationSeconds())));
return assumeRoleResult;
}
Also used :
AmazonServiceException(com.amazonaws.AmazonServiceException)
AssumeRoleResult(com.amazonaws.services.securitytoken.model.AssumeRoleResult)
Credentials(com.amazonaws.services.securitytoken.model.Credentials)
Date(java.util.Date)
Example 3 with AssumeRoleResult
use of com.amazonaws.services.securitytoken.model.AssumeRoleResult in project herd by FINRAOS.
the class StsDaoTest method testGetTemporarySecurityCredentialsMissingOptionalParameters.
@Test
public void testGetTemporarySecurityCredentialsMissingOptionalParameters() {
// Create an AWS parameters DTO without proxy settings.
AwsParamsDto awsParamsDto = new AwsParamsDto();
// Specify the duration, in seconds, of the role session.
int awsRoleDurationSeconds = INTEGER_VALUE;
// Create a retry policy.
RetryPolicy retryPolicy = new RetryPolicy(PredefinedRetryPolicies.DEFAULT_RETRY_CONDITION, PredefinedRetryPolicies.DEFAULT_BACKOFF_STRATEGY, INTEGER_VALUE, true);
// Create the expected assume role request.
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withRoleArn(AWS_ROLE_ARN).withRoleSessionName(SESSION_NAME).withDurationSeconds(awsRoleDurationSeconds);
// Create AWS credentials for API authentication.
Credentials credentials = new Credentials();
credentials.setAccessKeyId(AWS_ASSUMED_ROLE_ACCESS_KEY);
credentials.setSecretAccessKey(AWS_ASSUMED_ROLE_SECRET_KEY);
credentials.setSessionToken(AWS_ASSUMED_ROLE_SESSION_TOKEN);
// Create an assume role result.
AssumeRoleResult assumeRoleResult = new AssumeRoleResult();
assumeRoleResult.setCredentials(credentials);
// Mock the external calls.
when(retryPolicyFactory.getRetryPolicy()).thenReturn(retryPolicy);
when(stsOperations.assumeRole(any(AWSSecurityTokenServiceClient.class), eq(assumeRoleRequest))).thenReturn(assumeRoleResult);
// Call the method under test. Please note that we do not specify an IAM policy.
Credentials result = stsDaoImpl.getTemporarySecurityCredentials(awsParamsDto, SESSION_NAME, AWS_ROLE_ARN, awsRoleDurationSeconds, null);
// Verify the external calls.
verify(retryPolicyFactory).getRetryPolicy();
verify(stsOperations).assumeRole(any(AWSSecurityTokenServiceClient.class), eq(assumeRoleRequest));
verifyNoMoreInteractionsHelper();
// Validate the returned object.
assertEquals(credentials, result);
}
Also used :
AssumeRoleRequest(com.amazonaws.services.securitytoken.model.AssumeRoleRequest)
AwsParamsDto(org.finra.herd.model.dto.AwsParamsDto)
AWSSecurityTokenServiceClient(com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient)
AssumeRoleResult(com.amazonaws.services.securitytoken.model.AssumeRoleResult)
RetryPolicy(com.amazonaws.retry.RetryPolicy)
Credentials(com.amazonaws.services.securitytoken.model.Credentials)
Test(org.junit.Test)
Example 4 with AssumeRoleResult
use of com.amazonaws.services.securitytoken.model.AssumeRoleResult in project herd by FINRAOS.
the class StsDaoImpl method getTemporarySecurityCredentials.
/**
* Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) that can be used to access
* the specified AWS resource.
*
* @param sessionName the session name that will be associated with the temporary credentials. The session name must be the same for an initial set of
* credentials and an extended set of credentials if credentials are to be refreshed. The session name also is used to identify the user in AWS logs so it
* should be something unique and useful to identify the caller/use.
* @param awsRoleArn the AWS ARN for the role required to provide access to the specified AWS resource
* @param awsRoleDurationSeconds the duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour).
* @param policy the temporary policy to apply to this request
*
* @return the assumed session credentials
*/
@Override
public Credentials getTemporarySecurityCredentials(AwsParamsDto awsParamsDto, String sessionName, String awsRoleArn, int awsRoleDurationSeconds, Policy policy) {
// Construct a new AWS security token service client using the specified client configuration to access Amazon S3.
// A credentials provider chain will be used that searches for credentials in this order:
// - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
// - Java System Properties - aws.accessKeyId and aws.secretKey
// - Instance Profile Credentials - delivered through the Amazon EC2 metadata service
ClientConfiguration clientConfiguration = new ClientConfiguration().withRetryPolicy(retryPolicyFactory.getRetryPolicy());
// Only set the proxy hostname and/or port if they're configured.
if (StringUtils.isNotBlank(awsParamsDto.getHttpProxyHost())) {
clientConfiguration.setProxyHost(awsParamsDto.getHttpProxyHost());
}
if (awsParamsDto.getHttpProxyPort() != null) {
clientConfiguration.setProxyPort(awsParamsDto.getHttpProxyPort());
}
AWSSecurityTokenServiceClient awsSecurityTokenServiceClient = new AWSSecurityTokenServiceClient(clientConfiguration);
// Create the request.
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
assumeRoleRequest.setRoleSessionName(sessionName);
assumeRoleRequest.setRoleArn(awsRoleArn);
assumeRoleRequest.setDurationSeconds(awsRoleDurationSeconds);
if (policy != null) {
assumeRoleRequest.setPolicy(policy.toJson());
}
// Get the temporary security credentials.
AssumeRoleResult assumeRoleResult = stsOperations.assumeRole(awsSecurityTokenServiceClient, assumeRoleRequest);
return assumeRoleResult.getCredentials();
}
Also used :
AssumeRoleRequest(com.amazonaws.services.securitytoken.model.AssumeRoleRequest)
AWSSecurityTokenServiceClient(com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient)
AssumeRoleResult(com.amazonaws.services.securitytoken.model.AssumeRoleResult)
ClientConfiguration(com.amazonaws.ClientConfiguration)
Example 5 with AssumeRoleResult
use of com.amazonaws.services.securitytoken.model.AssumeRoleResult in project photon-model by vmware.
the class AWSUtils method getArnSessionCredentialsAsync.
/**
* Authenticates and returns a DeferredResult set of session credentials for a valid ARN that
* authorizes this system's account ID (validated through
* {@link #AWS_MASTER_ACCOUNT_ACCESS_KEY_PROPERTY} and
* {@link #AWS_MASTER_ACCOUNT_SECRET_KEY_PROPERTY}) and the externalId parameter.
*
* If the system properties are unset, then this call will automatically fail.
*
* @param arn The Amazon Resource Name to validate.
* @param externalId The external ID this ARN has authorized.
* @param region The region to validate within.
* @param executorService The executor service to issue the request.
*/
public static DeferredResult<Credentials> getArnSessionCredentialsAsync(String arn, String externalId, String region, ExecutorService executorService) {
AWSCredentialsProvider serviceAwsCredentials;
try {
serviceAwsCredentials = new AWSStaticCredentialsProvider(new BasicAWSCredentials(AWS_MASTER_ACCOUNT_ACCESS_KEY, AWS_MASTER_ACCOUNT_SECRET_KEY));
} catch (Throwable t) {
return DeferredResult.failed(t);
}
AWSSecurityTokenServiceAsync awsSecurityTokenServiceAsync = AWSSecurityTokenServiceAsyncClientBuilder.standard().withRegion(region).withCredentials(serviceAwsCredentials).withExecutorFactory(() -> executorService).build();
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withRoleArn(arn).withRoleSessionName(UUID.randomUUID().toString()).withDurationSeconds(getArnSessionDurationSeconds()).withExternalId(externalId);
DeferredResult<AssumeRoleResult> r = new DeferredResult<>();
OperationContext operationContext = OperationContext.getOperationContext();
awsSecurityTokenServiceAsync.assumeRoleAsync(assumeRoleRequest, new AsyncHandler<AssumeRoleRequest, AssumeRoleResult>() {
@Override
public void onSuccess(AssumeRoleRequest request, AssumeRoleResult result) {
OperationContext.restoreOperationContext(operationContext);
r.complete(result);
}
@Override
public void onError(Exception ex) {
OperationContext.restoreOperationContext(operationContext);
r.fail(ex);
}
});
return r.thenApply(AssumeRoleResult::getCredentials);
}
Also used :
OperationContext(com.vmware.xenon.common.OperationContext)
AssumeRoleRequest(com.amazonaws.services.securitytoken.model.AssumeRoleRequest)
AWSSecurityTokenServiceAsync(com.amazonaws.services.securitytoken.AWSSecurityTokenServiceAsync)
AssumeRoleResult(com.amazonaws.services.securitytoken.model.AssumeRoleResult)
BasicAWSCredentials(com.amazonaws.auth.BasicAWSCredentials)
AWSSecurityTokenServiceException(com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException)
AmazonServiceException(com.amazonaws.AmazonServiceException)
AmazonClientException(com.amazonaws.AmazonClientException)
AmazonEC2Exception(com.amazonaws.services.ec2.model.AmazonEC2Exception)
AWSStaticCredentialsProvider(com.amazonaws.auth.AWSStaticCredentialsProvider)
AWSCredentialsProvider(com.amazonaws.auth.AWSCredentialsProvider)
DeferredResult(com.vmware.xenon.common.DeferredResult)
Aggregations
AssumeRoleResult (com.amazonaws.services.securitytoken.model.AssumeRoleResult)15
AssumeRoleRequest (com.amazonaws.services.securitytoken.model.AssumeRoleRequest)12
Credentials (com.amazonaws.services.securitytoken.model.Credentials)8
AWSSecurityTokenServiceClient (com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient)7
BasicSessionCredentials (com.amazonaws.auth.BasicSessionCredentials)6
AmazonServiceException (com.amazonaws.AmazonServiceException)3
AWSStaticCredentialsProvider (com.amazonaws.auth.AWSStaticCredentialsProvider)2
RetryPolicy (com.amazonaws.retry.RetryPolicy)2
AWSSecurityTokenService (com.amazonaws.services.securitytoken.AWSSecurityTokenService)2
AWSTemporaryCredentials (com.yahoo.athenz.zts.AWSTemporaryCredentials)2
Date (java.util.Date)2
AwsParamsDto (org.finra.herd.model.dto.AwsParamsDto)2
Test (org.junit.Test)2
AmazonClientException (com.amazonaws.AmazonClientException)1
ClientConfiguration (com.amazonaws.ClientConfiguration)1
SdkClientException (com.amazonaws.SdkClientException)1
AWSCredentials (com.amazonaws.auth.AWSCredentials)1
AWSCredentialsProvider (com.amazonaws.auth.AWSCredentialsProvider)1
AWSSessionCredentials (com.amazonaws.auth.AWSSessionCredentials)1
BasicAWSCredentials (com.amazonaws.auth.BasicAWSCredentials)1
