Example 1 with GetCallerIdentityRequest
use of com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest in project athenz by yahoo.
the class InstanceAWSProvider method verifyInstanceIdentity.
boolean verifyInstanceIdentity(AWSAttestationData info, final String awsAccount) {
GetCallerIdentityRequest req = new GetCallerIdentityRequest();
try {
AWSSecurityTokenService client = getInstanceClient(info);
if (client == null) {
LOGGER.error("verifyInstanceIdentity - unable to get AWS STS client object");
return false;
}
GetCallerIdentityResult res = client.getCallerIdentity(req);
if (res == null) {
LOGGER.error("verifyInstanceIdentity - unable to get caller identity");
return false;
}
String arn = "arn:aws:sts::" + awsAccount + ":assumed-role/" + info.getRole() + "/";
if (!res.getArn().startsWith(arn)) {
LOGGER.error("verifyInstanceIdentity - ARN mismatch - request: {} caller-idenity: {}", arn, res.getArn());
return false;
}
return true;
} catch (Exception ex) {
LOGGER.error("CloudStore: verifyInstanceIdentity - unable get caller identity: {}", ex.getMessage());
return false;
}
}
Also used :
GetCallerIdentityRequest(com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest)
AWSSecurityTokenService(com.amazonaws.services.securitytoken.AWSSecurityTokenService)
GetCallerIdentityResult(com.amazonaws.services.securitytoken.model.GetCallerIdentityResult)
CryptoException(com.yahoo.athenz.auth.util.CryptoException)
ResourceException(com.yahoo.athenz.instance.provider.ResourceException)
Aggregations
AWSSecurityTokenService (com.amazonaws.services.securitytoken.AWSSecurityTokenService)1
GetCallerIdentityRequest (com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest)1
GetCallerIdentityResult (com.amazonaws.services.securitytoken.model.GetCallerIdentityResult)1
CryptoException (com.yahoo.athenz.auth.util.CryptoException)1
ResourceException (com.yahoo.athenz.instance.provider.ResourceException)1
