Java Code Examples for com.amazonaws.services.securitytoken.model.AssumeRoleResult#getCredentials()
The following examples show how to use
com.amazonaws.services.securitytoken.model.AssumeRoleResult#getCredentials() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: AssumedRole.java From pipeline-aws-plugin with Apache License 2.0 | 6 votes |
|
private AssumedRole assumeRole(final AWSSecurityTokenService sts) {
final AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withRoleArn(this.roleArn)
.withRoleSessionName(this.sessionName)
.withDurationSeconds(this.durationInSeconds);
Optional.ofNullable(this.externalId).ifPresent(assumeRoleRequest::setExternalId);
Optional.ofNullable(this.policy).ifPresent(assumeRoleRequest::withPolicy);
AssumeRoleResult assumeRoleResult = sts.assumeRole(assumeRoleRequest);
return new AssumedRole(assumeRoleResult.getCredentials(), assumeRoleResult.getAssumedRoleUser());
}
Example 2
| Source File: CodeBuildBaseCredentials.java From aws-codebuild-jenkins-plugin with Apache License 2.0 | 6 votes |
|
@Override
public void refresh() {
if (!iamRoleArn.isEmpty()) {
if (!haveCredentialsExpired()) {
return;
}
AWSCredentialsProvider credentialsProvider = getBasicCredentialsOrDefaultChain(accessKey, secretKey);
AWSCredentials credentials = credentialsProvider.getCredentials();
AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
.withRoleArn(iamRoleArn)
.withExternalId(externalId)
.withDurationSeconds(3600)
.withRoleSessionName(ROLE_SESSION_NAME);
AssumeRoleResult assumeResult = new AWSSecurityTokenServiceClient(credentials).assumeRole(assumeRequest);
roleCredentials = assumeResult.getCredentials();
}
}
Example 3
| Source File: StsDaoImpl.java From herd with Apache License 2.0 | 6 votes |
|
/**
* Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) that can be used to access
* the specified AWS resource.
*
* @param sessionName the session name that will be associated with the temporary credentials. The session name must be the same for an initial set of
* credentials and an extended set of credentials if credentials are to be refreshed. The session name also is used to identify the user in AWS logs so it
* should be something unique and useful to identify the caller/use.
* @param awsRoleArn the AWS ARN for the role required to provide access to the specified AWS resource
* @param awsRoleDurationSeconds the duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour).
* @param policy the temporary policy to apply to this request
*
* @return the assumed session credentials
*/
@Override
public Credentials getTemporarySecurityCredentials(AwsParamsDto awsParamsDto, String sessionName, String awsRoleArn, int awsRoleDurationSeconds,
Policy policy)
{
// Construct a new AWS security token service client using the specified client configuration to access Amazon S3.
// A credentials provider chain will be used that searches for credentials in this order:
// - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
// - Java System Properties - aws.accessKeyId and aws.secretKey
// - Instance Profile Credentials - delivered through the Amazon EC2 metadata service
ClientConfiguration clientConfiguration = new ClientConfiguration().withRetryPolicy(retryPolicyFactory.getRetryPolicy());
// Only set the proxy hostname and/or port if they're configured.
if (StringUtils.isNotBlank(awsParamsDto.getHttpProxyHost()))
{
clientConfiguration.setProxyHost(awsParamsDto.getHttpProxyHost());
}
if (awsParamsDto.getHttpProxyPort() != null)
{
clientConfiguration.setProxyPort(awsParamsDto.getHttpProxyPort());
}
AWSSecurityTokenServiceClient awsSecurityTokenServiceClient = new AWSSecurityTokenServiceClient(clientConfiguration);
// Create the request.
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
assumeRoleRequest.setRoleSessionName(sessionName);
assumeRoleRequest.setRoleArn(awsRoleArn);
assumeRoleRequest.setDurationSeconds(awsRoleDurationSeconds);
if (policy != null)
{
assumeRoleRequest.setPolicy(policy.toJson());
}
// Get the temporary security credentials.
AssumeRoleResult assumeRoleResult = stsOperations.assumeRole(awsSecurityTokenServiceClient, assumeRoleRequest);
return assumeRoleResult.getCredentials();
}
Example 4
| Source File: AWSClients.java From aws-codedeploy-plugin with Apache License 2.0 | 6 votes |
|
private static AWSCredentials getCredentials(String iamRole, String externalId) {
if (isEmpty(iamRole)) return null;
AWSSecurityTokenServiceClient sts = new AWSSecurityTokenServiceClient();
int credsDuration = (int) (AWSCodeDeployPublisher.DEFAULT_TIMEOUT_SECONDS
* AWSCodeDeployPublisher.DEFAULT_POLLING_FREQUENCY_SECONDS);
if (credsDuration > 3600) {
credsDuration = 3600;
}
AssumeRoleResult assumeRoleResult = sts.assumeRole(new AssumeRoleRequest()
.withRoleArn(iamRole)
.withExternalId(externalId)
.withDurationSeconds(credsDuration)
.withRoleSessionName(AWSCodeDeployPublisher.ROLE_SESSION_NAME)
);
Credentials stsCredentials = assumeRoleResult.getCredentials();
BasicSessionCredentials credentials = new BasicSessionCredentials(
stsCredentials.getAccessKeyId(),
stsCredentials.getSecretAccessKey(),
stsCredentials.getSessionToken()
);
return credentials;
}
Example 5
| Source File: AwsSessionCredentialClient.java From cloudbreak with Apache License 2.0 | 6 votes |
|
public AwsSessionCredentials retrieveSessionCredentials(AwsCredentialView awsCredential) {
String externalId = awsCredential.getExternalId();
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
.withDurationSeconds(DEFAULT_SESSION_CREDENTIALS_DURATION)
.withExternalId(StringUtils.isEmpty(externalId) ? deprecatedExternalId : externalId)
.withRoleArn(awsCredential.getRoleArn())
.withRoleSessionName(roleSessionName);
LOGGER.debug("Trying to assume role with role arn {}", awsCredential.getRoleArn());
try {
AssumeRoleResult result = awsSecurityTokenServiceClient(awsCredential).assumeRole(assumeRoleRequest);
Credentials credentialsResponse = result.getCredentials();
String formattedExpirationDate = "";
Date expirationTime = credentialsResponse.getExpiration();
if (expirationTime != null) {
formattedExpirationDate = new StdDateFormat().format(expirationTime);
}
LOGGER.debug("Assume role result credential: role arn: {}, expiration date: {}",
awsCredential.getRoleArn(), formattedExpirationDate);
return new AwsSessionCredentials(
credentialsResponse.getAccessKeyId(),
credentialsResponse.getSecretAccessKey(),
credentialsResponse.getSessionToken(),
credentialsResponse.getExpiration());
} catch (SdkClientException e) {
LOGGER.error("Unable to assume role. Check exception for details.", e);
throw e;
}
}
Example 6
| Source File: ProfileCredentialProvider.java From strongbox with Apache License 2.0 | 5 votes |
|
/**
* Resolve AWS credentials based on MFA/Assume role
*
* We will assume that if mfa_serial is defined, then role_arn and source_profile also has to be specified.
*
* Please note that Strongbox differ from the AWS CLI in the following:
* AWS CLI: 'Note that configuration variables for using IAM roles can only be in the AWS CLI config file.'
* Strongbox: '--assume-role' can be specified explicitly
*
* https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles
*/
private AWSCredentials assumeRole(ClientConfiguration clientConfiguration,
ConfigProviderChain configProvider,
ProfileIdentifier profile,
RoleARN roleToAssume) {
Optional<ProfileIdentifier> sourceProfile = configProvider.getSourceProfile(profile);
if (!sourceProfile.isPresent()) {
throw new IllegalStateException(String.format("'%s' must be specified when using '%s' for profile '%s'",
AWSConfigPropertyKey.SOURCE_PROFILE,
AWSConfigPropertyKey.ROLE_ARN,
profile.name));
}
SessionCache sessionCache = new SessionCache(profile, roleToAssume);
Optional<BasicSessionCredentials> cachedCredentials = sessionCache.load();
if (cachedCredentials.isPresent()) {
return cachedCredentials.get();
} else {
AWSCredentialsProvider staticCredentialsProvider = new AWSStaticCredentialsProvider(getStaticCredentials(configProvider, sourceProfile.get()));
AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
.withCredentials(staticCredentialsProvider)
.withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration))
.withRegion(RegionResolver.getRegion())
.build();
String sessionId = String.format("strongbox-cli-session-%s", ZonedDateTime.now().toEpochSecond());
AssumeRoleRequest request = new AssumeRoleRequest();
request.withRoleArn(roleToAssume.toArn())
.withRoleSessionName(sessionId);
Optional<String> mfaSerial = configProvider.getMFASerial(profile);
if (mfaSerial.isPresent()) {
MFAToken mfaToken = mfaTokenSupplier.get();
request.withSerialNumber(mfaSerial.get())
.withTokenCode(mfaToken.value);
}
AssumeRoleResult result = client.assumeRole(request);
Credentials credentials = result.getCredentials();
BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());
sessionCache.save(result.getAssumedRoleUser(),
basicSessionCredentials,
ZonedDateTime.ofInstant(credentials.getExpiration().toInstant(), ZoneId.of("UTC")));
return basicSessionCredentials;
}
}
Example 7
| Source File: AWSSessionCredentialsFactory.java From digdag with Apache License 2.0 | 5 votes |
|
public BasicSessionCredentials get()
{
AWSCredentials baseCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);
List<Statement> statements = new ArrayList<>();
acceptableUris.forEach(acceptableUri -> {
Mode mode = acceptableUri.mode;
String uri = acceptableUri.uri;
if (uri.startsWith(URI_S3_PREFIX)) {
String s3BucketAndKeyStr = uri.substring(URI_S3_PREFIX.length());
String[] s3BucketAndKey = s3BucketAndKeyStr.split("/", 2);
statements.add(new Statement(Statement.Effect.Allow)
.withActions(S3Actions.ListObjects)
.withResources(new Resource("arn:aws:s3:::" + s3BucketAndKey[0])));
switch (mode) {
case READ:
statements.add(new Statement(Statement.Effect.Allow)
.withActions(S3Actions.GetObject)
.withResources(new Resource("arn:aws:s3:::" + s3BucketAndKeyStr + "*")));
break;
case WRITE:
statements.add(new Statement(Statement.Effect.Allow)
.withActions(S3Actions.PutObject)
.withResources(new Resource("arn:aws:s3:::" + s3BucketAndKeyStr + "*")));
break;
}
}
else if (uri.startsWith(URI_DYNAMODB_PREFIX)) {
String table = uri.substring(URI_DYNAMODB_PREFIX.length());
statements.add(new Statement(Statement.Effect.Allow)
.withActions(DynamoDBv2Actions.DescribeTable)
.withResources(new Resource(String.format("arn:aws:dynamodb:*:*:table/%s", table))));
switch (mode) {
case READ:
statements.add(new Statement(Statement.Effect.Allow)
.withActions(DynamoDBv2Actions.Scan)
.withResources(new Resource(String.format("arn:aws:dynamodb:*:*:table/%s", table))));
break;
case WRITE:
break;
}
}
else if (uri.startsWith(URI_EMR_PREFIX)) {
String cluster = uri.substring(URI_EMR_PREFIX.length());
// TODO: Grant minimum actions
statements.add(new Statement(Statement.Effect.Allow)
.withActions(ElasticMapReduceActions.AllElasticMapReduceActions)
.withResources(new Resource(String.format("arn:aws:elasticmapreduce:*:*:cluster/%s", cluster))));
}
else {
throw new IllegalArgumentException("Unexpected `uri`. uri=" + uri);
}
}
);
Policy policy = new Policy();
policy.setStatements(statements);
Credentials credentials;
AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(baseCredentials);
if (roleArn != null && !roleArn.isEmpty()) {
// use STS to assume role
AssumeRoleResult assumeResult = stsClient.assumeRole(new AssumeRoleRequest()
.withRoleArn(roleArn)
.withDurationSeconds(durationSeconds)
.withRoleSessionName(sessionName)
.withPolicy(policy.toJson()));
credentials = assumeResult.getCredentials();
}
else {
// Maybe we'd better add an option command later like `without_federated_token`
GetFederationTokenRequest federationTokenRequest = new GetFederationTokenRequest()
.withDurationSeconds(durationSeconds)
.withName(sessionName)
.withPolicy(policy.toJson());
GetFederationTokenResult federationTokenResult =
stsClient.getFederationToken(federationTokenRequest);
credentials = federationTokenResult.getCredentials();
}
return new BasicSessionCredentials(
credentials.getAccessKeyId(),
credentials.getSecretAccessKey(),
credentials.getSessionToken());
}
