com.amazonaws.services.securitytoken.model.GetFederationTokenResult Java Examples

The following examples show how to use com.amazonaws.services.securitytoken.model.GetFederationTokenResult. Each example links to its original project and source file; related API usage is listed in the sidebar.
Example #1
Source File: WithAWSStep.java    From pipeline-aws-plugin with Apache License 2.0
/**
 * Exchanges the build's AWS credentials for federated-user credentials and exports them
 * into {@code localEnv} (and from there into the step's environment).
 *
 * @param localEnv environment to receive AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN
 */
private void withFederatedUserId(@Nonnull EnvVars localEnv) {
	// Nothing to do unless the step names a federated user.
	String federatedUserId = this.step.getFederatedUserId();
	if (StringUtils.isNullOrEmpty(federatedUserId)) {
		return;
	}

	AWSSecurityTokenService sts = AWSClientFactory.create(AWSSecurityTokenServiceClientBuilder.standard(), this.envVars);

	// GetFederationToken credentials carry the intersection of the calling identity's
	// permissions and the passed policy. ALLOW_ALL_POLICY (presumably an allow-all
	// document; its text is defined elsewhere) therefore hands the federated user
	// everything the caller itself may do; narrow it where a build needs less.
	GetFederationTokenRequest request = new GetFederationTokenRequest();
	request.setDurationSeconds(this.step.getDuration());
	request.setName(federatedUserId);
	request.setPolicy(ALLOW_ALL_POLICY);

	Credentials credentials = sts.getFederationToken(request).getCredentials();

	// Secret key and session token are secrets: they go into the environment only,
	// never into the build log.
	localEnv.override(AWSClientFactory.AWS_ACCESS_KEY_ID, credentials.getAccessKeyId());
	localEnv.override(AWSClientFactory.AWS_SECRET_ACCESS_KEY, credentials.getSecretAccessKey());
	localEnv.override(AWSClientFactory.AWS_SESSION_TOKEN, credentials.getSessionToken());
	this.envVars.overrideAll(localEnv);
}
 
Example #2
Source File: AWSSessionCredentialsFactory.java    From digdag with Apache License 2.0
/**
 * Returns temporary session credentials limited to the configured acceptable URIs.
 * With a role ARN the base credentials are used to AssumeRole; otherwise a
 * GetFederationToken call is made. In both cases the generated policy can only
 * narrow the permissions of the base identity (or role), never widen them.
 *
 * @throws IllegalArgumentException if an acceptable URI has an unknown scheme
 */
public BasicSessionCredentials get()
{
    AWSCredentials baseCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);

    Policy policy = buildScopeDownPolicy();

    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(baseCredentials);

    Credentials credentials = hasRoleArn()
            ? assumeRoleCredentials(stsClient, policy)
            : federationTokenCredentials(stsClient, policy);

    return new BasicSessionCredentials(
            credentials.getAccessKeyId(),
            credentials.getSecretAccessKey(),
            credentials.getSessionToken());
}

// True when a role ARN is configured, i.e. AssumeRole is used instead of GetFederationToken.
private boolean hasRoleArn()
{
    return roleArn != null && !roleArn.isEmpty();
}

// Builds the scope-down policy: one group of Allow statements per acceptable URI.
private Policy buildScopeDownPolicy()
{
    List<Statement> statements = new ArrayList<>();
    acceptableUris.forEach(acceptableUri ->
            addStatementsFor(statements, acceptableUri.uri, acceptableUri.mode));
    Policy policy = new Policy();
    policy.setStatements(statements);
    return policy;
}

// Appends the Allow statements for a single URI. The URI body (bucket/key, table or
// cluster name) is spliced into the ARN as-is, so a wildcard in it widens the matched
// resources -- still bounded by what the base credentials may do.
private void addStatementsFor(List<Statement> statements, String uri, Mode mode)
{
    if (uri.startsWith(URI_S3_PREFIX)) {
        String bucketAndKey = uri.substring(URI_S3_PREFIX.length());
        String bucket = bucketAndKey.split("/", 2)[0];
        String objectArnPattern = "arn:aws:s3:::" + bucketAndKey + "*";
        // Listing the bucket is granted regardless of mode.
        statements.add(new Statement(Statement.Effect.Allow)
                .withActions(S3Actions.ListObjects)
                .withResources(new Resource("arn:aws:s3:::" + bucket)));
        switch (mode) {
            case READ:
                statements.add(new Statement(Statement.Effect.Allow)
                        .withActions(S3Actions.GetObject)
                        .withResources(new Resource(objectArnPattern)));
                break;
            case WRITE:
                statements.add(new Statement(Statement.Effect.Allow)
                        .withActions(S3Actions.PutObject)
                        .withResources(new Resource(objectArnPattern)));
                break;
        }
    }
    else if (uri.startsWith(URI_DYNAMODB_PREFIX)) {
        String tableArn = String.format("arn:aws:dynamodb:*:*:table/%s",
                uri.substring(URI_DYNAMODB_PREFIX.length()));
        statements.add(new Statement(Statement.Effect.Allow)
                .withActions(DynamoDBv2Actions.DescribeTable)
                .withResources(new Resource(tableArn)));
        switch (mode) {
            case READ:
                statements.add(new Statement(Statement.Effect.Allow)
                        .withActions(DynamoDBv2Actions.Scan)
                        .withResources(new Resource(tableArn)));
                break;
            case WRITE:
                // No DynamoDB write actions are granted for WRITE mode.
                break;
        }
    }
    else if (uri.startsWith(URI_EMR_PREFIX)) {
        String clusterArn = String.format("arn:aws:elasticmapreduce:*:*:cluster/%s",
                uri.substring(URI_EMR_PREFIX.length()));
        // TODO: Grant minimum actions -- AllElasticMapReduceActions is far broader than needed.
        statements.add(new Statement(Statement.Effect.Allow)
                .withActions(ElasticMapReduceActions.AllElasticMapReduceActions)
                .withResources(new Resource(clusterArn)));
    }
    else {
        throw new IllegalArgumentException("Unexpected `uri`. uri=" + uri);
    }
}

// Uses STS AssumeRole; the policy further restricts the role's own permissions.
private Credentials assumeRoleCredentials(AWSSecurityTokenServiceClient stsClient, Policy policy)
{
    AssumeRoleRequest request = new AssumeRoleRequest()
            .withRoleArn(roleArn)
            .withDurationSeconds(durationSeconds)
            .withRoleSessionName(sessionName)
            .withPolicy(policy.toJson());
    return stsClient.assumeRole(request).getCredentials();
}

// Uses STS GetFederationToken; the policy restricts the base user's permissions.
private Credentials federationTokenCredentials(AWSSecurityTokenServiceClient stsClient, Policy policy)
{
    // Maybe we'd better add an option command later like `without_federated_token`
    GetFederationTokenRequest request = new GetFederationTokenRequest()
            .withDurationSeconds(durationSeconds)
            .withName(sessionName)
            .withPolicy(policy.toJson());
    return stsClient.getFederationToken(request).getCredentials();
}
 
Example #3
Source File: ConstructUrlFederatedUsers.java    From aws-doc-sdk-examples with Apache License 2.0
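/**
 * Obtains federated temporary credentials with STS GetFederationToken and builds an
 * AWS Management Console sign-in URL for them.
 *
 * The session JSON and the final login URL both carry bearer secrets (secret access
 * key, session token, sign-in token); hand them to the user over a protected channel
 * and keep them out of logs.
 *
 * @param args unused
 * @throws IOException if the credentials file cannot be read, a URL cannot be built or
 *         encoded, or the federation endpoint returns an error or an empty body
 */
public static void main(String[] args) throws IOException {

    /* Calls to AWS STS API operations must be signed using the access key ID
       and secret access key of an IAM user or using existing temporary
       credentials. The credentials should not be embedded in code. For
       this example, the code looks for the credentials in a
       standard configuration file.
    */
    AWSCredentials credentials =
      new PropertiesCredentials(
             AwsConsoleApp.class.getResourceAsStream("AwsCredentials.properties"));

    AWSSecurityTokenServiceClient stsClient =
      new AWSSecurityTokenServiceClient(credentials);

    GetFederationTokenRequest getFederationTokenRequest =
      new GetFederationTokenRequest();
    getFederationTokenRequest.setDurationSeconds(1800);
    getFederationTokenRequest.setName("UserName");

    // A sample policy for accessing Amazon Simple Notification Service (Amazon SNS) in the console.
    // The federated credentials get the intersection of this policy and the calling
    // IAM user's permissions, so the policy can only narrow, never widen, access.
    String policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sns:*\"," +
      "\"Effect\":\"Allow\",\"Resource\":\"*\"}]}";

    getFederationTokenRequest.setPolicy(policy);

    GetFederationTokenResult federationTokenResult =
      stsClient.getFederationToken(getFederationTokenRequest);

    Credentials federatedCredentials = federationTokenResult.getCredentials();

    // The issuer parameter specifies your internal sign-in
    // page, for example https://mysignin.internal.mycompany.com/.
    // The console parameter specifies the URL to the destination console of the
    // AWS Management Console. This example goes to Amazon SNS.
    // The signin parameter is the URL to send the request to.

    String issuerURL = "https://mysignin.internal.mycompany.com/";
    String consoleURL = "https://console.aws.amazon.com/sns";
    String signInURL = "https://signin.aws.amazon.com/federation";

    // Create the sign-in token using temporary credentials,
    // including the access key ID,  secret access key, and security token.
    String sessionJson = String.format(
      "{\"%1$s\":\"%2$s\",\"%3$s\":\"%4$s\",\"%5$s\":\"%6$s\"}",
      "sessionId", federatedCredentials.getAccessKeyId(),
      "sessionKey", federatedCredentials.getSecretAccessKey(),
      "sessionToken", federatedCredentials.getSessionToken());

    // Construct the sign-in request with the request sign-in token action, a
    // 12-hour console session duration, and the JSON document with temporary
    // credentials as parameters.

    String getSigninTokenURL = signInURL +
                               "?Action=getSigninToken" +
                               "&DurationSeconds=43200" +
                               "&SessionType=json&Session=" +
                               URLEncoder.encode(sessionJson, "UTF-8");

    URL url = new URL(getSigninTokenURL);

    // Send the request to the AWS federation endpoint to get the sign-in token.
    // The reader is closed by try-with-resources; the charset is stated explicitly
    // so the response is not decoded with the platform default.
    URLConnection conn = url.openConnection();

    String returnContent;
    try (BufferedReader bufferReader = new BufferedReader(
          new InputStreamReader(conn.getInputStream(), "UTF-8"))) {
        returnContent = bufferReader.readLine();
    }
    // An empty body would otherwise surface as a NullPointerException from the JSON parser.
    if (returnContent == null) {
        throw new IOException("Empty response from " + signInURL);
    }

    String signinToken = new JSONObject(returnContent).getString("SigninToken");

    String signinTokenParameter = "&SigninToken=" + URLEncoder.encode(signinToken, "UTF-8");

    // The issuer parameter is optional, but recommended. Use it to direct users
    // to your sign-in page when their session expires.

    String issuerParameter = "&Issuer=" + URLEncoder.encode(issuerURL, "UTF-8");

    // Finally, present the completed URL for the AWS console session to the user
    // (for example via an HTTP redirect). The URL is itself a credential for the
    // console session: do not write it to logs or shared output.

    String destinationParameter = "&Destination=" + URLEncoder.encode(consoleURL, "UTF-8");
    String loginURL = signInURL + "?Action=login" +
                         signinTokenParameter + issuerParameter + destinationParameter;
}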