/** * Validates the configured IAM profile. * * @param configuration the configuration to be validated * @param accumulator the exception condition accumulator * @param localizationContext the localization context */ @VisibleForTesting void checkIamProfileName(Configured configuration, PluginExceptionConditionAccumulator accumulator, LocalizationContext localizationContext) { String iamProfileName = configuration.getConfigurationValue(IAM_PROFILE_NAME, localizationContext); if (iamProfileName != null) { AmazonIdentityManagementClient iamClient = provider.getIdentityManagementClient(); try { iamClient.getInstanceProfile(new GetInstanceProfileRequest() .withInstanceProfileName(iamProfileName)); } catch (NoSuchEntityException e) { addError(accumulator, IAM_PROFILE_NAME, localizationContext, null, INVALID_IAM_PROFILE_NAME_MSG, iamProfileName); } } }
GetCredentialReportResult getCredentialReportCSV(final String accountId) { final AmazonIdentityManagementClient client = getIAMClient(accountId); GenerateCredentialReportResult generationReport; int i = 0; do { Assert.state(i < MAX_RETRIES, "Maximum retries to generate credentials report exceeded"); log.debug("Poll credentials report for account {}", accountId); try { MILLISECONDS.sleep(RETRY_TIMEOUT_MILLIS * i); } catch (final InterruptedException e) { throw new RuntimeException("Could not pull credentials report", e); } generationReport = client.generateCredentialReport(); i++; } while (!COMPLETE.toString().equals(generationReport.getState())); return client.getCredentialReport(); }
@Before public void setUp() throws Exception { this.violationSinkMock = mock(ViolationSink.class); this.clientProviderMock = mock(ClientProvider.class); this.accountIdSupplierMock = mock(AccountIdSupplier.class); this.jobsPropertiesMock = mock(JobsProperties.class); this.mockAmazonIdentityManagementClient = mock(AmazonIdentityManagementClient.class); this.mockAwsApplications = mock(AwsApplications.class); mockListRolesResult = new ListRolesResult(); mockListRolesResult.setRoles(asList( createRole("aws-service-role", AWS_SERVICE_POLICY_DOCUMENT), createRole("cross-account-role", CROSS_ACCOUNT_POLICY_DOCUMENT), createRole("same-account-role", SAME_ACCOUNT_POLICY_DOCUMENT), createRole("deleted-role-reference-role", DELETED_ROLE_POLICY_DOCUMENT), createRole("management-account-role", MANAGEMENT_POLICY_DOCUMENT))); when(clientProviderMock.getClient(any(), any(String.class), any(Region.class))).thenReturn(mockAmazonIdentityManagementClient); }
/** * Sets the "instanceProfile" and "serviceRole" properties according to the * set parameters. */ public void execute() { checkParams(); AmazonIdentityManagementClient iamClient = getOrCreateClient(AmazonIdentityManagementClient.class); getProject() .setProperty( "instanceProfileArn", iamClient .getInstanceProfile( new GetInstanceProfileRequest() .withInstanceProfileName(instanceProfile)) .getInstanceProfile().getArn()); getProject() .setProperty( "serviceRoleArn", iamClient .getRole( new GetRoleRequest() .withRoleName(serviceRole)) .getRole().getArn()); }
public static void main(String... args) throws IOException { AWSCredentialsProvider credentials = CredentialsUtils.getAwsCredentials(); AmazonS3 storage = new AmazonS3Client(credentials); storage.setRegion(Region.getRegion(Regions.EU_WEST_1)); AmazonSQS queue = new AmazonSQSClient(credentials); queue.setRegion(Region.getRegion(Regions.EU_WEST_1)); AmazonEC2 machines = new AmazonEC2Client(credentials); machines.setRegion(Region.getRegion(Regions.EU_WEST_1)); AmazonIdentityManagement identityManagement = new AmazonIdentityManagementClient(credentials); identityManagement.setRegion(Region.getRegion(Regions.EU_WEST_1)); if ("launch".equals(args[0])) { setup(storage, queue, machines, identityManagement); manageAnswers(queue); } else if ("run".equals(args[0])) { run(storage, queue); } else { System.out.println("Huh hoh! Don't know what you intended to do..."); } }
private static String getAWSAccountID() { try { String accessKey = AWS_ACCESS_KEY_ID; String secretKey = AWS_SECRET_KEY; if (Utilities.isEmpty(accessKey) || Utilities.isEmpty(secretKey)) { return null; } AWSCredentials creds = new BasicAWSCredentials(accessKey, secretKey); AmazonIdentityManagementClient iam = new AmazonIdentityManagementClient(creds); return iam.getUser().getUser().getArn().split(":")[4]; } catch (AmazonClientException e) { throw new RuntimeException("Failed to get AWS account id", e); } }
@BeforeMethod public void setUp() { mockCredentials = mock(AWSCredentialsProvider.class); mockClient = mock(AmazonIdentityManagementClient.class); ClientConfiguration mockConfig = mock(ClientConfiguration.class); IAMPolicyManager policyManager = new IAMPolicyManager(mockClient, mockCredentials, mockConfig); // The mockito spy acts like original object but mocks out the getAccount() method. As the getAccount() calls // directly rather than via a client that we can pass in we need to mock this out using a spy. partiallyMockedPolicyManager = spy(policyManager); doReturn(ACCOUNT).when(partiallyMockedPolicyManager).getAccount(); // Set up KMSEncryptor for testing the policy creation methods. This gets a bit complicated but we need to // mock all the AWS dependencies from the KMSManager before using it to create the KMSEncryptor. The getAliasArn // needs to be mocked out with a spy to stop the call to getAccount. mockKMSClient = mock(AWSKMSClient.class); KMSManager kmsManager = new KMSManager(mockKMSClient, mockCredentials, mockConfig, group); KMSManager partiallyMockedKMSManager = spy(kmsManager); doReturn(KMS_ALIAS_ARN).when(partiallyMockedKMSManager).getAliasArn(); kmsEncryptor = new KMSEncryptor(partiallyMockedKMSManager, mockCredentials, mockConfig, group, mock(AwsCrypto.class), EncryptionStrength.AES_256); // Set up store for testing the policy creation methods. Mock out the getArn method with a spy to stop the // call to getAccount(). mockDynamoDBClient = mock(AmazonDynamoDBClient.class); DynamoDB store = new DynamoDB(mockDynamoDBClient, mockCredentials, mockConfig, group, new ReentrantReadWriteLock()); partiallyMockedStore = spy(store); doReturn(DYNAMODB_ARN).when(partiallyMockedStore).getArn(); }
/** * Method gets the aws accountId from the specified credentials. * * @param privateKeyId * @param privateKey * @return account ID */ private String getAccountId(String privateKeyId, String privateKey) { AWSCredentials awsCredentials = new BasicAWSCredentials(privateKeyId, privateKey); AWSStaticCredentialsProvider awsStaticCredentialsProvider = new AWSStaticCredentialsProvider( awsCredentials); AmazonIdentityManagementClientBuilder amazonIdentityManagementClientBuilder = AmazonIdentityManagementClientBuilder .standard() .withCredentials(awsStaticCredentialsProvider) .withRegion(Regions.DEFAULT_REGION); AmazonIdentityManagementClient iamClient = (AmazonIdentityManagementClient) amazonIdentityManagementClientBuilder .build(); String userId = null; try { if ((iamClient.getUser() != null) && (iamClient.getUser().getUser() != null) && (iamClient.getUser().getUser().getArn() != null)) { String arn = iamClient.getUser().getUser().getArn(); /* * arn:aws:service:region:account:resource -> so limiting the split to 6 words and * extracting the accountId which is 5th one in list. If the user is not authorized * to perform iam:GetUser on that resource,still error mesage will have accountId */ userId = arn.split(":", 6)[4]; } } catch (AmazonServiceException ex) { if (ex.getErrorCode().compareTo("AccessDenied") == 0) { String msg = ex.getMessage(); userId = msg.split(":", 7)[5]; } else { logSevere("Exception getting the accountId %s", ex); } } return userId; }
/** * Binds all the Amazon services used. */ @Override protected void configure() { final Region region = Region.getRegion(Regions.fromName(regionName)); bind(AmazonEC2.class).toInstance(createAmazonClientInstance(AmazonEC2Client.class, region)); bind(AmazonCloudFormation.class).toInstance(createAmazonClientInstance(AmazonCloudFormationClient.class, region)); bind(AmazonIdentityManagement.class).toInstance(createAmazonClientInstance(AmazonIdentityManagementClient.class, region)); bind(AWSKMS.class).toInstance(createAmazonClientInstance(AWSKMSClient.class, region)); bind(AmazonS3.class).toInstance(createAmazonClientInstance(AmazonS3Client.class, region)); bind(AmazonAutoScaling.class).toInstance(createAmazonClientInstance(AmazonAutoScalingClient.class, region)); bind(AWSSecurityTokenService.class).toInstance(createAmazonClientInstance(AWSSecurityTokenServiceClient.class, region)); bind(AWSLambda.class).toInstance(createAmazonClientInstance(AWSLambdaClient.class, region)); bind(AmazonSNS.class).toInstance(createAmazonClientInstance(AmazonSNSClient.class, region)); }
@Override public RolePolicies getRolePolicies(String roleName, Region region, String accountId) { final AmazonIdentityManagementClient iamClient = clientProvider .getClient(AmazonIdentityManagementClient.class, accountId, region); final Set<String> attachedPolicyNames = fetchAttachedPolicyNames(roleName, iamClient); final Set<String> inlinePolicyNames = fetchInlinePolicyNames(roleName, iamClient); // assuming that there is an inline policy with the same name as the role itself final String mainPolicy = inlinePolicyNames.contains(roleName) ? fetchMainPolicy(roleName, iamClient) : EMPTY_JSON; return new RolePolicies(attachedPolicyNames, inlinePolicyNames, mainPolicy); }
private String fetchMainPolicy(String roleName, AmazonIdentityManagementClient iamClient) { return Optional.of(new GetRolePolicyRequest().withRoleName(roleName).withPolicyName(roleName)) .map(iamClient::getRolePolicy) .map(GetRolePolicyResult::getPolicyDocument) .map(PolicyProviderImpl::urlDecode) .orElse(EMPTY_JSON); }
private Set<String> fetchInlinePolicyNames(String roleName, AmazonIdentityManagementClient iamClient) { return Optional.of(new ListRolePoliciesRequest().withRoleName(roleName)) .map(iamClient::listRolePolicies) .map(ListRolePoliciesResult::getPolicyNames) .map(nameList -> nameList.stream().collect(toSet())) .orElseGet(Collections::emptySet); }
private Set<String> fetchAttachedPolicyNames(String roleName, AmazonIdentityManagementClient iamClient) { return Optional.of(new ListAttachedRolePoliciesRequest().withRoleName(roleName)) .map(iamClient::listAttachedRolePolicies) .map(ListAttachedRolePoliciesResult::getAttachedPolicies) .map(attachedPolicies -> attachedPolicies.stream().map(AttachedPolicy::getPolicyName).collect(toSet())) .orElseGet(Collections::emptySet); }
/** * Read AWS account ID */ public void retrieveAccountIdFromAwsAPI() { String accountId = ""; try { AmazonIdentityManagementClient iamClient = new AmazonIdentityManagementClient(getCredentials()); LOG.info("Current AWS user: " + iamClient.getUser().getUser().getUserId()); accountId = iamClient.getUser().getUser().getArn(); } catch (AmazonServiceException e) { if (e.getErrorCode().compareTo("AccessDenied") == 0) { String arn = null; String msg = e.getMessage(); // User: // arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob // is not authorized to perform: iam:GetUser on // resource: // arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob // arn:aws:sts::123456789012:assumed-role/Shibboleth-PowerUser/username int arnIdx = msg.indexOf("arn:aws"); if (arnIdx != -1) { int arnSpace = msg.indexOf(" ", arnIdx); arn = msg.substring(arnIdx, arnSpace); // Remove "arn:aws:sts::" arn = arn.substring(13, 13 + 12); } accountId = arn; } if ((accountId == null) || (accountId.length() == 0)) { LOG.warn("Cannot lookup account id: " + e.getMessage()); } } catch (Exception ex) { LOG.error("Cannot lookup account id: " + ex.getMessage()); } setAccountId(accountId); }
/** * Via the default provider chain (i.e., global keys for this Jenkins instance), return the account ID for the * currently authenticated user. * @param proxyHost hostname of the proxy to use (if any) * @param proxyPort port of the proxy to use (if any) * @return 12-digit account id */ public static String getAccountId(String proxyHost, int proxyPort) { String arn = ""; try { ClientConfiguration clientCfg = new ClientConfiguration(); if (proxyHost != null && proxyPort > 0 ) { clientCfg.setProxyHost(proxyHost); clientCfg.setProxyPort(proxyPort); } AmazonIdentityManagementClient iam = new AmazonIdentityManagementClient(clientCfg); GetUserResult user = iam.getUser(); arn = user.getUser().getArn(); } catch (AmazonServiceException e) { if (e.getErrorCode().compareTo("AccessDenied") == 0) { String msg = e.getMessage(); int arnIdx = msg.indexOf("arn:aws"); if (arnIdx != -1) { int arnSpace = msg.indexOf(" ", arnIdx); arn = msg.substring(arnIdx, arnSpace); } } } String accountId = arn.split(":")[ARN_ACCOUNT_ID_INDEX]; return accountId; }
public void execute() { AmazonIdentityManagementClient iamClient = getOrCreateClient(AmazonIdentityManagementClient.class); iamClient.createInstanceProfile(new CreateInstanceProfileRequest() .withInstanceProfileName(instanceProfile)); iamClient .addRoleToInstanceProfile(new AddRoleToInstanceProfileRequest() .withRoleName(INSTANCEPROFILE_ROLE) .withInstanceProfileName(instanceProfile)); }
public void execute() { AmazonIdentityManagementClient iamClient = getOrCreateClient(AmazonIdentityManagementClient.class); iamClient .removeRoleFromInstanceProfile(new RemoveRoleFromInstanceProfileRequest() .withRoleName(INSTANCEPROFILE_ROLE) .withInstanceProfileName(instanceProfile)); iamClient.deleteInstanceProfile(new DeleteInstanceProfileRequest() .withInstanceProfileName(instanceProfile)); AmazonS3Client client = getOrCreateClient(AmazonS3Client.class); AWSTestUtils.emptyAndDeleteBucket(client, bucketName); }
AWSDatabase(final Map<String, AmazonEC2Client> ec2Clients, final Map<String, AmazonRDSClient> rdsClients, final Map<String, AmazonDynamoDBClient> dynamoClients, final Map<String, AmazonSQSClient> sqsClients, final Map<String, AmazonElastiCacheClient> elasticacheClients, final AmazonIdentityManagementClient iamClient) { this(ec2Clients, rdsClients, dynamoClients, sqsClients, elasticacheClients, iamClient, null); }
private AmazonIdentityManagement findClient(String accessKeyId, String secretAccessKey) { // TODO: need to config client config parameter. ignore it for now. AWSCredentials credential = new BasicAWSCredentials(accessKeyId, secretAccessKey); AmazonIdentityManagement iam = new AmazonIdentityManagementClient(credential); // iam.setEndpoint(Region.toIamEndpoint()); return iam; }
/** * @inheritDoc */ @Override public void createAgentInstanceProfile( String profileName, String controlRoleArn, Identity identity ) { AmazonIdentityManagement iam = ActivityUtils.createClient( AmazonIdentityManagementClient.class, identity ); // Create role if necessary String roleName = profileName + "-role"; Map<String, String> policyVariables = new HashMap<String, String>(); policyVariables.put( "CONTROLLER_ROLE_ARN", controlRoleArn ); Role role = ActivityUtils.createRole( roleName, iam, "datamung/agent-policy.json", policyVariables, "datamung/agent-trust.json", null ); // Create instance profile and associate role if necessary boolean roleAssociationRequired = true; try { iam.createInstanceProfile( new CreateInstanceProfileRequest().withInstanceProfileName( profileName ).withPath( role.getPath() ) ); } catch ( EntityAlreadyExistsException e ) { LOG.info( "Instance profile " + profileName + " already exists!" ); roleAssociationRequired = iam.getInstanceProfile( new GetInstanceProfileRequest().withInstanceProfileName( profileName ) ).getInstanceProfile().getRoles().isEmpty(); } if ( roleAssociationRequired ) { LOG.info( "Adding role " + roleName + " to instance profile " + profileName ); iam.addRoleToInstanceProfile( new AddRoleToInstanceProfileRequest().withInstanceProfileName( profileName ).withRoleName( roleName ) ); } }
/** * @inheritDoc */ @Override public void deleteInstanceProfile( String profileName, Identity identity ) { AmazonIdentityManagement iam = ActivityUtils.createClient( AmazonIdentityManagementClient.class, identity ); String roleName = profileName + "-role"; try { GetInstanceProfileResult profileResult = iam.getInstanceProfile( new GetInstanceProfileRequest().withInstanceProfileName( profileName ) ); if ( !profileResult.getInstanceProfile().getRoles().isEmpty() ) { iam.removeRoleFromInstanceProfile( new RemoveRoleFromInstanceProfileRequest().withInstanceProfileName( profileName ).withRoleName( roleName ) ); } iam.deleteInstanceProfile( new DeleteInstanceProfileRequest().withInstanceProfileName( profileName ) ); } catch ( NoSuchEntityException e ) { LOG.info( "Instance profile is already gone: " + profileName ); } ActivityUtils.deleteRole( roleName, iam ); }
/** * @inheritDoc */ @Override public String createAgentControllerRole( String roleName, String workflowTaskList, Identity identity ) { Map<String, String> policyVariables = new HashMap<String, String>(); policyVariables.put( "CONTROLLER_ACCOUNT_ID", accountId ); policyVariables.put( "SWF_DOMAIN", contextProvider.getActivityExecutionContext().getDomain() ); policyVariables.put( "TASK_LIST", workflowTaskList ); AmazonIdentityManagement clientIam = ActivityUtils.createClient( AmazonIdentityManagementClient.class, identity ); Map<String, String> trustVariables = new HashMap<String, String>(); trustVariables.put( "CLIENT_EXTERNAL_ID", AgentConfig.ROLE_EXTERNAL_ID ); trustVariables.put( "CLIENT_ACCOUNT_ID", ActivityUtils.getAccountId( clientIam ) ); Role role = ActivityUtils.createRole( roleName, serverIam, "datamung/agent-controller-policy.json", policyVariables, "datamung/agent-controller-trust.json", trustVariables ); return role.getArn(); }
@BeforeMethod public void setUp() { mockClient = mock(AmazonIdentityManagementClient.class); PrincipalAutoSuggestion principalAutoSuggestion = new PrincipalAutoSuggestion(mockClient); partiallyMockedPrincipalAutoSuggestion= spy(principalAutoSuggestion); }
/** * Default constructor. */ public IamUtilsImpl() { this.iamClient = new AmazonIdentityManagementClient(); }
public AmazonIdentityManagementClient getIdentityManagementClient() { return identityManagementClient; }
private AmazonIdentityManagementClient getIAMClient(final String accountId) { return clientProvider.getClient(AmazonIdentityManagementClient.class, accountId, Region.getRegion(EU_WEST_1)); }
public AmazonIdentityManagementClient getIdentityClient() { return identityClient; }
public void setIdentityClient(AmazonIdentityManagementClient identityClient) { this.identityClient = identityClient; }
@Override public AmazonIdentityManagement getClient() { AWSCredentials credentials = new Aws().getAwsCredentials(); return new AmazonIdentityManagementClient( credentials ); }
@Bean public AmazonIdentityManagement amazonIdentityManagement() { return new AmazonIdentityManagementClient(awsCredentials(), awsClientConfiguration.toClientConfiguration()); }
@BeforeClass public static void setUp() { s3Client = new AmazonS3Client(); client = new AWSOpsWorksClient(); iamClient = new AmazonIdentityManagementClient(); }
public AmazonIdentityManagement createAmazonIdentityManagement(AwsCredentialView awsCredential) { return isRoleAssumeRequired(awsCredential) ? new AmazonIdentityManagementClient(credentialClient.retrieveCachedSessionCredentials(awsCredential)) : new AmazonIdentityManagementClient(createAwsCredentials(awsCredential)); }
public AWSDatabaseHolder(Config config) { maxAgeInMs = config.getDuration("maxAge", TimeUnit.MILLISECONDS); final DefaultAWSCredentialsProviderChain awsCredentialsProviderChain = new DefaultAWSCredentialsProviderChain(); final ClientConfiguration clientConfig = new ClientConfiguration(); clientConfig.setRetryPolicy(new RetryPolicy(null, null, config.getInt("maxErrorRetry"), true)); final AmazonEC2Client bootstrapEC2Client = new AmazonEC2Client(awsCredentialsProviderChain); ec2Clients = Maps.newHashMap(); rdsClients = Maps.newHashMap(); sqsClients = Maps.newHashMap(); dynamoDBClients = Maps.newHashMap(); elasticacheClients = Maps.newHashMap(); final List<Region> ec2Regions = bootstrapEC2Client.describeRegions().getRegions(); for (Region region : ec2Regions) { final String regionName = region.getRegionName(); final String endpoint = region.getEndpoint(); log.debug("Adding ec2 region {}", region); final AmazonEC2Client ec2Client = new AmazonEC2Client(awsCredentialsProviderChain, clientConfig); ec2Client.setEndpoint(endpoint); ec2Clients.put(regionName, ec2Client); final AmazonRDSClient rdsClient = new AmazonRDSClient(awsCredentialsProviderChain, clientConfig); rdsClient.setEndpoint(endpoint.replaceFirst("ec2\\.", "rds.")); rdsClients.put(regionName, rdsClient); final AmazonDynamoDBClient dynamoDBClient = new AmazonDynamoDBClient(awsCredentialsProviderChain, clientConfig); dynamoDBClient.setEndpoint(endpoint.replaceFirst("ec2\\.", "dynamodb.")); dynamoDBClients.put(regionName, dynamoDBClient); final AmazonSQSClient sqsClient = new AmazonSQSClient(awsCredentialsProviderChain, clientConfig); sqsClient.setEndpoint(endpoint.replaceFirst("ec2\\.", "sqs.")); sqsClients.put(regionName, sqsClient); final AmazonElastiCacheClient elastiCacheClient = new AmazonElastiCacheClient (awsCredentialsProviderChain, clientConfig); elastiCacheClient.setEndpoint(endpoint.replaceFirst("ec2\\.", "elasticache.")); elasticacheClients.put(regionName, elastiCacheClient); } this.iamClient = new AmazonIdentityManagementClient(awsCredentialsProviderChain, clientConfig); if (config.hasPath("accountNumber")) { this.awsAccountNumber = config.getString("accountNumber"); } else { this.awsAccountNumber = null; } rebuild(); }
@Before public void setUp() throws Exception { clientMock = mock(AmazonIdentityManagementClient.class); final ClientProvider clientProviderMock = mock(ClientProvider.class); when(clientProviderMock.getClient(any(), any(), any())).thenReturn(clientMock); policyProvider = new PolicyProviderImpl(clientProviderMock); }
/** * Parameterized constructor. Pass the AWS Region as parameter. * @param region */ public IamUtilsImpl(Regions region) { this.iamClient = new AmazonIdentityManagementClient().withRegion(region); }
/** * Construct a service implementation that talks to the specified AWS * region. The low-level client will be created via the default no-arg * constructor, which means it will have all the default client * configurations and it will use the default provider chain to retrieve AWS * credentials. If you need more flexible control over the low-level client, * use {@link #IdentityManagementImpl(AmazonIdentityManagement)} instead. * * @param region The AWS region where the service API calls will be sent to. */ public IdentityManagementImpl(Regions region) { this(new AmazonIdentityManagementClient()); this.client().setRegion(Region.getRegion(region)); }
