public static AmazonS3 getS3Client(final String region, final String roleArn) { final Regions awsRegion = StringUtils.isNullOrEmpty(region) ? Regions.US_EAST_1 : Regions.fromName(region); if (StringUtils.isNullOrEmpty(roleArn)) { return AmazonS3ClientBuilder.standard().withRegion(awsRegion).build(); } else { final AssumeRoleRequest assumeRole = new AssumeRoleRequest().withRoleArn(roleArn).withRoleSessionName("io-klerch-mp3-converter"); final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withRegion(awsRegion).build(); final Credentials credentials = sts.assumeRole(assumeRole).getCredentials(); final BasicSessionCredentials sessionCredentials = new BasicSessionCredentials( credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken()); return AmazonS3ClientBuilder.standard().withRegion(awsRegion).withCredentials(new AWSStaticCredentialsProvider(sessionCredentials)).build(); } }
@Test public void provideSecurityTokenService_whenAwsStsRoleArnIsSet() { context = new AnnotationConfigApplicationContext(); addEnvironment(context, "zipkin.collector.sqs.queue-url:" + sqsRule.queueUrl()); addEnvironment(context, "zipkin.collector.sqs.wait-time-seconds:1"); addEnvironment(context, "zipkin.collector.sqs.aws-access-key-id: x"); addEnvironment(context, "zipkin.collector.sqs.aws-secret-access-key: x"); addEnvironment(context, "zipkin.collector.sqs.aws-sts-role-arn: test"); context.register(PropertyPlaceholderAutoConfiguration.class, Region.class, ZipkinSQSCollectorAutoConfiguration.class, ZipkinSQSCredentialsAutoConfiguration.class, InMemoryConfiguration.class); context.refresh(); assertThat(context.getBean(SQSCollector.class)).isNotNull(); assertThat(context.getBean(AWSSecurityTokenService.class)).isNotNull(); assertThat(context.getBean(AWSCredentialsProvider.class)).isInstanceOf(STSAssumeRoleSessionCredentialsProvider.class); }
@Test public void kinesisCollectorConfiguredForAWSWithGivenCredentials() { addEnvironment(context, "zipkin.collector.kinesis.stream-name: zipkin-test"); addEnvironment(context, "zipkin.collector.kinesis.app-name: zipkin"); addEnvironment(context, "zipkin.collector.kinesis.aws-access-key-id: x"); addEnvironment(context, "zipkin.collector.kinesis.aws-secret-access-key: x"); addEnvironment(context, "zipkin.collector.kinesis.aws-sts-role-arn: test"); context.register(PropertyPlaceholderAutoConfiguration.class, ZipkinKinesisCollectorAutoConfiguration.class, ZipkinKinesisCredentialsAutoConfiguration.class, InMemoryConfiguration.class); context.refresh(); assertThat(context.getBean(KinesisCollector.class)).isNotNull(); assertThat(context.getBean(AWSSecurityTokenService.class)).isNotNull(); assertThat(context.getBean(AWSCredentialsProvider.class)).isInstanceOf(STSAssumeRoleSessionCredentialsProvider.class); }
@Override public AWSCredentialsProvider get() { List<AWSCredentialsProvider> providers = new ArrayList<>(); if (!isNullOrEmpty(config.getAwsAccessKey()) && !isNullOrEmpty(config.getAwsSecretKey())) { providers.add(new BasicAWSCredentialsProvider(config.getAwsAccessKey(), config.getAwsSecretKey())); } providers.add(new DefaultAWSCredentialsProviderChain()); if (!isNullOrEmpty(config.getStsRoleArn())) { final AWSSecurityTokenService sts = securityTokenService(new AWSCredentialsProviderChain(providers)); return new STSAssumeRoleSessionCredentialsProvider.Builder(config.getStsRoleArn(), "ratpack-sqs") .withStsClient(sts) .build(); } return new AWSCredentialsProviderChain( providers.toArray(new AWSCredentialsProvider[providers.size()]) ); }
@Inject public ConfigStore(final AmazonS3 s3Client, final CloudFormationService cloudFormationService, final IdentityManagementService iamService, final AWSSecurityTokenService securityTokenService, final EnvironmentMetadata environmentMetadata, @Named(CONFIG_OBJECT_MAPPER) final ObjectMapper configObjectMapper, @Named(CF_OBJECT_MAPPER) final ObjectMapper cloudFormationObjectMapper) { this.cloudFormationService = cloudFormationService; this.iamService = iamService; this.configObjectMapper = configObjectMapper; this.cloudFormationObjectMapper = cloudFormationObjectMapper; this.s3Client = s3Client; this.environmentMetadata = environmentMetadata; this.securityTokenService = securityTokenService; }
private AWSCredentialsProvider buildCredentialsProvider(final AWSCredentials credentials, final String region, final String assumeRole) { AWSCredentialsProvider credentialsProvider = new AWSStaticCredentialsProvider(credentials); if (isNullOrEmpty(assumeRole)) { return credentialsProvider; } else { // STS requires a region; fall back on the SDK default if not set String stsRegion; if (isNullOrEmpty(region)) { stsRegion = defaultRegion(); } else { stsRegion = region; } AWSSecurityTokenService securityTokenService = AWSSecurityTokenServiceClientBuilder.standard() .withRegion(stsRegion) .withCredentials(credentialsProvider).build(); return new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRole, "nexus-s3-session") .withStsClient(securityTokenService) .build(); } }
public static String getAccount(AWSCredentialsProvider awsCredentialsProvider, ClientConfiguration clientConfiguration) { AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(awsCredentialsProvider) .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration)) .withRegion(RegionResolver.getRegion()) .build(); GetCallerIdentityRequest request = new GetCallerIdentityRequest(); GetCallerIdentityResult result = client.getCallerIdentity(request); return result.getAccount(); }
private AWSCredentialsProvider assumeRole(AWSCredentialsProvider longLivedAWSCredentials, ClientConfiguration clientConfiguration, String assumeRoleArn) { AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(longLivedAWSCredentials) .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration)) .withRegion(RegionResolver.getRegion()) .build(); STSAssumeRoleSessionCredentialsProvider.Builder builder = new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRoleArn, "strongbox-cli"); builder.withStsClient(client); return builder.build(); }
/** Setup {@link AWSSecurityTokenService} client an IAM role to assume is given. */ @Bean @ConditionalOnMissingBean @Conditional(STSSetCondition.class) AWSSecurityTokenService securityTokenService(ZipkinSQSCollectorProperties properties) { return AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(getDefaultCredentialsProvider(properties)) .withRegion(properties.awsStsRegion) .build(); }
@Test public void provideCollectorComponent_whenSqsQueueUrlIsSet() { context = new AnnotationConfigApplicationContext(); addEnvironment(context, "zipkin.collector.sqs.queue-url:" + sqsRule.queueUrl()); addEnvironment(context, "zipkin.collector.sqs.wait-time-seconds:1"); addEnvironment(context, "zipkin.collector.sqs.aws-access-key-id: x"); addEnvironment(context, "zipkin.collector.sqs.aws-secret-access-key: x"); context.register(PropertyPlaceholderAutoConfiguration.class, Region.class, ZipkinSQSCollectorAutoConfiguration.class, ZipkinSQSCredentialsAutoConfiguration.class, InMemoryConfiguration.class); context.refresh(); assertThat(context.getBean(SQSCollector.class)).isNotNull(); assertThat(context.getBean(AWSCredentialsProvider.class)).isNotNull(); assertThatExceptionOfType(NoSuchBeanDefinitionException.class).isThrownBy(() -> context.getBean(AWSSecurityTokenService.class)); }
/** Setup {@link AWSSecurityTokenService} client an IAM role to assume is given. */ @Bean @ConditionalOnMissingBean @Conditional(STSSetCondition.class) AWSSecurityTokenService securityTokenService(ZipkinKinesisCollectorProperties properties) { return AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(getDefaultCredentialsProvider(properties)) .withRegion(properties.awsStsRegion) .build(); }
private AWSSecurityTokenService securityTokenService(AWSCredentialsProvider credentialsProvider) { AWSSecurityTokenServiceClientBuilder builder = AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(credentialsProvider); if (config.stsEndpoint().isPresent()) { builder.withEndpointConfiguration( new AwsClientBuilder.EndpointConfiguration(config.getStsEndpoint(), config.getStsRegionName()) ); } else { builder.withRegion(config.getStsRegionName()); } return builder.build(); }
public AAWSTest() { super(); if (Config.has(Config.Key.IAM_ROLE_ARN)) { final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new DefaultAWSCredentialsProviderChain()).build(); this.credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(Config.get(Config.Key.IAM_ROLE_ARN), IAM_SESSION_NAME).withStsClient(sts).build(); } else { this.credentialsProvider = new DefaultAWSCredentialsProviderChain(); } this.ec2 = AmazonEC2ClientBuilder.standard().withCredentials(this.credentialsProvider).build(); this.iam = AmazonIdentityManagementClientBuilder.standard().withCredentials(this.credentialsProvider).build(); }
@Inject public SetBackupAdminPrincipalsOperation(ConfigStore configStore, AWSSecurityTokenService sts) { this.configStore = configStore; this.sts = sts; }
/** * Binds all the Amazon services used. */ @Override protected void configure() { final Region region = Region.getRegion(Regions.fromName(regionName)); bind(AmazonEC2.class).toInstance(createAmazonClientInstance(AmazonEC2Client.class, region)); bind(AmazonCloudFormation.class).toInstance(createAmazonClientInstance(AmazonCloudFormationClient.class, region)); bind(AmazonIdentityManagement.class).toInstance(createAmazonClientInstance(AmazonIdentityManagementClient.class, region)); bind(AWSKMS.class).toInstance(createAmazonClientInstance(AWSKMSClient.class, region)); bind(AmazonS3.class).toInstance(createAmazonClientInstance(AmazonS3Client.class, region)); bind(AmazonAutoScaling.class).toInstance(createAmazonClientInstance(AmazonAutoScalingClient.class, region)); bind(AWSSecurityTokenService.class).toInstance(createAmazonClientInstance(AWSSecurityTokenServiceClient.class, region)); bind(AWSLambda.class).toInstance(createAmazonClientInstance(AWSLambdaClient.class, region)); bind(AmazonSNS.class).toInstance(createAmazonClientInstance(AmazonSNSClient.class, region)); }
public AAWSTest() { super(); if (Config.has(Config.Key.IAM_ROLE_ARN)) { final AWSSecurityTokenService local = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new DefaultAWSCredentialsProviderChain()).build(); this.credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(Config.get(Config.Key.IAM_ROLE_ARN), IAM_SESSION_NAME).withStsClient(local).build(); } else { this.credentialsProvider = new DefaultAWSCredentialsProviderChain(); } this.ec2 = AmazonEC2ClientBuilder.standard().withCredentials(this.credentialsProvider).build(); this.route53 = AmazonRoute53ClientBuilder.standard().withCredentials(this.credentialsProvider).build(); this.s3 = AmazonS3ClientBuilder.standard().withCredentials(this.credentialsProvider).build(); this.sts = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(this.credentialsProvider).build(); }
/** * Resolve AWS credentials based on MFA/Assume role * * We will assume that if mfa_serial is defined, then role_arn and source_profile also has to be specified. * * Please note that Strongbox differ from the AWS CLI in the following: * AWS CLI: 'Note that configuration variables for using IAM roles can only be in the AWS CLI config file.' * Strongbox: '--assume-role' can be specified explicitly * * https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles */ private AWSCredentials assumeRole(ClientConfiguration clientConfiguration, ConfigProviderChain configProvider, ProfileIdentifier profile, RoleARN roleToAssume) { Optional<ProfileIdentifier> sourceProfile = configProvider.getSourceProfile(profile); if (!sourceProfile.isPresent()) { throw new IllegalStateException(String.format("'%s' must be specified when using '%s' for profile '%s'", AWSConfigPropertyKey.SOURCE_PROFILE, AWSConfigPropertyKey.ROLE_ARN, profile.name)); } SessionCache sessionCache = new SessionCache(profile, roleToAssume); Optional<BasicSessionCredentials> cachedCredentials = sessionCache.load(); if (cachedCredentials.isPresent()) { return cachedCredentials.get(); } else { AWSCredentialsProvider staticCredentialsProvider = new AWSStaticCredentialsProvider(getStaticCredentials(configProvider, sourceProfile.get())); AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(staticCredentialsProvider) .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration)) .withRegion(RegionResolver.getRegion()) .build(); String sessionId = String.format("strongbox-cli-session-%s", ZonedDateTime.now().toEpochSecond()); AssumeRoleRequest request = new AssumeRoleRequest(); request.withRoleArn(roleToAssume.toArn()) .withRoleSessionName(sessionId); Optional<String> mfaSerial = configProvider.getMFASerial(profile); if (mfaSerial.isPresent()) { MFAToken mfaToken = mfaTokenSupplier.get(); request.withSerialNumber(mfaSerial.get()) .withTokenCode(mfaToken.value); } AssumeRoleResult result = client.assumeRole(request); Credentials credentials = result.getCredentials(); BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken()); sessionCache.save(result.getAssumedRoleUser(), basicSessionCredentials, ZonedDateTime.ofInstant(credentials.getExpiration().toInstant(), ZoneId.of("UTC"))); return basicSessionCredentials; } }
public AwsMetadataService(AWSSecurityTokenService tokenService) { this.tokenService = tokenService; }
public AssumedSessionCredentialsFactoryBean( AWSSecurityTokenService sts, AgentConfig config ) { this.sts = sts; this.assumedRoleArn = config.getControllerRoleArn(); }
