Java 类com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder 实例源码

public static AmazonS3 getS3Client(final String region, final String roleArn) {
    final Regions awsRegion = StringUtils.isNullOrEmpty(region) ? Regions.US_EAST_1 : Regions.fromName(region);

    if (StringUtils.isNullOrEmpty(roleArn)) {
        return AmazonS3ClientBuilder.standard().withRegion(awsRegion).build();
    } else {
        final AssumeRoleRequest assumeRole = new AssumeRoleRequest().withRoleArn(roleArn).withRoleSessionName("io-klerch-mp3-converter");

        final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withRegion(awsRegion).build();
        final Credentials credentials = sts.assumeRole(assumeRole).getCredentials();

        final BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
                credentials.getAccessKeyId(),
                credentials.getSecretAccessKey(),
                credentials.getSessionToken());

        return AmazonS3ClientBuilder.standard().withRegion(awsRegion).withCredentials(new AWSStaticCredentialsProvider(sessionCredentials)).build();
    }
}

private AWSCredentialsProvider buildCredentialsProvider(final AWSCredentials credentials, final String region, final String assumeRole) {
  AWSCredentialsProvider credentialsProvider = new AWSStaticCredentialsProvider(credentials);
  if (isNullOrEmpty(assumeRole)) {
    return credentialsProvider;
  }
  else {
    // STS requires a region; fall back on the SDK default if not set
    String stsRegion;
    if (isNullOrEmpty(region)) {
      stsRegion = defaultRegion();
    }
    else {
      stsRegion = region;
    }
    AWSSecurityTokenService securityTokenService = AWSSecurityTokenServiceClientBuilder.standard()
        .withRegion(stsRegion)
        .withCredentials(credentialsProvider).build();

    return new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRole, "nexus-s3-session")
        .withStsClient(securityTokenService)
        .build();
  }
}

public static String getAccount(AWSCredentialsProvider awsCredentialsProvider, ClientConfiguration clientConfiguration) {
    AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(awsCredentialsProvider)
        .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration))
        .withRegion(RegionResolver.getRegion())
        .build();
    GetCallerIdentityRequest request = new GetCallerIdentityRequest();
    GetCallerIdentityResult result = client.getCallerIdentity(request);

    return result.getAccount();
}

private AWSCredentialsProvider assumeRole(AWSCredentialsProvider longLivedAWSCredentials, ClientConfiguration clientConfiguration, String assumeRoleArn) {
    AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
            .withCredentials(longLivedAWSCredentials)
            .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration))
            .withRegion(RegionResolver.getRegion())
            .build();

    STSAssumeRoleSessionCredentialsProvider.Builder builder =
            new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRoleArn, "strongbox-cli");
    builder.withStsClient(client);

    return builder.build();
}

public FederatedUserCredentialsProvider(String region, String bucket) {
    tokenService = AWSSecurityTokenServiceClientBuilder
            .standard()
            .withRegion(region)
            .build();
    this.bucket = bucket;
    this.region = region;
}

public FederatedUserCredentialsProvider(String region, String bucket, AWSCredentialsProvider credentialsProvider) {
    tokenService = AWSSecurityTokenServiceClientBuilder
            .standard()
            .withCredentials(credentialsProvider)
            .withRegion(region)
            .build();
    this.bucket = bucket;
    this.region = region;
}

/** Setup {@link AWSSecurityTokenService} client an IAM role to assume is given. */
@Bean
@ConditionalOnMissingBean
@Conditional(STSSetCondition.class)
AWSSecurityTokenService securityTokenService(ZipkinSQSCollectorProperties properties) {
  return AWSSecurityTokenServiceClientBuilder.standard()
      .withCredentials(getDefaultCredentialsProvider(properties))
      .withRegion(properties.awsStsRegion)
      .build();
}

/** Setup {@link AWSSecurityTokenService} client an IAM role to assume is given. */
@Bean
@ConditionalOnMissingBean
@Conditional(STSSetCondition.class)
AWSSecurityTokenService securityTokenService(ZipkinKinesisCollectorProperties properties) {
  return AWSSecurityTokenServiceClientBuilder.standard()
      .withCredentials(getDefaultCredentialsProvider(properties))
      .withRegion(properties.awsStsRegion)
      .build();
}

private AWSSecurityTokenService securityTokenService(AWSCredentialsProvider credentialsProvider) {
    AWSSecurityTokenServiceClientBuilder builder = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(credentialsProvider);

    if (config.stsEndpoint().isPresent()) {
        builder.withEndpointConfiguration(
            new AwsClientBuilder.EndpointConfiguration(config.getStsEndpoint(), config.getStsRegionName())
        );
    } else {
        builder.withRegion(config.getStsRegionName());
    }

    return builder.build();
}

public AAWSTest() {
    super();
    if (Config.has(Config.Key.IAM_ROLE_ARN)) {
        final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new DefaultAWSCredentialsProviderChain()).build();
        this.credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(Config.get(Config.Key.IAM_ROLE_ARN), IAM_SESSION_NAME).withStsClient(sts).build();
    } else {
        this.credentialsProvider = new DefaultAWSCredentialsProviderChain();
    }
    this.ec2 = AmazonEC2ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.iam = AmazonIdentityManagementClientBuilder.standard().withCredentials(this.credentialsProvider).build();
}

public AAWSTest() {
    super();
    if (Config.has(Config.Key.IAM_ROLE_ARN)) {
        final AWSSecurityTokenService local = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new DefaultAWSCredentialsProviderChain()).build();
        this.credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(Config.get(Config.Key.IAM_ROLE_ARN), IAM_SESSION_NAME).withStsClient(local).build();
    } else {
        this.credentialsProvider = new DefaultAWSCredentialsProviderChain();
    }
    this.ec2 = AmazonEC2ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.route53 = AmazonRoute53ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.s3 = AmazonS3ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.sts = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(this.credentialsProvider).build();
}

/**
 * Resolve AWS credentials based on MFA/Assume role
 *
 * We will assume that if mfa_serial is defined, then role_arn and source_profile also has to be specified.
 *
 * Please note that Strongbox differ from the AWS CLI in the following:
 * AWS CLI: 'Note that configuration variables for using IAM roles can only be in the AWS CLI config file.'
 * Strongbox: '--assume-role' can be specified explicitly
 *
 * https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles
 */
private AWSCredentials assumeRole(ClientConfiguration clientConfiguration,
                                  ConfigProviderChain configProvider,
                                  ProfileIdentifier profile,
                                  RoleARN roleToAssume) {

    Optional<ProfileIdentifier> sourceProfile = configProvider.getSourceProfile(profile);
    if (!sourceProfile.isPresent()) {
        throw new IllegalStateException(String.format("'%s' must be specified when using '%s' for profile '%s'",
                AWSConfigPropertyKey.SOURCE_PROFILE,
                AWSConfigPropertyKey.ROLE_ARN,
                profile.name));
    }

    SessionCache sessionCache = new SessionCache(profile, roleToAssume);
    Optional<BasicSessionCredentials> cachedCredentials = sessionCache.load();

    if (cachedCredentials.isPresent()) {
        return cachedCredentials.get();
    } else {
        AWSCredentialsProvider staticCredentialsProvider = new AWSStaticCredentialsProvider(getStaticCredentials(configProvider, sourceProfile.get()));

        AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(staticCredentialsProvider)
                .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration))
                .withRegion(RegionResolver.getRegion())
                .build();

        String sessionId = String.format("strongbox-cli-session-%s", ZonedDateTime.now().toEpochSecond());

        AssumeRoleRequest request = new AssumeRoleRequest();
        request.withRoleArn(roleToAssume.toArn())
                .withRoleSessionName(sessionId);

        Optional<String> mfaSerial = configProvider.getMFASerial(profile);
        if (mfaSerial.isPresent()) {
            MFAToken mfaToken = mfaTokenSupplier.get();

            request.withSerialNumber(mfaSerial.get())
                    .withTokenCode(mfaToken.value);
        }

        AssumeRoleResult result = client.assumeRole(request);
        Credentials credentials = result.getCredentials();

        BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());

        sessionCache.save(result.getAssumedRoleUser(),
                basicSessionCredentials,
                ZonedDateTime.ofInstant(credentials.getExpiration().toInstant(), ZoneId.of("UTC")));

        return basicSessionCredentials;
    }
}