/** * Get generated CMS properties that are not set by the user * @return - System configured properties */ public Properties getCmsSystemProperties() { final BaseOutputs baseOutputs = getBaseStackOutputs(); final BaseParameters baseParameters = getBaseStackParameters(); final VaultParameters vaultParameters = getVaultStackParamters(); final Optional<String> cmsVaultToken = getCmsVaultToken(); final Optional<String> cmsDatabasePassword = getCmsDatabasePassword(); final GetCallerIdentityResult callerIdentity = securityTokenService.getCallerIdentity( new GetCallerIdentityRequest()); final String rootUserArn = String.format("arn:aws:iam::%s:root", callerIdentity.getAccount()); final Properties properties = new Properties(); properties.put(VAULT_ADDR_KEY, String.format("https://%s", cnameToHost(vaultParameters.getCname()))); properties.put(VAULT_TOKEN_KEY, cmsVaultToken.get()); properties.put(ROOT_USER_ARN_KEY, rootUserArn); properties.put(ADMIN_ROLE_ARN_KEY, baseParameters.getAccountAdminArn()); properties.put(CMS_ROLE_ARN_KEY, baseOutputs.getCmsIamRoleArn()); properties.put(JDBC_URL_KEY, baseOutputs.getCmsDbJdbcConnectionString()); properties.put(JDBC_USERNAME_KEY, ConfigConstants.DEFAULT_CMS_DB_NAME); properties.put(JDBC_PASSWORD_KEY, cmsDatabasePassword.get()); return properties; }
public static String getAccount(AWSCredentialsProvider awsCredentialsProvider, ClientConfiguration clientConfiguration) { AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(awsCredentialsProvider) .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration)) .withRegion(RegionResolver.getRegion()) .build(); GetCallerIdentityRequest request = new GetCallerIdentityRequest(); GetCallerIdentityResult result = client.getCallerIdentity(request); return result.getAccount(); }
public boolean verifyInstanceIdentity(AWSAttestationData info, final String awsAccount) { GetCallerIdentityRequest req = new GetCallerIdentityRequest(); try { AWSSecurityTokenServiceClient client = getInstanceClient(info); if (client == null) { LOGGER.error("verifyInstanceIdentity - unable to get AWS STS client object"); return false; } GetCallerIdentityResult res = client.getCallerIdentity(req); if (res == null) { LOGGER.error("verifyInstanceIdentity - unable to get caller identity"); return false; } String arn = "arn:aws:sts::" + awsAccount + ":assumed-role/" + info.getRole() + "/"; if (!res.getArn().startsWith(arn)) { LOGGER.error("verifyInstanceIdentity - ARN mismatch - request: {} caller-idenity: {}", arn, res.getArn()); return false; } return true; } catch (Exception ex) { LOGGER.error("CloudStore: verifyInstanceIdentity - unable get caller identity: {}", ex.getMessage()); return false; } }
@Override AWSSecurityTokenServiceClient getTokenServiceClient() { AWSSecurityTokenServiceClient client = Mockito.mock(AWSSecurityTokenServiceClient.class); Mockito.when(client.assumeRole(Mockito.any(AssumeRoleRequest.class))).thenReturn(assumeRoleResult); Mockito.when(client.getCallerIdentity(Mockito.any(GetCallerIdentityRequest.class))).thenReturn(callerIdentityResult); return client; }
public String getAccountId() { final GetCallerIdentityResult callerIdentity = tokenService.getCallerIdentity(new GetCallerIdentityRequest()); return callerIdentity.getAccount(); }
@Override public void run(SetBackupAdminPrincipalsCommand command) { GetCallerIdentityResult identityResult = sts.getCallerIdentity(new GetCallerIdentityRequest()); String accountId = identityResult.getAccount(); String rootArn = String.format("arn:aws:iam::%s:root", accountId); String adminRoleArn = configStore.getAccountAdminArn().get(); Set<String> principals = new HashSet<>(); principals.add(rootArn); principals.add(adminRoleArn); principals.addAll(command.getAdditionalPrincipals()); configStore.storeBackupAdminIamPrincipals(principals); if (! configStore.getRegionBackupBucketMap().isEmpty()) { configStore.getRegionBackupBucketMap().forEach((region, backupRegionInfo) -> { final List<Statement> statements = new LinkedList<>(); principals.forEach( principal -> { log.debug("Adding principal: {} to the CMK Policy for region {}", principal, region); statements.add(new Statement(Statement.Effect.Allow) .withId("Principal " + principal + " Has All Actions") .withPrincipals(new Principal(AWS_PROVIDER, principal, false)) .withActions(KMSActions.AllKMSActions) .withResources(new Resource("*"))); }); Policy kmsPolicy = new Policy(); kmsPolicy.setStatements(statements); String policyString = kmsPolicy.toJson(); log.debug("Updating key {} for region {} with policy {}", backupRegionInfo.getKmsCmkId(), region, policyString); AWSKMS kms = AWSKMSClient.builder().withCredentials(getAWSCredentialsProviderChain()).withRegion(region).build(); PutKeyPolicyRequest request = new PutKeyPolicyRequest() .withKeyId(backupRegionInfo.getKmsCmkId()) .withPolicyName("default") .withBypassPolicyLockoutSafetyCheck(true) .withPolicy(policyString); kms.putKeyPolicy(request); log.info("Successfully updated key {} in region {} to allow the following principals access {}", backupRegionInfo.getKmsCmkId(), region, String.join(", ", principals)); }); } }
protected final String getAccount() { return this.sts.getCallerIdentity(new GetCallerIdentityRequest()).getAccount(); }
