// Configure the assume-role builder in a single chain: role ARN and session name,
// the STS client handed to the builder, the session duration, and the external ID.
// NOTE(review): the external ID is applied unconditionally here; confirm that
// assumeRoleExternalId is always populated before this point.
builder = new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRoleArn, assumeRoleName)
    .withStsClient(securityTokenService)
    .withRoleSessionDurationSeconds(maxSessionTime)
    .withExternalId(assumeRoleExternalId);
final AWSCredentialsProvider credsProvider = builder.build();
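/**
 * Builds the credentials provider described by {@code config}.
 *
 * <p>The base provider is a {@code DefaultAWSCredentialsProviderChain} built from the
 * configuration. When the assume-role flag is present and true, that chain is used as the
 * long-lived credentials source of an {@code STSAssumeRoleSessionCredentialsProvider} for the
 * configured role ARN and session id; the external id and the session duration are applied
 * only when their keys are present.
 *
 * @return the assume-role provider when assume-role is enabled, otherwise the base chain
 * @throws IllegalArgumentException if the configured refresh interval, converted to seconds,
 *     does not fit in an {@code int}
 */
public AWSCredentialsProvider getCredentialsProvider() {
  AWSCredentialsProvider credentialsProviderChain = new DefaultAWSCredentialsProviderChain(this.config);
  if (config.hasPath(GobblinAWSConfigurationKeys.CLIENT_ASSUME_ROLE_KEY)
      && config.getBoolean(GobblinAWSConfigurationKeys.CLIENT_ASSUME_ROLE_KEY)) {
    String roleArn = config.getString(GobblinAWSConfigurationKeys.CLIENT_ROLE_ARN_KEY);
    String sessionId = config.getString(GobblinAWSConfigurationKeys.CLIENT_SESSION_ID_KEY);
    STSAssumeRoleSessionCredentialsProvider.Builder builder =
        new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionId)
            .withLongLivedCredentialsProvider(credentialsProviderChain);
    if (config.hasPath(GobblinAWSConfigurationKeys.CLIENT_EXTERNAL_ID_KEY)) {
      builder.withExternalId(config.getString(GobblinAWSConfigurationKeys.CLIENT_EXTERNAL_ID_KEY));
    }
    if (config.hasPath(GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL)) {
      long refreshMinutes = config.getLong(GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL);
      long durationSeconds = TimeUnit.MINUTES.toSeconds(refreshMinutes);
      // A plain (int) cast would silently wrap an oversized value into an unrelated session
      // lifetime; reject it instead. Values that fit in an int are passed through unchanged.
      if (durationSeconds < Integer.MIN_VALUE || durationSeconds > Integer.MAX_VALUE) {
        throw new IllegalArgumentException(
            GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL + " of " + refreshMinutes
                + " minutes does not fit in an int number of seconds");
      }
      builder.withRoleSessionDurationSeconds((int) durationSeconds);
    }
    credentialsProviderChain = builder.build();
  }
  return credentialsProviderChain;
}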
= new STSAssumeRoleSessionCredentialsProvider.Builder(arn, sessionName); builder.withRoleSessionDurationSeconds((int) duration); if (StringUtils.isNotEmpty(policy)) { LOG.debug("Scope down policy {}", policy); builder.withScopeDownPolicy(policy); builder.withStsClient(stsbuilder.build()); stsProvider = builder.build();
if (args.length > 0) { AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().build(); credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(args[0], "mercator-demo-" + System.getProperty("user.name")).withStsClient(sts).build();
// Configure the assume-role builder in a single chain: role ARN and session name,
// the STS client handed to the builder, the session duration, and the external ID.
// NOTE(review): the external ID is applied unconditionally here; confirm that
// assumeRoleExternalId is always populated before this point.
builder = new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRoleArn, assumeRoleName)
    .withStsClient(securityTokenService)
    .withRoleSessionDurationSeconds(maxSessionTime)
    .withExternalId(assumeRoleExternalId);
final AWSCredentialsProvider credsProvider = builder.build();
/**
 * Configures this builder with credentials obtained by assuming {@code roleArn}.
 *
 * <p>Intended mainly as a testing convenience: the base credentials come from the
 * DefaultAWSCredentialsProviderChain and the given role is then assumed on top of them.
 *
 * @param roleArn the role to assume
 * @param sessionName caller-chosen session name; useful for auditing and logging
 * @return the result of {@code withCredentials} for the assume-role provider
 */
public AWSScannerBuilder withAssumeRoleCredentials(String roleArn, String sessionName) {
    // To assume the role from a different base credentials provider, build an
    // AWSSecurityTokenService with that provider and hand it to the
    // STSAssumeRoleSessionCredentialsProvider.Builder. Kept as a reminder:
    //   AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
    //       .withCredentials(new DefaultAWSCredentialsProviderChain()).build();
    return withCredentials(
        new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName).build());
}
/**
 * Assembles the credentials chain from the instance's settings.
 *
 * <p>With {@code specifyCredentials} the explicit access/secret key pair is tried first;
 * otherwise those fields are left out entirely. When {@code specifySTS} is set, the chain
 * becomes the long-lived credentials source of an assume-role provider, optionally with an
 * external id and a custom STS endpoint, and the result is wrapped in a new chain.
 *
 * @return the base chain, or a chain holding only the assume-role provider
 */
private AWSCredentialsProviderChain getCredentialsProvier() {
    // NOTE(review): AnonymousAWSCredentialsProvider is the last link of both chains, so
    // resolution presumably falls through to anonymous credentials when nothing else
    // matches; confirm that is intended, in particular when the chain feeds the STS builder.
    final AWSCredentialsProviderChain baseChain = specifyCredentials
        ? new AWSCredentialsProviderChain(
            new BasicAWSCredentialsProvider(accessKey, secretKey),
            new DefaultAWSCredentialsProviderChain(),
            new AnonymousAWSCredentialsProvider())
        // explicit keys were not requested: keep any stray accessKey/secretKey out of the chain
        : new AWSCredentialsProviderChain(
            new DefaultAWSCredentialsProviderChain(),
            new AnonymousAWSCredentialsProvider());

    if (!specifySTS) {
        return baseChain;
    }

    STSAssumeRoleSessionCredentialsProvider.Builder stsBuilder =
        new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, roleSessionName)
            .withLongLivedCredentialsProvider(baseChain);
    if (specifyRoleExternalId) {
        stsBuilder = stsBuilder.withExternalId(roleExternalId);
    }
    if (specifySTSEndpoint) {
        stsBuilder = stsBuilder.withServiceEndpoint(stsEndpoint);
    }
    return new AWSCredentialsProviderChain(stsBuilder.build());
}
/**
 * Assembles the credentials chain from the instance's settings.
 *
 * <p>With {@code specifyCredentials} the explicit access/secret key pair is tried first;
 * otherwise those fields are left out entirely. When {@code specifySTS} is set, the chain
 * becomes the long-lived credentials source of an assume-role provider, optionally with an
 * external id and a custom STS endpoint, and the result is wrapped in a new chain.
 *
 * @return the base chain, or a chain holding only the assume-role provider
 */
private AWSCredentialsProviderChain getCredentialsProvier() {
    // NOTE(review): AnonymousAWSCredentialsProvider is the last link of both chains, so
    // resolution presumably falls through to anonymous credentials when nothing else
    // matches; confirm that is intended, in particular when the chain feeds the STS builder.
    final AWSCredentialsProviderChain baseChain = specifyCredentials
        ? new AWSCredentialsProviderChain(
            new BasicAWSCredentialsProvider(accessKey, secretKey),
            new DefaultAWSCredentialsProviderChain(),
            new AnonymousAWSCredentialsProvider())
        // explicit keys were not requested: keep any stray accessKey/secretKey out of the chain
        : new AWSCredentialsProviderChain(
            new DefaultAWSCredentialsProviderChain(),
            new AnonymousAWSCredentialsProvider());

    if (!specifySTS) {
        return baseChain;
    }

    STSAssumeRoleSessionCredentialsProvider.Builder stsBuilder =
        new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, roleSessionName)
            .withLongLivedCredentialsProvider(baseChain);
    if (specifyRoleExternalId) {
        stsBuilder = stsBuilder.withExternalId(roleExternalId);
    }
    if (specifySTSEndpoint) {
        stsBuilder = stsBuilder.withServiceEndpoint(stsEndpoint);
    }
    return new AWSCredentialsProviderChain(stsBuilder.build());
}
/**
 * Creates an S3 client for the region, and optional role, carried by {@code s3ClientKey}.
 *
 * <p>When the key has a role ARN, the client authenticates through an assume-role provider
 * that uses this instance's STS client and a freshly generated session name; otherwise it
 * uses this instance's default credentials provider.
 *
 * @param s3ClientKey region and optional role ARN identifying the client to build
 * @return the configured S3 client
 */
private AmazonS3 buildS3Client(final S3ClientKey s3ClientKey) {
    // TODO: Do something about allowing ClientConfiguration to be passed in
    final AmazonS3ClientBuilder clientBuilder = AmazonS3ClientBuilder
        .standard()
        .withRegion(s3ClientKey.getRegion())
        // global bucket access is switched on for every client built here
        .withForceGlobalBucketAccessEnabled(true);

    final AWSCredentialsProvider credentials = s3ClientKey
        .getRoleARN()
        .map(
            roleARN -> {
                // TODO: Perhaps rename with more detailed info?
                // Each provider gets its own session name: fixed prefix plus a random UUID.
                final String roleSession = "Genie-Agent-" + UUID.randomUUID().toString();
                return (AWSCredentialsProvider) new STSAssumeRoleSessionCredentialsProvider
                    .Builder(roleARN, roleSession)
                    .withStsClient(this.stsClient)
                    .build();
            }
        )
        .orElse(this.awsCredentialsProvider);

    return clientBuilder.withCredentials(credentials).build();
}
/**
 * Constructs a new STSAssumeRoleSessionCredentialsProvider, which uses the specified
 * long-lived AWS credentials to make a request to the AWS Security Token Service (STS),
 * assumes the role given by {@link #roleArn}, and requests short-lived session credentials.
 * Those session credentials are then returned by this class's {@link #getCredentials()}
 * method.
 *
 * <p>Delegates to the {@link Builder}: the role ARN and session name go to its constructor,
 * and the credentials and client configuration are applied through
 * {@code withLongLivedCredentials} and {@code withClientConfiguration}.
 *
 * @param longLivedCredentials The main AWS credentials for a user's account.
 * @param roleArn The ARN of the Role to be assumed.
 * @param roleSessionName An identifier for the assumed role session.
 * @param clientConfiguration Client configuration connection parameters.
 * @deprecated Use the {@link Builder} instead.
 */
@Deprecated
public STSAssumeRoleSessionCredentialsProvider(AWSCredentials longLivedCredentials,
        String roleArn, String roleSessionName, ClientConfiguration clientConfiguration) {
    this(new Builder(roleArn, roleSessionName).withLongLivedCredentials(longLivedCredentials)
            .withClientConfiguration(clientConfiguration));
}
/**
 * Constructs a new STSAssumeRoleSessionCredentialsProvider, which uses the specified
 * credentials provider (which vends long-lived AWS credentials) to make a request to the AWS
 * Security Token Service (STS), assumes the role given by {@link #roleArn}, and requests
 * short-lived session credentials. Those session credentials are then returned by this
 * class's {@link #getCredentials()} method.
 *
 * <p>Delegates to the {@link Builder}: the role ARN and session name go to its constructor,
 * and the provider and client configuration are applied through
 * {@code withLongLivedCredentialsProvider} and {@code withClientConfiguration}.
 *
 * @param longLivedCredentialsProvider Credentials provider for the main AWS credentials for a
 *        user's account.
 * @param roleArn The ARN of the Role to be assumed.
 * @param roleSessionName An identifier for the assumed role session.
 * @param clientConfiguration Client configuration connection parameters.
 * @deprecated Use the {@link Builder} instead.
 */
@Deprecated
public STSAssumeRoleSessionCredentialsProvider(
        AWSCredentialsProvider longLivedCredentialsProvider, String roleArn,
        String roleSessionName, ClientConfiguration clientConfiguration) {
    this(new Builder(roleArn, roleSessionName)
            .withLongLivedCredentialsProvider(longLivedCredentialsProvider)
            .withClientConfiguration(clientConfiguration));
}
/**
 * Constructs a new STSAssumeRoleSessionCredentialsProvider, which uses the specified
 * credentials provider (which vends long-lived AWS credentials) to make a request to the AWS
 * Security Token Service (STS), assumes the role given by {@link #roleArn}, and requests
 * short-lived session credentials. Those session credentials are then returned by this
 * class's {@link #getCredentials()} method.
 *
 * <p>Delegates to the {@link Builder}: the role ARN and session name go to its constructor,
 * and the provider is applied through {@code withLongLivedCredentialsProvider}. No client
 * configuration is passed by this overload.
 *
 * @param longLivedCredentialsProvider Credentials provider for the main AWS credentials for a
 *        user's account.
 * @param roleArn The ARN of the Role to be assumed.
 * @param roleSessionName An identifier for the assumed role session.
 * @deprecated Use the {@link Builder} instead.
 */
@Deprecated
public STSAssumeRoleSessionCredentialsProvider(
        AWSCredentialsProvider longLivedCredentialsProvider, String roleArn,
        String roleSessionName) {
    this(new Builder(roleArn, roleSessionName)
            .withLongLivedCredentialsProvider(longLivedCredentialsProvider));
}
/**
 * Creates the AWS client, and the assume-role credentials it runs under, for a cache key.
 *
 * <p>The role ARN is derived from {@code key.accountId}, the session name is the fixed
 * {@code ROLE_SESSION_NAME}, and the client builder class is located reflectively from
 * {@code key.type}.
 *
 * @param key account, region and client type identifying the client to create
 * @return the built client together with the credentials provider it uses
 */
@Override
public CacheValue load(@Nonnull final Key<?> key) {
    log.debug("Creating a new AmazonWebServiceClient client for {}", key);
    // Temporary credentials for the target account's role, obtained through the shared STS client.
    final STSAssumeRoleSessionCredentialsProvider tempCredentials = new STSAssumeRoleSessionCredentialsProvider
            .Builder(buildRoleArn(key.accountId), ROLE_SESSION_NAME).withStsClient(awsSecurityTokenService)
            .build();
    // The builder class name is "<client type name>Builder", resolved on the default class loader.
    // NOTE(review): the class loaded here depends on key.type; confirm keys are only ever
    // created from trusted client classes.
    final String builderName = key.type.getName() + "Builder";
    final Class<?> className = ClassUtils.resolveClassName(builderName, ClassUtils.getDefaultClassLoader());
    // Look up the static standard() factory and fail with a clear message when it is missing.
    final Method method = ClassUtils.getStaticMethod(className, "standard");
    Assert.notNull(method, "Could not find standard() method in class:'" + className.getName() + "'");
    // Static method, hence the null target.
    final AwsClientBuilder<?, ?> builder = (AwsClientBuilder<?, ?>) ReflectionUtils.invokeMethod(method, null);
    builder.withCredentials(tempCredentials);
    builder.withRegion(key.region.getName());
    builder.withClientConfiguration(new ClientConfiguration().withMaxErrorRetry(MAX_ERROR_RETRY));
    final AmazonWebServiceClient client = (AmazonWebServiceClient) builder.build();
    // The credentials provider is returned alongside the client.
    return new CacheValue(client, tempCredentials);
}
// Closers of an enclosing construct that starts outside this snippet (presumably an
// anonymous class assigned in a statement).
}
};
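/**
 * Builds the credentials provider described by {@code config}.
 *
 * <p>The base provider is a {@code DefaultAWSCredentialsProviderChain} built from the
 * configuration. When the assume-role flag is present and true, that chain is used as the
 * long-lived credentials source of an {@code STSAssumeRoleSessionCredentialsProvider} for the
 * configured role ARN and session id; the external id and the session duration are applied
 * only when their keys are present.
 *
 * @return the assume-role provider when assume-role is enabled, otherwise the base chain
 * @throws IllegalArgumentException if the configured refresh interval, converted to seconds,
 *     does not fit in an {@code int}
 */
public AWSCredentialsProvider getCredentialsProvider() {
  AWSCredentialsProvider credentialsProviderChain = new DefaultAWSCredentialsProviderChain(this.config);
  if (config.hasPath(GobblinAWSConfigurationKeys.CLIENT_ASSUME_ROLE_KEY)
      && config.getBoolean(GobblinAWSConfigurationKeys.CLIENT_ASSUME_ROLE_KEY)) {
    String roleArn = config.getString(GobblinAWSConfigurationKeys.CLIENT_ROLE_ARN_KEY);
    String sessionId = config.getString(GobblinAWSConfigurationKeys.CLIENT_SESSION_ID_KEY);
    STSAssumeRoleSessionCredentialsProvider.Builder builder =
        new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionId)
            .withLongLivedCredentialsProvider(credentialsProviderChain);
    if (config.hasPath(GobblinAWSConfigurationKeys.CLIENT_EXTERNAL_ID_KEY)) {
      builder.withExternalId(config.getString(GobblinAWSConfigurationKeys.CLIENT_EXTERNAL_ID_KEY));
    }
    if (config.hasPath(GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL)) {
      long refreshMinutes = config.getLong(GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL);
      long durationSeconds = TimeUnit.MINUTES.toSeconds(refreshMinutes);
      // A plain (int) cast would silently wrap an oversized value into an unrelated session
      // lifetime; reject it instead. Values that fit in an int are passed through unchanged.
      if (durationSeconds < Integer.MIN_VALUE || durationSeconds > Integer.MAX_VALUE) {
        throw new IllegalArgumentException(
            GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL + " of " + refreshMinutes
                + " minutes does not fit in an int number of seconds");
      }
      builder.withRoleSessionDurationSeconds((int) durationSeconds);
    }
    credentialsProviderChain = builder.build();
  }
  return credentialsProviderChain;
}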
/**
 * Creates a credentials provider, optionally wrapped in an assume-role provider.
 *
 * <p>The base provider comes from the two-argument overload. Only when both
 * {@code roleArn} and {@code roleSessionName} are non-empty is it used to build a regional
 * STS client for an {@code STSAssumeRoleSessionCredentialsProvider}.
 *
 * @param useInstanceProfileForCredentials passed through to the base-provider overload
 * @param credentialsId passed through to the base-provider overload
 * @param roleArn ARN of the role to assume; may be empty
 * @param roleSessionName session name for the assumed role; may be empty
 * @param region region for the STS client and its client configuration
 * @return the assume-role provider, or the base provider when either role setting is empty
 */
public static AWSCredentialsProvider createCredentialsProvider(
        final boolean useInstanceProfileForCredentials,
        final String credentialsId,
        final String roleArn,
        final String roleSessionName,
        final String region) {
    final AWSCredentialsProvider baseProvider =
            createCredentialsProvider(useInstanceProfileForCredentials, credentialsId);

    // A role ARN without a session name (or the reverse) is not an error here: the call
    // quietly returns the base credentials, so the caller ends up running without the role.
    if (!(StringUtils.isNotEmpty(roleArn) && StringUtils.isNotEmpty(roleSessionName))) {
        return baseProvider;
    }

    return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, roleSessionName)
            .withStsClient(
                    AWSSecurityTokenServiceClientBuilder.standard()
                            .withCredentials(baseProvider)
                            .withRegion(region)
                            .withClientConfiguration(
                                    createClientConfiguration(convertHostName(region)))
                            .build())
            .build();
}
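/**
 * Builds the credentials provider described by {@code config}.
 *
 * <p>The base provider is a {@code DefaultAWSCredentialsProviderChain} built from the
 * configuration. When the assume-role flag is present and true, that chain is used as the
 * long-lived credentials source of an {@code STSAssumeRoleSessionCredentialsProvider} for the
 * configured role ARN and session id; the external id and the session duration are applied
 * only when their keys are present.
 *
 * @return the assume-role provider when assume-role is enabled, otherwise the base chain
 * @throws IllegalArgumentException if the configured refresh interval, converted to seconds,
 *     does not fit in an {@code int}
 */
public AWSCredentialsProvider getCredentialsProvider() {
  AWSCredentialsProvider credentialsProviderChain = new DefaultAWSCredentialsProviderChain(this.config);
  if (config.hasPath(GobblinAWSConfigurationKeys.CLIENT_ASSUME_ROLE_KEY)
      && config.getBoolean(GobblinAWSConfigurationKeys.CLIENT_ASSUME_ROLE_KEY)) {
    String roleArn = config.getString(GobblinAWSConfigurationKeys.CLIENT_ROLE_ARN_KEY);
    String sessionId = config.getString(GobblinAWSConfigurationKeys.CLIENT_SESSION_ID_KEY);
    STSAssumeRoleSessionCredentialsProvider.Builder builder =
        new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionId)
            .withLongLivedCredentialsProvider(credentialsProviderChain);
    if (config.hasPath(GobblinAWSConfigurationKeys.CLIENT_EXTERNAL_ID_KEY)) {
      builder.withExternalId(config.getString(GobblinAWSConfigurationKeys.CLIENT_EXTERNAL_ID_KEY));
    }
    if (config.hasPath(GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL)) {
      long refreshMinutes = config.getLong(GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL);
      long durationSeconds = TimeUnit.MINUTES.toSeconds(refreshMinutes);
      // A plain (int) cast would silently wrap an oversized value into an unrelated session
      // lifetime; reject it instead. Values that fit in an int are passed through unchanged.
      if (durationSeconds < Integer.MIN_VALUE || durationSeconds > Integer.MAX_VALUE) {
        throw new IllegalArgumentException(
            GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL + " of " + refreshMinutes
                + " minutes does not fit in an int number of seconds");
      }
      builder.withRoleSessionDurationSeconds((int) durationSeconds);
    }
    credentialsProviderChain = builder.build();
  }
  return credentialsProviderChain;
}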
/**
 * Private AWSDeviceFarm constructor. When {@code roleArn} is non-null the client
 * authenticates with session credentials obtained by assuming that role; otherwise it uses
 * {@code creds} as given.
 *
 * @param creds AWSCredentials to use when no role ARN is supplied.
 * @param roleArn Role ARN to assume, or {@code null} to authenticate with {@code creds}.
 */
private AWSDeviceFarm(AWSCredentials creds, String roleArn) {
    final AWSCredentials effectiveCreds;
    if (roleArn == null) {
        effectiveCreds = creds;
    } else {
        // The passed-in creds are not handed to the assume-role builder; the session name
        // is a random 8-character alphanumeric string.
        final STSAssumeRoleSessionCredentialsProvider roleProvider =
            new STSAssumeRoleSessionCredentialsProvider
                .Builder(roleArn, RandomStringUtils.randomAlphanumeric(8))
                .build();
        // NOTE(review): the session credentials are read once and given to the client as a
        // fixed value; confirm the client does not outlive the session.
        effectiveCreds = roleProvider.getCredentials();
    }

    final ClientConfiguration userAgentConfig =
        new ClientConfiguration().withUserAgent("AWS Device Farm - Jenkins v1.0");
    api = new AWSDeviceFarmClient(effectiveCreds, userAgentConfig);
    api.setServiceNameIntern("devicefarm");
}
// Builds an assume-role credentials provider from a Builder plus a client configuration.
// Both the role ARN (which embeds an account id) and the session name are string literals.
// NOTE(review): consider reading the ARN from configuration and using a descriptive
// session name; "123" says nothing about who opened the session.
STSAssumeRoleSessionCredentialsProvider stscred = new STSAssumeRoleSessionCredentialsProvider(
    new STSAssumeRoleSessionCredentialsProvider.Builder("arn:aws:iam::093937234853:role/CapOne-CrossAccount-CustomRole-ReadOnly","123"),
    clientConf);
/**
 * Builds an assume-role credentials provider for {@code roleARN} on top of the given
 * long-lived credentials provider.
 *
 * <p>The session name and duration are the fixed {@code ASSUME_ROLE_SESSION} and
 * {@code DEFAULT_ASSUME_ROLE_DURATION_SECONDS}. The external id and the STS endpoint are
 * applied only when their settings are non-empty.
 *
 * @param roleARN ARN of the role to assume
 * @param credentialsProvider source of the long-lived credentials; must not be null
 * @return the configured assume-role credentials provider
 */
public STSAssumeRoleSessionCredentialsProvider getSTSAssumeRoleSessionCredentialsProvider(
        String roleARN, AWSCredentialsProvider credentialsProvider) {
    Preconditions.checkNotNull(credentialsProvider);

    final String endpointOverride = stsEndpoint();
    // No default: a missing external-id setting reads as null and is skipped below.
    final String externalId = readString(ASSUME_ROLE_EXTERNAL_ID, null);

    STSAssumeRoleSessionCredentialsProvider.Builder stsBuilder =
        new STSAssumeRoleSessionCredentialsProvider.Builder(roleARN, ASSUME_ROLE_SESSION)
            .withLongLivedCredentialsProvider(credentialsProvider)
            .withRoleSessionDurationSeconds(DEFAULT_ASSUME_ROLE_DURATION_SECONDS);

    if (!Strings.isNullOrEmpty(externalId)) {
        stsBuilder = stsBuilder.withExternalId(externalId);
    }
    if (!Strings.isNullOrEmpty(endpointOverride)) {
        stsBuilder = stsBuilder.withServiceEndpoint(endpointOverride);
    }

    return stsBuilder.build();
}
/**
 * Constructs a new STSAssumeRoleSessionCredentialsProvider, which makes a request to the AWS
 * Security Token Service (STS), assumes the role given by {@link #roleArn}, and requests
 * short-lived session credentials. Those session credentials are then returned by this
 * class's {@link #getCredentials()} method.
 *
 * <p>Delegates to the {@link Builder} with only the role ARN and session name; this overload
 * passes neither long-lived credentials nor a client configuration.
 *
 * @param roleArn The ARN of the Role to be assumed.
 * @param roleSessionName An identifier for the assumed role session.
 * @deprecated Use the {@link Builder} instead.
 */
@Deprecated
public STSAssumeRoleSessionCredentialsProvider(String roleArn, String roleSessionName) {
    this(new Builder(roleArn, roleSessionName));
}