@Test public void provideSecurityTokenService_whenAwsStsRoleArnIsSet() { context = new AnnotationConfigApplicationContext(); addEnvironment(context, "zipkin.collector.sqs.queue-url:" + sqsRule.queueUrl()); addEnvironment(context, "zipkin.collector.sqs.wait-time-seconds:1"); addEnvironment(context, "zipkin.collector.sqs.aws-access-key-id: x"); addEnvironment(context, "zipkin.collector.sqs.aws-secret-access-key: x"); addEnvironment(context, "zipkin.collector.sqs.aws-sts-role-arn: test"); context.register(PropertyPlaceholderAutoConfiguration.class, Region.class, ZipkinSQSCollectorAutoConfiguration.class, ZipkinSQSCredentialsAutoConfiguration.class, InMemoryConfiguration.class); context.refresh(); assertThat(context.getBean(SQSCollector.class)).isNotNull(); assertThat(context.getBean(AWSSecurityTokenService.class)).isNotNull(); assertThat(context.getBean(AWSCredentialsProvider.class)).isInstanceOf(STSAssumeRoleSessionCredentialsProvider.class); }
@Test public void kinesisCollectorConfiguredForAWSWithGivenCredentials() { addEnvironment(context, "zipkin.collector.kinesis.stream-name: zipkin-test"); addEnvironment(context, "zipkin.collector.kinesis.app-name: zipkin"); addEnvironment(context, "zipkin.collector.kinesis.aws-access-key-id: x"); addEnvironment(context, "zipkin.collector.kinesis.aws-secret-access-key: x"); addEnvironment(context, "zipkin.collector.kinesis.aws-sts-role-arn: test"); context.register(PropertyPlaceholderAutoConfiguration.class, ZipkinKinesisCollectorAutoConfiguration.class, ZipkinKinesisCredentialsAutoConfiguration.class, InMemoryConfiguration.class); context.refresh(); assertThat(context.getBean(KinesisCollector.class)).isNotNull(); assertThat(context.getBean(AWSSecurityTokenService.class)).isNotNull(); assertThat(context.getBean(AWSCredentialsProvider.class)).isInstanceOf(STSAssumeRoleSessionCredentialsProvider.class); }
public static AWSCredentialsProviderChain getAWSCredentialsProviderChain() { String cerberusRoleToAssume = System.getenv(CERBERUS_ASSUME_ROLE_ARN) != null ? System.getenv(CERBERUS_ASSUME_ROLE_ARN) : ""; String cerberusRoleToAssumeExternalId = System.getenv(CERBERUS_ASSUME_ROLE_EXTERNAL_ID) != null ? System.getenv(CERBERUS_ASSUME_ROLE_EXTERNAL_ID) : ""; STSAssumeRoleSessionCredentialsProvider sTSAssumeRoleSessionCredentialsProvider = new STSAssumeRoleSessionCredentialsProvider .Builder(cerberusRoleToAssume, UUID.randomUUID().toString()) .withExternalId(cerberusRoleToAssumeExternalId) .build(); AWSCredentialsProviderChain chain = new AWSCredentialsProviderChain( new EnvironmentVariableCredentialsProvider(), new SystemPropertiesCredentialsProvider(), new ProfileCredentialsProvider(), sTSAssumeRoleSessionCredentialsProvider, new InstanceProfileCredentialsProvider()); return chain; }
private AWSCredentialsProvider buildCredentialsProvider(final AWSCredentials credentials, final String region, final String assumeRole) { AWSCredentialsProvider credentialsProvider = new AWSStaticCredentialsProvider(credentials); if (isNullOrEmpty(assumeRole)) { return credentialsProvider; } else { // STS requires a region; fall back on the SDK default if not set String stsRegion; if (isNullOrEmpty(region)) { stsRegion = defaultRegion(); } else { stsRegion = region; } AWSSecurityTokenService securityTokenService = AWSSecurityTokenServiceClientBuilder.standard() .withRegion(stsRegion) .withCredentials(credentialsProvider).build(); return new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRole, "nexus-s3-session") .withStsClient(securityTokenService) .build(); } }
public AWSDeviceFarmClient initializeApiClient(final DeviceFarmExtension extension) { final String roleArn = extension.getAuthentication().getRoleArn(); AWSCredentials credentials = extension.getAuthentication(); if (roleArn != null) { final STSAssumeRoleSessionCredentialsProvider sts = new STSAssumeRoleSessionCredentialsProvider .Builder(roleArn, RandomStringUtils.randomAlphanumeric(8)) .build(); credentials = sts.getCredentials(); } final ClientConfiguration clientConfiguration = new ClientConfiguration() .withUserAgent(String.format(extension.getUserAgent(), pluginVersion)); AWSDeviceFarmClient apiClient = new AWSDeviceFarmClient(credentials, clientConfiguration); apiClient.setServiceNameIntern("devicefarm"); if (extension.getEndpointOverride() != null) { apiClient.setEndpoint(extension.getEndpointOverride()); } return apiClient; }
@PostConstruct public void init() { // TODO // this parameters have to be configurable cache = CacheBuilder.newBuilder() .maximumSize(500) .expireAfterAccess(50, TimeUnit.MINUTES) .removalListener((RemovalNotification<Key<?>, AmazonWebServiceClient> notification) -> { logger.debug("Shutting down expired client for key: {}", notification.getKey()); notification.getValue().shutdown(); }).build(new CacheLoader<Key<?>, AmazonWebServiceClient>() { @Override public AmazonWebServiceClient load(@Nonnull final Key<?> key) throws Exception { logger.debug("CacheLoader active for Key : {}", key); return key.region.createClient( key.type, new STSAssumeRoleSessionCredentialsProvider( buildRoleArn(key.accountId), ROLE_SESSION_NAME), new ClientConfiguration().withMaxErrorRetry(MAX_ERROR_RETRY)); } }); }
public AWSCredentialsProvider getCredentialsProvider() { AWSCredentialsProvider credentialsProviderChain = new DefaultAWSCredentialsProviderChain(this.config); if (config.hasPath(GobblinAWSConfigurationKeys.CLIENT_ASSUME_ROLE_KEY) && config.getBoolean(GobblinAWSConfigurationKeys.CLIENT_ASSUME_ROLE_KEY)) { String roleArn = config.getString(GobblinAWSConfigurationKeys.CLIENT_ROLE_ARN_KEY); String sessionId = config.getString(GobblinAWSConfigurationKeys.CLIENT_SESSION_ID_KEY); STSAssumeRoleSessionCredentialsProvider.Builder builder = new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionId) .withLongLivedCredentialsProvider(credentialsProviderChain); if (config.hasPath(GobblinAWSConfigurationKeys.CLIENT_EXTERNAL_ID_KEY)) { builder.withExternalId(config.getString(GobblinAWSConfigurationKeys.CLIENT_EXTERNAL_ID_KEY)); } if (config.hasPath(GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL)) { builder.withRoleSessionDurationSeconds( (int) TimeUnit.MINUTES.toSeconds(config.getLong(GobblinAWSConfigurationKeys.CREDENTIALS_REFRESH_INTERVAL))); } credentialsProviderChain = builder.build(); } return credentialsProviderChain; }
public AssumedRoleTestContext(AWSCredentialsProvider awsCredentials, Region testRegion, String roleSuffix) { iamHelper = new IAMHelper(awsCredentials, testRegion); roleName = ROLE_PREFIX + roleSuffix; roleArn = iamHelper.createOrGetRole(roleName); principal = new Principal(PrincipalType.ROLE, roleName); STSAssumeRoleSessionCredentialsProvider.Builder builder = new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, "mysession"); assumedAWSCredentials = builder.build(); secretGroupManager = new DefaultSecretsGroupManager(assumedAWSCredentials); }
private AWSCredentialsProvider assumeRole(AWSCredentialsProvider longLivedAWSCredentials, ClientConfiguration clientConfiguration, String assumeRoleArn) { AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(longLivedAWSCredentials) .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration)) .withRegion(RegionResolver.getRegion()) .build(); STSAssumeRoleSessionCredentialsProvider.Builder builder = new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRoleArn, "strongbox-cli"); builder.withStsClient(client); return builder.build(); }
/** By default, get credentials from the {@link DefaultAWSCredentialsProviderChain */ @Bean @ConditionalOnMissingBean AWSCredentialsProvider credentialsProvider(ZipkinSQSCollectorProperties properties) { if (securityTokenService != null) { return new STSAssumeRoleSessionCredentialsProvider.Builder(properties.awsStsRoleArn, "zipkin-server") .withStsClient(securityTokenService) .build(); } else { return getDefaultCredentialsProvider(properties); } }
/** By default, get credentials from the {@link DefaultAWSCredentialsProviderChain */ @Bean @ConditionalOnMissingBean AWSCredentialsProvider credentialsProvider(ZipkinKinesisCollectorProperties properties) { if (securityTokenService != null) { return new STSAssumeRoleSessionCredentialsProvider.Builder(properties.awsStsRoleArn, "zipkin-server") .withStsClient(securityTokenService) .build(); } else { return getDefaultCredentialsProvider(properties); } }
public void setRoleToAssumeArn(String roleToAssumeArn) { this.roleToAssumeArn = roleToAssumeArn; if(!Validator.isBlank(roleToAssumeArn)) { String sessionId = "session" + Math.random(); STSAssumeRoleSessionCredentialsProvider remoteAccountCredentials = new STSAssumeRoleSessionCredentialsProvider(credentials, roleToAssumeArn, sessionId); credentials = remoteAccountCredentials; } }
/** * Private AWSDeviceFarm constructor. Uses the roleArn to generate STS creds if the roleArn isn't null; otherwise * just uses the AWSCredentials creds. * * @param creds AWSCredentials creds to use for authentication. * @param roleArn Role ARN to use for authentication. */ private AWSDeviceFarm(AWSCredentials creds, String roleArn) { if (roleArn != null) { STSAssumeRoleSessionCredentialsProvider sts = new STSAssumeRoleSessionCredentialsProvider .Builder(roleArn, RandomStringUtils.randomAlphanumeric(8)) .build(); creds = sts.getCredentials(); } ClientConfiguration clientConfiguration = new ClientConfiguration().withUserAgent("AWS Device Farm - Jenkins v1.0"); api = new AWSDeviceFarmClient(creds, clientConfiguration); api.setServiceNameIntern("devicefarm"); }
public DefaultSimpleSecretsGroup(final SecretsGroupIdentifier groupIdentifier, final RoleARN role) { AWSCredentialsProvider assumedAWSCredentials = new STSAssumeRoleSessionCredentialsProvider.Builder(role.toArn(), SessionName.getSessionName("StrongboxSDK")).build(); DefaultSecretsGroupManager secretsGroupManager = new DefaultSecretsGroupManager(assumedAWSCredentials); secretsGroup = secretsGroupManager.get(groupIdentifier); }
public void createClient() { final AmazonEC2Client client = region.createClient( AmazonEC2Client.class, new STSAssumeRoleSessionCredentialsProvider("", ""), null); }
