Java Code Examples for com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient#assumeRole()
The following examples show how to use
com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient#assumeRole() .
Example 1
Source File: AWSClients.java From aws-codedeploy-plugin with Apache License 2.0 | 6 votes |
/**
 * Obtains temporary session credentials by assuming the given IAM role through STS.
 *
 * <p>The external ID is forwarded as the {@code ExternalId} of the AssumeRole request. A role
 * trust policy that conditions on {@code sts:ExternalId} uses it to stop a third party from
 * getting this service to assume the role on its behalf (the "confused deputy" problem).
 * The check itself is enforced by the role's trust policy, not by this method.
 *
 * @param iamRole    ARN of the role to assume; when {@code isEmpty(iamRole)} holds, no STS call
 *                   is made
 * @param externalId external ID to present to STS, passed through unchanged
 * @return session credentials (access key id, secret key, session token) for the assumed role,
 *         or {@code null} when no role was supplied
 */
private static AWSCredentials getCredentials(String iamRole, String externalId) {
    if (isEmpty(iamRole)) {
        // No role configured: the caller has to decide which credentials to use instead.
        return null;
    }

    // The no-argument client resolves its own caller credentials; the identity it finds is the
    // principal that the role's trust policy must allow.
    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient();

    // Request only as much lifetime as a deployment can need, capped at one hour (3600 s).
    int requestedSeconds = (int) (AWSCodeDeployPublisher.DEFAULT_TIMEOUT_SECONDS
            * AWSCodeDeployPublisher.DEFAULT_POLLING_FREQUENCY_SECONDS);
    int sessionSeconds = Math.min(requestedSeconds, 3600);

    AssumeRoleRequest request = new AssumeRoleRequest()
            .withRoleArn(iamRole)
            .withExternalId(externalId)
            .withDurationSeconds(sessionSeconds)
            .withRoleSessionName(AWSCodeDeployPublisher.ROLE_SESSION_NAME);

    Credentials temporary = stsClient.assumeRole(request).getCredentials();

    // The three values together are a bearer secret until they expire; keep them out of logs.
    return new BasicSessionCredentials(
            temporary.getAccessKeyId(),
            temporary.getSecretAccessKey(),
            temporary.getSessionToken());
}
Example 2
Source File: StsOperationsImpl.java From herd with Apache License 2.0 | 5 votes |
/**
 * Forwards an AssumeRole request to the supplied STS client.
 *
 * <p>This is a pure pass-through: the request is not inspected or modified, so any scoping
 * (duration, session policy, external ID) must already be set by the caller.
 *
 * @param awsSecurityTokenServiceClient the STS client that performs the call
 * @param assumeRoleRequest             the request to send
 * @return the STS response, which carries the temporary credentials of the assumed role
 */
@Override
public AssumeRoleResult assumeRole(AWSSecurityTokenServiceClient awsSecurityTokenServiceClient,
        AssumeRoleRequest assumeRoleRequest) {
    AssumeRoleResult assumeRoleResult = awsSecurityTokenServiceClient.assumeRole(assumeRoleRequest);
    return assumeRoleResult;
}
Example 3
Source File: AWSSessionCredentialsFactory.java From digdag with Apache License 2.0 | 5 votes |
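/**
 * Issues temporary AWS session credentials restricted to the configured acceptable URIs.
 *
 * <p>Every entry of {@code acceptableUris} is translated into IAM {@code Allow} statements for
 * S3, DynamoDB or EMR. The resulting policy is sent to STS as an inline session policy:
 * with {@code AssumeRole} when {@code roleArn} is set, otherwise with
 * {@code GetFederationToken}. STS grants the intersection of that policy and the permissions
 * of the role (or of the calling IAM user), so the policy can narrow access but never widen it.
 *
 * <p>S3 URIs must name a bucket. A bucket-only URI is scoped to {@code bucket/*}; without the
 * separator the pattern {@code bucket*} would also match other buckets sharing the name
 * prefix, and an empty bucket name would produce a pattern covering every bucket.
 *
 * @return session credentials (access key id, secret key, session token) issued by STS
 * @throws IllegalArgumentException if a URI has an unsupported prefix or an S3 URI has no
 *         bucket name
 */
public BasicSessionCredentials get() {
    // Long-lived key pair held by this factory; only the derived session credentials leave it.
    AWSCredentials baseCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);

    List<Statement> statements = new ArrayList<>();
    // NOTE(review): URI text is concatenated into resource ARNs unchanged, so any `*` or `?`
    // inside it acts as an IAM wildcard. Confirm acceptableUris comes from trusted configuration.
    acceptableUris.forEach(acceptableUri -> {
        Mode mode = acceptableUri.mode;
        String uri = acceptableUri.uri;
        if (uri.startsWith(URI_S3_PREFIX)) {
            String s3BucketAndKeyStr = uri.substring(URI_S3_PREFIX.length());
            String[] s3BucketAndKey = s3BucketAndKeyStr.split("/", 2);
            String bucket = s3BucketAndKey[0];
            if (bucket.isEmpty()) {
                // "arn:aws:s3:::" + "*" would match every bucket; refuse instead of over-granting.
                throw new IllegalArgumentException("Unexpected `uri`: missing S3 bucket name. uri=" + uri);
            }
            // With a key part this is a prefix match ("bucket/key*" also covers "bucket/key-old").
            // Without one, anchor the wildcard behind the bucket separator.
            String objectArn = s3BucketAndKey.length == 2
                    ? "arn:aws:s3:::" + s3BucketAndKeyStr + "*"
                    : "arn:aws:s3:::" + bucket + "/*";

            // Listing is granted on the whole bucket, not only on the key prefix.
            statements.add(new Statement(Statement.Effect.Allow)
                    .withActions(S3Actions.ListObjects)
                    .withResources(new Resource("arn:aws:s3:::" + bucket)));
            switch (mode) {
                case READ:
                    statements.add(new Statement(Statement.Effect.Allow)
                            .withActions(S3Actions.GetObject)
                            .withResources(new Resource(objectArn)));
                    break;
                case WRITE:
                    statements.add(new Statement(Statement.Effect.Allow)
                            .withActions(S3Actions.PutObject)
                            .withResources(new Resource(objectArn)));
                    break;
            }
        } else if (uri.startsWith(URI_DYNAMODB_PREFIX)) {
            String table = uri.substring(URI_DYNAMODB_PREFIX.length());
            // Region and account are wildcarded; only the table name scopes the grant.
            String tableArn = String.format("arn:aws:dynamodb:*:*:table/%s", table);
            statements.add(new Statement(Statement.Effect.Allow)
                    .withActions(DynamoDBv2Actions.DescribeTable)
                    .withResources(new Resource(tableArn)));
            switch (mode) {
                case READ:
                    statements.add(new Statement(Statement.Effect.Allow)
                            .withActions(DynamoDBv2Actions.Scan)
                            .withResources(new Resource(tableArn)));
                    break;
                case WRITE:
                    // WRITE currently adds nothing beyond DescribeTable.
                    break;
            }
        } else if (uri.startsWith(URI_EMR_PREFIX)) {
            String cluster = uri.substring(URI_EMR_PREFIX.length());
            // TODO: Grant minimum actions
            // Every EMR action is allowed on the cluster regardless of mode.
            statements.add(new Statement(Statement.Effect.Allow)
                    .withActions(ElasticMapReduceActions.AllElasticMapReduceActions)
                    .withResources(new Resource(String.format("arn:aws:elasticmapreduce:*:*:cluster/%s", cluster))));
        } else {
            // Unknown schemes fail closed rather than producing an unscoped statement.
            throw new IllegalArgumentException("Unexpected `uri`. uri=" + uri);
        }
    });

    Policy policy = new Policy();
    policy.setStatements(statements);
    String policyJson = policy.toJson();

    Credentials credentials;
    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(baseCredentials);
    if (roleArn != null && !roleArn.isEmpty()) {
        // use STS to assume role; the policy is applied as a session policy on top of the role
        AssumeRoleResult assumeResult = stsClient.assumeRole(new AssumeRoleRequest()
                .withRoleArn(roleArn)
                .withDurationSeconds(durationSeconds)
                .withRoleSessionName(sessionName)
                .withPolicy(policyJson));
        credentials = assumeResult.getCredentials();
    } else {
        // Maybe we'd better add an option command later like `without_federated_token`
        GetFederationTokenRequest federationTokenRequest = new GetFederationTokenRequest()
                .withDurationSeconds(durationSeconds)
                .withName(sessionName)
                .withPolicy(policyJson);
        GetFederationTokenResult federationTokenResult = stsClient.getFederationToken(federationTokenRequest);
        credentials = federationTokenResult.getCredentials();
    }

    // The returned triple is a bearer secret for its lifetime; keep it out of logs.
    return new BasicSessionCredentials(
            credentials.getAccessKeyId(),
            credentials.getSecretAccessKey(),
            credentials.getSessionToken());
}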