/* * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). * You may not use this file except in compliance with the License. * A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ using Amazon.IdentityManagement; using Amazon.IdentityManagement.Model; using Amazon.Runtime; namespace AWSSDK_DotNet.IntegrationTests.Utils { public static class IAMTestUtil { private const string AssumeRolePolicyDocument = @"{ ""Statement"": [ { ""Principal"":{""AWS"":""{AccountId}""}, ""Effect"":""Allow"", ""Action"":[""sts:AssumeRole""]{Condition} } ] }"; private const string AssumeRoleExternalIdCondition = @", ""Condition"": { ""StringEquals"": { ""sts:ExternalId"": ""{ExternalId}"" } }"; private const string AllowListBucketsRolePolicyDocument = @"{ ""Statement"" : [ { ""Effect"" : ""Allow"", ""Action"": [ ""s3:ListAllMyBuckets"" ], ""Resource"" : ""*"" } ] }"; private const string AssumeRoleUserPolicyDocument = @"{ ""Statement"":{ ""Effect"":""Allow"", ""Action"":""sts:AssumeRole"", ""Resource"":""*"" } }"; public static BasicAWSCredentials CreateTestRoleAndUser(string roleName, string userName, string externalId) { var assumeRolePolicy = AssumeRolePolicyDocument.Replace("{AccountId}", UtilityMethods.AccountId); if (string.IsNullOrEmpty(externalId)) { assumeRolePolicy = assumeRolePolicy.Replace("{Condition}",""); } else { assumeRolePolicy = assumeRolePolicy.Replace("{Condition}", AssumeRoleExternalIdCondition.Replace("{ExternalId}", externalId)); } using (var iamClient = new AmazonIdentityManagementServiceClient()) { var role = iamClient.CreateRole(new CreateRoleRequest { RoleName = roleName, AssumeRolePolicyDocument = assumeRolePolicy }).Role; iamClient.PutRolePolicy(new PutRolePolicyRequest { RoleName = role.RoleName, PolicyName = "allow-list-buckets", PolicyDocument = AllowListBucketsRolePolicyDocument }); var user = iamClient.CreateUser(new CreateUserRequest { UserName = userName }).User; iamClient.PutUserPolicy(new PutUserPolicyRequest { UserName = user.UserName, PolicyName = "assume-policy-1", PolicyDocument = AssumeRoleUserPolicyDocument }); var accessKey = iamClient.CreateAccessKey(new CreateAccessKeyRequest { UserName = userName }).AccessKey; return new BasicAWSCredentials(accessKey.AccessKeyId, accessKey.SecretAccessKey); } } public static void CleanupTestRoleAndUser(string roleName, string userName) { using (var iamClient = new AmazonIdentityManagementServiceClient()) { try { var rolePolicies = iamClient.ListRolePolicies(new ListRolePoliciesRequest { RoleName = roleName }).PolicyNames; foreach (var policy in rolePolicies) { iamClient.DeleteRolePolicy(new DeleteRolePolicyRequest { RoleName = roleName, PolicyName = policy }); } iamClient.DeleteRole(new DeleteRoleRequest { RoleName = roleName }); } catch(NoSuchEntityException) { //this is ok - only clean up if it exists } try { var userPolicies = iamClient.ListUserPolicies(new ListUserPoliciesRequest { UserName = userName }).PolicyNames; foreach (var policy in userPolicies) { iamClient.DeleteUserPolicy(new DeleteUserPolicyRequest { UserName = userName, PolicyName = policy }); } var accessKeys = iamClient.ListAccessKeys(new ListAccessKeysRequest { UserName = userName }); foreach (var accessKey in accessKeys.AccessKeyMetadata) { iamClient.DeleteAccessKey(new DeleteAccessKeyRequest { UserName = userName, AccessKeyId = accessKey.AccessKeyId }); } iamClient.DeleteUser(new DeleteUserRequest { UserName = userName }); } catch (NoSuchEntityException) { //this is ok - only clean up if it exists } } } } }