/*
 * Copyright 2011-2015 Amazon Technologies, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *    http://aws.amazon.com/apache2.0
 *
 * This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
 * OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and
 * limitations under the License.
 */

package com.amazonaws.auth;

import java.util.Date;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.internal.StaticCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;

/**
 * AWSCredentialsProvider implementation that uses the AWS Security Token
 * Service to assume a Role and create temporary, short-lived sessions to use
 * for authentication.
 */
public class STSAssumeRoleSessionCredentialsProvider implements AWSCredentialsProvider {

    /** Default duration for started sessions. */
    public static final int DEFAULT_DURATION_SECONDS = 900;

    /** Time before expiry within which credentials will be renewed. */
    private static final int EXPIRY_TIME_MILLIS = 60 * 1000;

    /** The client for starting STS sessions. */
    private final AWSSecurityTokenService securityTokenService;

    /** The current session credentials. */
    private AWSSessionCredentials sessionCredentials;

    /** The expiration time for the current session credentials. */
    private Date sessionCredentialsExpiration;

    /** The arn of the role to be assumed. */
    private String roleArn;

    /** An identifier for the assumed role session. */
    private String roleSessionName;

    /** An external Id parameter for the assumed role session. */
    private String roleExternalId;

    /**
     * Constructs a new STSAssumeRoleSessionCredentialsProvider, which makes a
     * request to the AWS Security Token Service (STS), uses the provided
     * roleArn to assume a role and then request short lived session
     * credentials, which will then be returned by this class's
     * getCredentials() method.
     *
     * @param roleArn         The ARN of the Role to be assumed.
     * @param roleSessionName An identifier for the assumed role session.
     */
    public STSAssumeRoleSessionCredentialsProvider(String roleArn, String roleSessionName) {
        this(new Builder(roleArn, roleSessionName));
    }

    /**
     * Constructs a new STSAssumeRoleSessionCredentialsProvider, which will use
     * the specified long lived AWS credentials to make a request to the AWS
     * Security Token Service (STS), uses the provided roleArn to assume a role
     * and then request short lived session credentials, which will then be
     * returned by this class's getCredentials() method.
     *
     * @param longLivedCredentials The main AWS credentials for a user's account.
     * @param roleArn              The ARN of the Role to be assumed.
     * @param roleSessionName      An identifier for the assumed role session.
     */
    public STSAssumeRoleSessionCredentialsProvider(AWSCredentials longLivedCredentials, String roleArn,
            String roleSessionName) {
        this(longLivedCredentials, roleArn, roleSessionName, new ClientConfiguration());
    }

    /**
     * Constructs a new STSAssumeRoleSessionCredentialsProvider, which will use
     * the specified long lived AWS credentials to make a request to the AWS
     * Security Token Service (STS), uses the provided roleArn to assume a role
     * and then request short lived session credentials, which will then be
     * returned by this class's getCredentials() method.
     *
     * @param longLivedCredentials The main AWS credentials for a user's account.
     * @param roleArn              The ARN of the Role to be assumed.
     * @param roleSessionName      An identifier for the assumed role session.
     * @param clientConfiguration  Client configuration connection parameters.
     */
    public STSAssumeRoleSessionCredentialsProvider(AWSCredentials longLivedCredentials, String roleArn,
            String roleSessionName, ClientConfiguration clientConfiguration) {
        this(new Builder(roleArn, roleSessionName)
                    .withLongLivedCredentials(longLivedCredentials)
                    .withClientConfiguration(clientConfiguration));
    }

    /**
     * Constructs a new STSAssumeRoleSessionCredentialsProvider, which will use
     * the specified credentials provider (which vends long lived AWS
     * credentials) to make a request to the AWS Security Token Service (STS),
     * uses the provided roleArn to assume a role and then request short lived
     * session credentials, which will then be returned by this class's
     * getCredentials() method.
     *
     * @param longLivedCredentialsProvider Credentials provider for the main AWS
     *                                     credentials for a user's account.
     * @param roleArn                      The ARN of the Role to be assumed.
     * @param roleSessionName              An identifier for the assumed role session.
     */
    public STSAssumeRoleSessionCredentialsProvider(AWSCredentialsProvider longLivedCredentialsProvider, String roleArn,
            String roleSessionName) {
        this(new Builder(roleArn, roleSessionName).withLongLivedCredentialsProvider(longLivedCredentialsProvider));
    }

    /**
     * Constructs a new STSAssumeRoleSessionCredentialsProvider, which will use
     * the specified credentials provider (which vends long lived AWS
     * credentials) to make a request to the AWS Security Token Service (STS),
     * uses the provided roleArn to assume a role and then request short lived
     * session credentials, which will then be returned by this class's
     * getCredentials() method.
     *
     * @param longLivedCredentialsProvider Credentials provider for the main AWS
     *                                     credentials for a user's account.
     * @param roleArn                      The ARN of the Role to be assumed.
     * @param roleSessionName              An identifier for the assumed role session.
     * @param clientConfiguration          Client configuration connection parameters.
     */
    public STSAssumeRoleSessionCredentialsProvider(AWSCredentialsProvider longLivedCredentialsProvider, String roleArn,
            String roleSessionName, ClientConfiguration clientConfiguration) {
        this(new Builder(roleArn, roleSessionName)
                        .withLongLivedCredentialsProvider(longLivedCredentialsProvider)
                        .withClientConfiguration(clientConfiguration));
    }

    /**
     * The following private constructor reads state from the builder and sets
     * the appropriate parameters accordingly. When public constructors are
     * called, this constructor is deferred to with a null value for
     * roleExternalId and endpoint. The inner Builder class can be used to
     * construct an object that actually has a value for roleExternalId and
     * endpoint.
     *
     * @throws java.lang.IllegalArgumentException if both an AWSCredentials and
     *         AWSCredentialsProvider have been set on the builder
     */
    private STSAssumeRoleSessionCredentialsProvider(Builder builder) {

        // Passing two types of credential interfaces is not permitted
        if (builder.longLivedCredentials != null && builder.longLivedCredentialsProvider != null) {
            throw new IllegalArgumentException("It is illegal to set both an AWSCredentials and an AWSCredentialsProvider for an "
                    + STSAssumeRoleSessionCredentialsProvider.class.getName());
        }

        // required parameters are null checked in the builder constructor
        this.roleArn = builder.roleArn;
        this.roleSessionName = builder.roleSessionName;

        // roleExternalId may be null
        this.roleExternalId = builder.roleExternalId;

        // Wrap static credentials in a provider so that both configuration
        // styles reach the STS client the same way
        AWSCredentialsProvider longLivedCredentialsProvider = null;
        if (builder.longLivedCredentials != null) {
            longLivedCredentialsProvider = new StaticCredentialsProvider(builder.longLivedCredentials);
        } else if (builder.longLivedCredentialsProvider != null) {
            longLivedCredentialsProvider = builder.longLivedCredentialsProvider;
        }

        // With no long lived credentials supplied, the STS client falls back
        // to the SDK's default credential lookup
        if (longLivedCredentialsProvider == null) {
            if (builder.clientConfiguration == null) {
                securityTokenService = new AWSSecurityTokenServiceClient();
            } else {
                securityTokenService = new AWSSecurityTokenServiceClient(builder.clientConfiguration);
            }
        } else {
            if (builder.clientConfiguration == null) {
                securityTokenService = new AWSSecurityTokenServiceClient(longLivedCredentialsProvider);
            } else {
                securityTokenService = new AWSSecurityTokenServiceClient(longLivedCredentialsProvider, builder.clientConfiguration);
            }
        }

        if (builder.serviceEndpoint != null) {
            securityTokenService.setEndpoint(builder.serviceEndpoint);
        }

    }

    /**
     * Sets the AWS Security Token Service (STS) endpoint where session
     * credentials are retrieved from.
     * <p>
     * The default AWS Security Token Service (STS) endpoint
     * ("sts.amazonaws.com") works for all accounts that are not for China
     * (Beijing) region or GovCloud. You only need to change the endpoint to
     * "sts.cn-north-1.amazonaws.com.cn" when you are requesting session
     * credentials for services in China (Beijing) region or
     * "sts.us-gov-west-1.amazonaws.com" for GovCloud.
     * <p>
     * Setting this invalidates existing session credentials.
     */
    public void setSTSClientEndpoint(String endpoint) {
        securityTokenService.setEndpoint(endpoint);
        sessionCredentials = null;
    }

    @Override
    public AWSCredentials getCredentials() {
        if (needsNewSession()) {
            startSession();
        }
        return sessionCredentials;
    }

    @Override
    public void refresh() {
        startSession();
    }

    /**
     * Starts a new session by sending a request to the AWS Security Token
     * Service (STS) to assume a Role using the long lived AWS credentials.
     * This class then vends the short lived session credentials for the
     * assumed Role sent back from STS.
     */
    private void startSession() {
        AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
            .withRoleArn(roleArn)
            .withDurationSeconds(DEFAULT_DURATION_SECONDS)
            .withRoleSessionName(roleSessionName);
        if (roleExternalId != null) {
            assumeRoleRequest = assumeRoleRequest.withExternalId(roleExternalId);
        }
        AssumeRoleResult assumeRoleResult = securityTokenService.assumeRole(assumeRoleRequest);
        Credentials stsCredentials = assumeRoleResult.getCredentials();
        sessionCredentials = new BasicSessionCredentials(stsCredentials.getAccessKeyId(),
                stsCredentials.getSecretAccessKey(), stsCredentials.getSessionToken());
        sessionCredentialsExpiration = stsCredentials.getExpiration();
    }

    /**
     * Returns true if a new STS session needs to be started. A new STS
     * session is needed when no session has been started yet, or if the last
     * session is within EXPIRY_TIME_MILLIS milliseconds of expiring.
     *
     * @return True if a new STS session needs to be started.
     */
    private boolean needsNewSession() {
        if (sessionCredentials == null) {
            return true;
        }
        long timeRemaining = sessionCredentialsExpiration.getTime() - System.currentTimeMillis();
        return timeRemaining < EXPIRY_TIME_MILLIS;
    }

    /**
     * Provides a builder pattern to avoid combinatorial explosion of the
     * number of parameters that are passed to constructors. The builder
     * introspects which parameters have been set and calls the appropriate
     * constructor.
     */
    public static final class Builder {

        private AWSCredentials longLivedCredentials;
        private AWSCredentialsProvider longLivedCredentialsProvider;
        private ClientConfiguration clientConfiguration;
        private final String roleArn;
        private final String roleSessionName;
        private String roleExternalId;
        private String serviceEndpoint;

        /**
         * @param roleArn         Required roleArn parameter used when starting a session
         * @param roleSessionName Required roleSessionName parameter used when starting a session
         */
        public Builder(String roleArn, String roleSessionName) {
            if (roleArn == null || roleSessionName == null) {
                throw new NullPointerException("You must specify a value for roleArn and roleSessionName");
            }
            this.roleArn = roleArn;
            this.roleSessionName = roleSessionName;
        }

        /**
         * Set credentials to use when retrieving session credentials. This is
         * not the recommended approach. Instead, consider using the
         * CredentialsProvider field.
         *
         * @param longLivedCredentials Credentials used to generate sessions in the assumed role
         * @return the builder itself for chained calls
         */
        public Builder withLongLivedCredentials(AWSCredentials longLivedCredentials) {
            this.longLivedCredentials = longLivedCredentials;
            return this;
        }

        /**
         * Set credentials provider to use when retrieving session credentials.
         *
         * @param longLivedCredentialsProvider A credentials provider used to generate sessions in the assumed role
         * @return the builder itself for chained calls
         */
        public Builder withLongLivedCredentialsProvider(AWSCredentialsProvider longLivedCredentialsProvider) {
            this.longLivedCredentialsProvider = longLivedCredentialsProvider;
            return this;
        }

        /**
         * Set the client configuration used to create the AWSSecurityTokenService.
         *
         * @param clientConfiguration ClientConfiguration for the AWSSecurityTokenService client
         * @return the builder itself for chained calls
         */
        public Builder withClientConfiguration(ClientConfiguration clientConfiguration) {
            this.clientConfiguration = clientConfiguration;
            return this;
        }

        /**
         * Set the roleExternalId parameter that is used when retrieving
         * session credentials under an assumed role.
         *
         * @param roleExternalId An external id used in the service call used to retrieve session credentials
         * @return the builder itself for chained calls
         */
        public Builder withExternalId(String roleExternalId) {
            this.roleExternalId = roleExternalId;
            return this;
        }

        /**
         * Sets the AWS Security Token Service (STS) endpoint where session
         * credentials are retrieved from.
         * <p>
         * The default AWS Security Token Service (STS) endpoint
         * ("sts.amazonaws.com") works for all accounts that are not for China
         * (Beijing) region or GovCloud. You only need to change the endpoint
         * to "sts.cn-north-1.amazonaws.com.cn" when you are requesting session
         * credentials for services in China (Beijing) region or
         * "sts.us-gov-west-1.amazonaws.com" for GovCloud.
         */
        public Builder withServiceEndpoint(String serviceEndpoint) {
            this.serviceEndpoint = serviceEndpoint;
            return this;
        }

        /**
         * Build the configured provider.
         *
         * @return the configured STSAssumeRoleSessionCredentialsProvider
         */
        public STSAssumeRoleSessionCredentialsProvider build() {
            return new STSAssumeRoleSessionCredentialsProvider(this);
        }
    }
}
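The Builder above, the ExternalId hook and the credentials-provider path the Javadoc recommends over static keys are easiest to see in a caller. The following is an added usage example written for this page, not code from the AWS SDK; the role ARN and external ID are placeholders, the session name scheme is an arbitrary choice, and DefaultAWSCredentialsProviderChain is a real SDK class that does not appear in the listing above.

```java
import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;

/**
 * Added example (not part of the SDK): configure the provider through its
 * Builder so that the long-lived credentials never appear in source and the
 * AssumeRole call carries an ExternalId.
 */
public class AssumeRoleExample {

    // Placeholder values; substitute the real role ARN and the external ID
    // agreed with the account that owns the role.
    private static final String ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleCrossAccountRole";
    private static final String EXTERNAL_ID = "example-external-id";

    public static AWSCredentialsProvider buildProvider() {
        // Long-lived credentials are resolved by the SDK's default chain
        // (environment, profile, instance metadata) rather than passed as an
        // AWSCredentials literal, which the Builder Javadoc advises against.
        AWSCredentialsProvider longLived = new DefaultAWSCredentialsProviderChain();

        // Tight timeouts keep a stalled STS call from blocking every caller
        // that happens to trigger a session renewal.
        ClientConfiguration config = new ClientConfiguration()
                .withConnectionTimeout(5000)
                .withSocketTimeout(10000);

        // The session name is recorded by STS, so choose one that identifies
        // the workload; here a constructed prefix plus a timestamp.
        String sessionName = "audit-job-" + System.currentTimeMillis();

        return new STSAssumeRoleSessionCredentialsProvider.Builder(ROLE_ARN, sessionName)
                .withLongLivedCredentialsProvider(longLived)
                .withExternalId(EXTERNAL_ID)
                .withClientConfiguration(config)
                .build();
    }

    public static void main(String[] args) {
        AWSCredentialsProvider provider = buildProvider();

        // The first call performs AssumeRole; later calls reuse the same
        // session until it is within EXPIRY_TIME_MILLIS of expiring, at which
        // point getCredentials() renews it transparently.
        AWSCredentials creds = provider.getCredentials();
        if (creds instanceof AWSSessionCredentials) {
            AWSSessionCredentials session = (AWSSessionCredentials) creds;
            // Print only the key id; the secret key and session token must
            // never reach logs.
            System.out.println("Temporary access key id: " + session.getAWSAccessKeyId());
        }
    }
}
```

For a GovCloud or China (Beijing) deployment, add `.withServiceEndpoint(...)` with the regional STS endpoint quoted in the Javadoc before calling `build()`; setting the endpoint later through `setSTSClientEndpoint` discards any session already held, as the method's Javadoc states.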