« AWS SDK for .NET » : différence entre les versions
(→Config) |
Ligne 52 : | Ligne 52 : | ||
key = value | key = value | ||
</filebox> | </filebox> | ||
= [https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/sso-tutorial-app-only.html#sso-tutorial-app-only-code Example .NET applications] = | |||
<kode lang='cs' collapsed> | |||
var ssoCreds = this.LoadSsoCredentials("Events"); | |||
var token = new AmazonSecurityTokenServiceClient(ssoCreds); | |||
var caller = await token.GetCallerIdentityAsync(new GetCallerIdentityRequest()); | |||
this.userId = caller?.UserId.Substring(caller.UserId.IndexOf(":") + 1) ?? string.Empty; | |||
var userNames = await this.GetIamUserNamesAsync(ssoCreds); | |||
var bucketNames = await this.GetS3BucketNames(ssoCreds); | |||
private AWSCredentials LoadSsoCredentials(string profile) | |||
{ | |||
var chain = new CredentialProfileStoreChain(); | |||
if (!chain.TryGetAWSCredentials(profile, out var credentials)) | |||
{ | |||
errors.Add($"Failed to find the {profile} profile"); | |||
} | |||
// set ClientName and launch a browser window that prompts the SSO user to complete an SSO login | |||
// if the session doesn't already have a valid SSO token. | |||
if (credentials is SSOAWSCredentials ssoCredentials) | |||
{ | |||
ssoCredentials.Options.ClientName = "Example-SSO-App"; | |||
ssoCredentials.Options.SsoVerificationCallback = args => | |||
{ | |||
Process.Start(new ProcessStartInfo | |||
{ | |||
FileName = args.VerificationUriComplete, | |||
UseShellExecute = true | |||
}); | |||
}; | |||
} | |||
return credentials; | |||
} | |||
private async Task<IReadOnlyCollection<string>> GetIamUserNamesAsync(AWSCredentials ssoCreds) | |||
{ | |||
var iamClient = new AmazonIdentityManagementServiceClient(ssoCreds); | |||
var listResponse = await iamClient.ListUsersAsync(); | |||
return listResponse.Users.Select(x => x.UserName).ToList(); | |||
} | |||
private async Task<IReadOnlyCollection<string>> GetS3BucketNames(AWSCredentials ssoCreds) | |||
{ | |||
var s3Client = new AmazonS3Client(ssoCreds); | |||
var listResponse = await s3Client.ListBucketsAsync(); | |||
return listResponse.Buckets.Select(x => x.BucketName).ToList(); | |||
} | |||
</kode> | |||
Install the following nuget packages: {{boxx|AWSSDK.Core}} {{boxx|AWSSDK.SecurityToken}} {{boxx|AWSSDK.SSO}} {{boxx|AWSSDK.SSOOIDC}}<br> | |||
For IAM users: {{boxx|AWSSDK.IdentityManagement}}<br> | |||
For S3 buckets: {{boxx|AWSSDK.S3}} | |||
= [https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/csharp_secrets-manager_code_examples.html Secrets Manager] = | = [https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/csharp_secrets-manager_code_examples.html Secrets Manager] = |
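Review bot: The SSO verification callback (the `FileName = args.VerificationUriComplete` / `UseShellExecute = true` lines in LoadSsoCredentials) hands whatever string the SDK supplies to the shell without checking that it is an https URL; with UseShellExecute the registered handler for the FileName runs, so a non-URL value would be executed rather than browsed. Guard it first: `if (!Uri.TryCreate(args.VerificationUriComplete, UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps) throw new InvalidOperationException("Unexpected SSO verification URI");`. Separately, when TryGetAWSCredentials fails the method only records the error and then returns the null credentials object, which the first six statements feed straight into new service clients; failing closed with a throw right after `errors.Add(...)` avoids running with whatever the SDK resolves in place of the intended profile. GetIamUserNamesAsync also reads a single ListUsers page, so a truncated response is silently shortened. The enclosing class and the method holding the first six statements lie outside this section.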
Version du 27 février 2024 à 09:54
Config
This file contains the profiles.
∼/.aws/config |
[default]
region = eu-central-1

# SSO profile: a session is obtained with `aws sso login --profile Profile1` (see below),
# so nothing secret is expected in this file for it.
[profile Profile1]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-1
sso_account_id = 111122223333
sso_role_name = SampleRole
region = eu-central-1
output = yaml-stream
# Points at the per-service endpoint overrides declared in the [services ...] section below.
services = local-dynamodb

[services local-dynamodb]
# Plain http is acceptable only because this targets a local DynamoDB emulator.
dynamodb =
  endpoint_url = http://localhost:8000
aws sso login --profile Profile1 |
Set the AWS_PROFILE environment variable when starting the project so the SDK's default credential resolution picks up that profile; the launchSettings.json below does this for the Visual Studio launch profile.
Properties\launchSettings.json |
{ "profiles": { "MyProfile1": { "commandName": "Project", "launchBrowser": true, "launchUrl": "swagger", "environmentVariables": { "ASPNETCORE_ENVIRONMENT": "Development", "AWS_PROFILE": "Profile1" }, "applicationUrl": "https://localhost:5001;http://localhost:5000" } } |
Credentials
This file contains static credentials (access key id, secret access key and optional session token) linked to profiles. It holds long-lived secrets: keep it readable only by your user and never commit it.
∼/.aws/credentials |
# Static credentials. Treat this file as a secret: restrict it to your own user and keep it out of source control.
[default]
aws_access_key_id = ...
aws_secret_access_key = ...
aws_session_token = ...

# NOTE(review): Profile1 is configured as an SSO profile in ~/.aws/config; it presumably needs no static entry here — confirm.
[Profile1]
key = value
Example .NET applications
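// Resolve credentials from the SSO profile, confirm the calling identity, then list IAM users and S3 buckets.
var ssoCreds = this.LoadSsoCredentials("Events");
using var token = new AmazonSecurityTokenServiceClient(ssoCreds);
var caller = await token.GetCallerIdentityAsync(new GetCallerIdentityRequest());
// Keep the part of UserId after the first ':' (presumably the session name of an SSO role session — confirm).
// IndexOf returns -1 when there is no colon, so the whole value is kept in that case.
this.userId = caller?.UserId.Substring(caller.UserId.IndexOf(':') + 1) ?? string.Empty;
var userNames = await this.GetIamUserNamesAsync(ssoCreds);
var bucketNames = await this.GetS3BucketNames(ssoCreds);

/// <summary>
/// Loads the credentials for <paramref name="profile"/> from the shared config/credentials files and,
/// for an SSO profile, wires up the browser-based verification step.
/// </summary>
/// <param name="profile">Profile name as it appears in ~/.aws/config.</param>
/// <returns>
/// The resolved credentials; for an SSO profile this is the <see cref="SSOAWSCredentials"/> instance
/// with its client name and verification callback configured.
/// </returns>
/// <exception cref="InvalidOperationException">The profile does not exist (the error is also added to <c>errors</c>).</exception>
private AWSCredentials LoadSsoCredentials(string profile)
{
    var chain = new CredentialProfileStoreChain();
    if (!chain.TryGetAWSCredentials(profile, out var credentials))
    {
        errors.Add($"Failed to find the {profile} profile");
        // Fail closed: returning null here would let the callers build service clients without the
        // intended credentials (what the SDK then does with a null is not visible from here).
        throw new InvalidOperationException($"Failed to find the {profile} profile");
    }

    if (credentials is SSOAWSCredentials ssoCredentials)
    {
        ssoCredentials.Options.ClientName = "Example-SSO-App";
        // Opens a browser so the user can complete the SSO login whenever the cached SSO token is
        // missing or no longer valid.
        ssoCredentials.Options.SsoVerificationCallback = args =>
        {
            // With UseShellExecute the FileName is opened by whatever handler is registered for it,
            // so only ever pass an https URL to it — anything else would be executed, not browsed.
            if (!Uri.TryCreate(args.VerificationUriComplete, UriKind.Absolute, out var verificationUri)
                || verificationUri.Scheme != Uri.UriSchemeHttps)
            {
                throw new InvalidOperationException("Refusing to open a non-https SSO verification URI.");
            }

            // NOTE(review): the complete verification URI presumably embeds the device user code; consider
            // also showing that code to the user so they can check it matches what the browser displays.
            Process.Start(new ProcessStartInfo
            {
                FileName = args.VerificationUriComplete,
                UseShellExecute = true
            });
        };
    }

    return credentials;
}

/// <summary>Lists the names of every IAM user visible to <paramref name="ssoCreds"/>.</summary>
/// <param name="ssoCreds">Credentials resolved by <see cref="LoadSsoCredentials"/>.</param>
/// <returns>All user names, following the ListUsers pagination markers until the service reports no more pages.</returns>
private async Task<IReadOnlyCollection<string>> GetIamUserNamesAsync(AWSCredentials ssoCreds)
{
    using var iamClient = new AmazonIdentityManagementServiceClient(ssoCreds);
    var userNames = new List<string>();
    var request = new Amazon.IdentityManagementService.Model.ListUsersRequest();
    // A single ListUsers call only returns the first page; keep requesting with the returned Marker
    // while the response says it is truncated.
    while (true)
    {
        var page = await iamClient.ListUsersAsync(request);
        userNames.AddRange(page.Users.Select(user => user.UserName));
        if (!page.IsTruncated)
        {
            break;
        }
        request.Marker = page.Marker;
    }

    return userNames;
}

/// <summary>Lists the names of the S3 buckets visible to <paramref name="ssoCreds"/>.</summary>
/// <param name="ssoCreds">Credentials resolved by <see cref="LoadSsoCredentials"/>.</param>
/// <returns>Bucket names in the order the service returned them.</returns>
private async Task<IReadOnlyCollection<string>> GetS3BucketNames(AWSCredentials ssoCreds)
{
    using var s3Client = new AmazonS3Client(ssoCreds);
    // NOTE(review): a single call is kept here; check whether the SDK version in use pages ListBuckets
    // (continuation token) and loop over the pages if it does.
    var listResponse = await s3Client.ListBucketsAsync();
    return listResponse.Buckets.Select(bucket => bucket.BucketName).ToList();
}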
Install the following nuget packages: AWSSDK.Core AWSSDK.SecurityToken AWSSDK.SSO AWSSDK.SSOOIDC
For IAM users: AWSSDK.IdentityManagement
For S3 buckets: AWSSDK.S3
Secrets Manager
Cognito
Program.cs |
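builder.Services.AddCognitoIdentity();
builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    // Authority is the Cognito user-pool issuer; the signing keys are discovered from it.
    options.Authority = builder.Configuration["AWSCognito:Authority"];
    // Audience becomes TokenValidationParameters.ValidAudience for the validator below.
    options.Audience = builder.Configuration["AWSCognito:UserPoolClientId"];
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        ValidateAudience = true,
        // These are the library defaults; spelled out so the security-relevant checks are visible here.
        ValidateIssuer = true,
        ValidateLifetime = true
    };
    options.TokenValidationParameters.AudienceValidator = (audiences, securityToken, validationParameters) =>
    {
        // Cognito does not always put the app client id in "aud" but in "client_id" (per the original note),
        // so fall back to "client_id" when "aud" is absent.
        // NOTE(review): confirm which token type the API should accept (ID vs access token); an access token
        // can additionally be recognised through its "token_use" claim.
        if (securityToken is not Microsoft.IdentityModel.JsonWebTokens.JsonWebToken jsonWebToken)
        {
            return false;
        }

        var audienceClaim = jsonWebToken.Claims.FirstOrDefault(claim => claim.Type == "aud")
            ?? jsonWebToken.Claims.FirstOrDefault(claim => claim.Type == "client_id");
        if (audienceClaim is null || string.IsNullOrEmpty(validationParameters.ValidAudience))
        {
            return false;
        }

        // Exact match only: ValidAudience is a string, so the previous string.Contains check was a substring
        // test that would accept any token whose audience is a substring of the expected client id.
        return string.Equals(audienceClaim.Value, validationParameters.ValidAudience, StringComparison.Ordinal);
    };
});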