« AWS SDK for .NET » : différence entre les versions

De Banane Atomic
Aller à la navigationAller à la recherche
Ligne 111 : Ligne 111 :
For S3 buckets: {{boxx|AWSSDK.S3}}
For S3 buckets: {{boxx|AWSSDK.S3}}


= [https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/csharp_secrets-manager_code_examples.html Secrets Manager] =
= [https://aws.amazon.com/blogs/modernizing-with-aws/how-to-load-net-configuration-from-aws-secrets-manager/ Load .NET configuration from Secrets Manager] =
<filebox fn='AmazonSecretsManagerConfigurationProvider.cs' collapsed>
public class AmazonSecretsManagerConfigurationProvider : ConfigurationProvider
{
    private readonly string secretName;
 
    public AmazonSecretsManagerConfigurationProvider(string secretName)
    {
        this.secretName = secretName;
    }
 
    public override void Load()
    {
        var secret = GetSecret();
        Data = JsonSerializer.Deserialize<Dictionary<string, string>>(secret)!;
    }
 
    private string GetSecret()
    {
        var request = new GetSecretValueRequest
        {
            SecretId = this.secretName
        };
 
        using (var client = new AmazonSecretsManagerClient())
        {
            var response = client.GetSecretValueAsync(request).Result;
            return response.SecretString;
        }
    }
}
</filebox>
 
* [https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-net.html Secrets Manager Cache]
* [https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-net.html Secrets Manager Cache]
* [https://aws.amazon.com/blogs/modernizing-with-aws/how-to-load-net-configuration-from-aws-secrets-manager/ Load .NET configuration from Secrets Manager]
* [https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/csharp_secrets-manager_code_examples.html Secrets Manager]
 
<filebox fn='Program.cs'>
<filebox fn='Program.cs'>
builder.Configuration.Sources.Add(new AmazonSecretsManagerConfigurationSource("Secret name"));
builder.Configuration.Sources.Add(new AmazonSecretsManagerConfigurationSource("Secret name"));

Version du 7 mars 2024 à 09:54

Config

This file contains the profiles.

∼/.aws/config 
[default]
region = eu-central-1

[profile Profile1]
sso_start_url  = https://my-sso-portal.awsapps.com/start
sso_region     = us-west-1
sso_account_id = 111122223333
sso_role_name  = SampleRole
region         = eu-central-1
output         = yaml-stream
services       = local-dynamodb

[services local-dynamodb]
dynamodb = 
  endpoint_url = http://localhost:8000
Ps.svg 
aws sso login --profile Profile1

Define the AWS_PROFILE in an env var while starting the project.

Properties\launchSettings.json 
{
  "profiles": {
    "MyProfile1": {
      "commandName": "Project",
      "launchBrowser": true,
      "launchUrl": "swagger",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development",
        "AWS_PROFILE": "Profile1"
      },
      "applicationUrl": "https://localhost:5001;http://localhost:5000"
    }
}

Credentials

This file contains credentials linked to profiles.

∼/.aws/credentials 
[default]
aws_access_key_id     = ...
aws_secret_access_key = ...
aws_session_token     = ...

[Profile1]
key = value

Example .NET applications

Cs.svg 
var ssoCreds = this.LoadSsoCredentials("Profile1");
var token = new AmazonSecurityTokenServiceClient(ssoCreds);

var caller = await token.GetCallerIdentityAsync(new GetCallerIdentityRequest());
this.userId = caller?.UserId.Substring(caller.UserId.IndexOf(":") + 1) ?? string.Empty;

var userNames = await this.GetIamUserNamesAsync(ssoCreds);
var bucketNames = await this.GetS3BucketNames(ssoCreds);

private AWSCredentials LoadSsoCredentials(string profile)
{
    var chain = new CredentialProfileStoreChain();
    if (!chain.TryGetAWSCredentials(profile, out var credentials))
    {
        errors.Add($"Failed to find the {profile} profile");
    }

    // set ClientName and launch a browser window that prompts the SSO user to complete an SSO login
    // if the session doesn't already have a valid SSO token.
    if (credentials is SSOAWSCredentials ssoCredentials)
    {
        ssoCredentials.Options.ClientName = "Example-SSO-App";
        ssoCredentials.Options.SsoVerificationCallback = args =>
        {
            Process.Start(new ProcessStartInfo
            {
                FileName = args.VerificationUriComplete,
                UseShellExecute = true
            });
        };
    }

    return credentials;
}

private async Task<IReadOnlyCollection<string>> GetIamUserNamesAsync(AWSCredentials ssoCreds)
{
    var iamClient = new AmazonIdentityManagementServiceClient(ssoCreds);
    var listResponse = await iamClient.ListUsersAsync();
    return listResponse.Users.Select(x => x.UserName).ToList();
}

private async Task<IReadOnlyCollection<string>> GetS3BucketNames(AWSCredentials ssoCreds)
{
    var s3Client = new AmazonS3Client(ssoCreds);
    // Amazon.Runtime.AmazonClientException: 'No RegionEndpoint or ServiceURL configured
    // define a default profile in config with a region
    var listResponse = await s3Client.ListBucketsAsync();
    return listResponse.Buckets.Select(x => x.BucketName).ToList();
}

Install the following nuget packages: AWSSDK.Core AWSSDK.SecurityToken AWSSDK.SSO AWSSDK.SSOOIDC
For IAM users: AWSSDK.IdentityManagement
For S3 buckets: AWSSDK.S3

Load .NET configuration from Secrets Manager

AmazonSecretsManagerConfigurationProvider.cs 
public class AmazonSecretsManagerConfigurationProvider : ConfigurationProvider
{
    private readonly string secretName;

    public AmazonSecretsManagerConfigurationProvider(string secretName)
    {
        this.secretName = secretName;
    }

    public override void Load()
    {
        var secret = GetSecret();
        Data = JsonSerializer.Deserialize<Dictionary<string, string>>(secret)!;
    }

    private string GetSecret()
    {
        var request = new GetSecretValueRequest
        {
            SecretId = this.secretName
        };

        using (var client = new AmazonSecretsManagerClient())
        {
            var response = client.GetSecretValueAsync(request).Result;
            return response.SecretString;
        }
    }
}
Program.cs 
builder.Configuration.Sources.Add(new AmazonSecretsManagerConfigurationSource("Secret name"));

var secretValue = builder.Configuration["Secret key"];

Authentication with Cognito JWT Token

Program.cs 
builder.Services.AddCognitoIdentity();

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.Authority = builder.Configuration["AWSCognito:Authority"];
    options.Audience = builder.Configuration["AWSCognito:UserPoolClientId"];
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        ValidateAudience = true
    };
    options.TokenValidationParameters.AudienceValidator = (audiences, securityToken, validationParameters) =>
    {
        // Cognito tokens doesn't have "aud" claim. Instead the audience is set in "client_id"
        var jsonWebToken = (Microsoft.IdentityModel.JsonWebTokens.JsonWebToken)securityToken;
        if (!jsonWebToken.Claims.Any(f => f.Type == "aud"))
            return false;
        return validationParameters.ValidAudience.Contains(jsonWebToken.Claims.First(f => f.Type == "aud").Value);
    };
});

Install the following nuget packages: Amazon.AspNetCore.Identity.Cognito

aws-aspnet-cognito-identity-provider

Cognito is not a fully OIDC-compliant provider
Récupérée de « http://wiki.bananeatomic.fr/index.php?title=AWS_SDK_for_.NET&oldid=30256 »