com.netflix.dynomitemanager.sidecore.aws.AwsRoleAssumptionCredential.java Source code

Java tutorial

Introduction

Here is the source code for com.netflix.dynomitemanager.sidecore.aws.AwsRoleAssumptionCredential.java

Source

/**
 * Copyright 2016 Netflix, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.netflix.dynomitemanager.sidecore.aws;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.google.inject.Inject;
import com.netflix.dynomitemanager.identity.InstanceEnvIdentity;
import com.netflix.dynomitemanager.sidecore.IConfiguration;
import com.netflix.dynomitemanager.sidecore.ICredential;

public class AwsRoleAssumptionCredential implements ICredential {
    private static final String AWS_ROLE_ASSUMPTION_SESSION_NAME = "AwsRoleAssumptionSession";
    private ICredential cred;
    private IConfiguration config;
    private InstanceEnvIdentity insEnvIdentity;
    private AWSCredentialsProvider stsSessionCredentialsProvider;

    @Inject
    public AwsRoleAssumptionCredential(ICredential cred, IConfiguration config,
            InstanceEnvIdentity insEnvIdentity) {
        this.cred = cred;
        this.config = config;
        this.insEnvIdentity = insEnvIdentity;
    }

    @Override
    public AWSCredentialsProvider getAwsCredentialProvider() {
        if (this.config.isDualAccount() || this.stsSessionCredentialsProvider == null) {
            synchronized (this) {
                if (this.stsSessionCredentialsProvider == null) {

                    String roleArn = null;
                    /**
                     *  Create the assumed IAM role based on the environment.
                     *  For example, if the current environment is VPC, 
                     *  then the assumed role is for EC2 classic, and vice versa.
                     */
                    if (this.insEnvIdentity.isClassic()) {
                        roleArn = this.config.getVpcAWSRoleAssumptionArn(); // Env is EC2 classic --> IAM assumed role for VPC created 
                    } else {
                        roleArn = this.config.getClassicAWSRoleAssumptionArn(); // Env is VPC --> IAM assumed role for EC2 classic created 
                    }

                    //
                    if (roleArn == null || roleArn.isEmpty())
                        throw new NullPointerException(
                                "Role ARN is null or empty probably due to missing config entry");

                    /**
                     *  Get handle to an implementation that uses AWS Security Token Service (STS) to create temporary, 
                     *  short-lived session with explicit refresh for session/token expiration.
                     */
                    try {
                        this.stsSessionCredentialsProvider = new STSAssumeRoleSessionCredentialsProvider(
                                this.cred.getAwsCredentialProvider(), roleArn, AWS_ROLE_ASSUMPTION_SESSION_NAME);

                    } catch (Exception ex) {
                        throw new IllegalStateException(
                                "Exception in getting handle to AWS Security Token Service (STS).  Msg: "
                                        + ex.getLocalizedMessage(),
                                ex);
                    }

                }

            }
        }

        return this.stsSessionCredentialsProvider;

    }
}