public function testThatAssumeRoleWithWebIdentityRequestsDoNotGetSigned()
{
$client = StsClient::factory();
$mock = new MockPlugin();
$mock->addResponse(new Response(200));
$client->addSubscriber($mock);
$command = $client->getCommand('AssumeRoleWithWebIdentity', array('RoleArn' => 'xxxxxxxxxxxxxxxxxxxxxx', 'RoleSessionName' => 'xx', 'WebIdentityToken' => 'xxxx'));
$request = $command->prepare();
$command->execute();
$this->assertFalse($request->hasHeader('Authorization'));
}
public function testFactoryInitializesClient()
{
$client = StsClient::factory(array('key' => 'foo', 'secret' => 'bar', 'region' => 'us-west-1'));
$this->assertInstanceOf('Aws\\Common\\Credentials\\Credentials', $client->getCredentials());
$this->assertEquals('https://sts.amazonaws.com', $client->getBaseUrl());
$this->assertInstanceOf('Aws\\Common\\Signature\\SignatureV4', $this->readAttribute($client, 'signature'));
$this->assertTrue($client->getDescription()->hasOperation('GetSessionToken'));
}
public function __construct(array $args)
{
if (!isset($args['version'])) {
$args['version'] = "2011-06-15";
}
if (!isset($args['endpoint']) && isset($args['region'])) {
$args['endpoint'] = sprintf("https://sts.%s.amazonaws.com", $args['region']);
}
parent::__construct($args);
}
/**
* Returns a set of temporary credentials for an AWS account or IAM user.
*
* @param integer $durationSeconds The duration, in seconds, that the credentials should remain valid.
* @param string $serialNumber The identification number of the MFA device that is associated with the IAM user who is making the GetSessionToken call.
* @param string $tokenCode The value provided by the MFA device, if MFA is required.
*
* @return Guzzle\Service\Resource\Model
*
* @see http://docs.aws.amazon.com/aws-sdk-php/latest/class-Aws.Sts.StsClient.html#_getSessionToken
*/
public function getSessionToken($durationSeconds = 43200, $serialNumber = null, $tokenCode = null)
{
$args = ['DurationSeconds' => $durationSeconds];
if ($serialNumber !== null) {
$args['SerialNumber'] = $serialNumber;
}
if ($tokenCode !== null) {
$args['TokenCode'] = $tokenCode;
}
return $this->client->getSessionToken($args);
}
public function testCanInstantiateRegionlessClientsWithoutParameters()
{
$config = array('key' => 'foo', 'secret' => 'bar');
try {
// Instantiate all of the clients that do not require a region
\Aws\S3\S3Client::factory($config);
\Aws\CloudFront\CloudFrontClient::factory($config);
\Aws\Route53\Route53Client::factory($config);
\Aws\Sts\StsClient::factory($config);
} catch (\InvalidArgumentException $e) {
$this->fail('All of the above clients should have been instantiated without errors: ' . $e->getMessage());
}
}
<?php
session_start();
require 'vendor/autoload.php';
use Aws\Sts\StsClient;
use Aws\S3\S3Client;
use Aws\Common\Credentials;
//directory name in the s3 bucket that can be unique for any customer
$s3dir = $customer_id = "user_1";
//S3 & accesso S3:
$Bucket = '<Bucket Name>';
$RoleArn = '<Role ARN>';
$auth = array('key' => '<AccessKey>', 'secret' => '<SecretKey>');
// Client STS is required to create temporary credentials for the user(customer)
$sts = StsClient::factory($auth);
//Let's define the personalized policy for the user(Customer that use the service):
$Policy = '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::' . $Bucket . '/' . $s3dir . '/*"
]
}
]
}';
/**
* @expectedException \Aws\Common\Exception\InvalidArgumentException
*/
public function testRequiresLongTermCredentials()
{
StsClient::factory(array('key' => 'foo', 'secret' => 'bar', 'token' => 'foo', 'region' => 'us-west-1'));
}
/**
* @param array $role
* @return array
*/
protected function getCredentials($role = [])
{
$c = new StsClient(['version' => 'latest', 'region' => 'us-east-1']);
$credentials = $c->assumeRole(['RoleArn' => sprintf(self::ROLE_ARN, $role['account'], $role['role']), 'RoleSessionName' => 'aws-commands'])->search('Credentials');
return $credentials;
}
/**
* @expectedException \Aws\Sts\Exception\StsException
* @expectedExceptionMessage Not authorized to perform sts:AssumeRoleWithWebIdentity
*/
public function testFailsOnBadWebIdentity()
{
$this->client->assumeRoleWithWebIdentity(array('RoleArn' => 'arn:aws:iam::123123123123:role/DummyRole.', 'RoleSessionName' => 'dummy-session-name', 'WebIdentityToken' => 'dummy-oauth-token', 'ProviderId' => 'dummy-provider-name', 'Policy' => json_encode(array('Statement' => array(array('Effect' => 'Deny', 'Action' => 's3:GetObject', 'Resource' => 'arn:aws:s3:::mybucket/dummy/*'))))));
}
<?php
require 'vendor/autoload.php';
define("AWS_ACCESS_KEY", "AKIAIQ5G3H2ETTRQSUUQ");
define("AWS_SECRET_KEY", "DtVG2Cvx9Q/Q07OPksxlc6++Kskw+D24IDgPSvyM");
define("S3_EUROPE_BUCKET", "adbestkdev-priv-ire");
use Aws\Sts\StsClient;
use Aws\S3\S3Client;
try {
$config = array('key' => AWS_ACCESS_KEY, 'secret' => AWS_SECRET_KEY, 'region' => "eu-west-1");
$sts = StsClient::factory($config);
/*$result = $sts->getFederationToken(array(
'Name' => 'User1',
'DurationSeconds' => 3600,
'Policy' => json_encode(array(
'Statement' => array(
array(
'Sid' => 'randomstatementid' . time(),
'Action' => array('s3:ListBucket','s:ListBucket'),
'Effect' => 'Allow',
'Resource' => 'arn:aws:s3:::'.S3_EUROPE_BUCKET
)
)
))
));
$credentials = $result->get('Credentials');*/
$credentials = $sts->getSessionToken()->get('Credentials');
echo $credentials['AccessKeyId'] . "<br>";
echo urlencode($credentials['SecretAccessKey']) . "<br><br>";
echo $credentials['SessionToken'] . "<br><br>";
