下面列出了com.amazonaws.services.s3.model.CryptoConfiguration#com.amazonaws.auth.DefaultAWSCredentialsProviderChain 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
/**
* Creates a new Elasticsearch REST client. If useAwsCredentials = true, the client is injected with AWS
* credentials. If useAwsCredentials = false and username/password are extracted using the credentialsPattern,
* the client is injected with username/password credentials. Otherwise a default client with no credentials is
* returned.
* @param endpoint is the Elasticsearch instance endpoint. The latter may contain username/password credentials
* for Elasticsearch services that are external to Amazon.
* Examples:
* 1) https://search-movies-ne3yqu.us-east-1.es.amazonaws.com
* 2) http://[email protected]:www.google.com
* @return an Elasticsearch REST client.
*/
private AwsRestHighLevelClient createClient(String endpoint)
{
if (useAwsCredentials) {
return new AwsRestHighLevelClient.Builder(endpoint)
.withCredentials(new DefaultAWSCredentialsProviderChain()).build();
}
else {
Matcher credentials = credentialsPattern.matcher(endpoint);
if (credentials.find()) {
String usernameAndPassword = credentials.group();
String username = usernameAndPassword.substring(0, usernameAndPassword.indexOf("@"));
String password = usernameAndPassword.substring(usernameAndPassword.indexOf("@") + 1,
usernameAndPassword.lastIndexOf(":"));
String finalEndpoint = endpoint.replace(usernameAndPassword, "");
return new AwsRestHighLevelClient.Builder(finalEndpoint).withCredentials(username, password).build();
}
}
logger.debug("Default client w/o credentials");
// Default client w/o credentials.
return new AwsRestHighLevelClient.Builder(endpoint).build();
}
@Inject
public KinesisClientManager(KinesisConfig config)
{
if (!isNullOrEmpty(config.getAccessKey()) && !isNullOrEmpty(config.getSecretKey())) {
BasicAWSCredentials awsCredentials = new BasicAWSCredentials(config.getAccessKey(), config.getSecretKey());
this.client = new AmazonKinesisClient(awsCredentials);
this.amazonS3Client = new AmazonS3Client(awsCredentials);
this.dynamoDbClient = new AmazonDynamoDBClient(awsCredentials);
}
else {
DefaultAWSCredentialsProviderChain defaultChain = new DefaultAWSCredentialsProviderChain();
this.client = new AmazonKinesisClient(defaultChain);
this.amazonS3Client = new AmazonS3Client(defaultChain);
this.dynamoDbClient = new AmazonDynamoDBClient(defaultChain);
}
this.client.setEndpoint("kinesis." + config.getAwsRegion() + ".amazonaws.com");
this.dynamoDbClient.setEndpoint("dynamodb." + config.getAwsRegion() + ".amazonaws.com");
}
private static AWSCredentialsProvider getAwsCredentialsProvider(GlueHiveMetastoreConfig config)
{
if (config.getAwsAccessKey().isPresent() && config.getAwsSecretKey().isPresent()) {
return new AWSStaticCredentialsProvider(
new BasicAWSCredentials(config.getAwsAccessKey().get(), config.getAwsSecretKey().get()));
}
if (config.getIamRole().isPresent()) {
return new STSAssumeRoleSessionCredentialsProvider
.Builder(config.getIamRole().get(), "presto-session")
.withExternalId(config.getExternalId().orElse(null))
.build();
}
if (config.getAwsCredentialsProvider().isPresent()) {
return getCustomAWSCredentialsProvider(config.getAwsCredentialsProvider().get());
}
return DefaultAWSCredentialsProviderChain.getInstance();
}
@Test
public void minimalConfig() {
InvocationClient.Builder builder = new InvocationClient.Builder();
new InvocationClientConfig(builder,
new HashMap<String, String>() {
{
put("aws.lambda.function.arn", "test-function");
}
});
assertEquals("test-function", builder.getFunctionArn());
assertNull(builder.getRegion());
assertEquals(InvocationMode.SYNC, builder.getInvocationMode());
assertEquals(InvocationFailure.STOP, builder.getFailureMode());
assertEquals(Duration.ofMinutes(5), builder.getInvocationTimeout());
assertNotNull(builder.getClientConfiguration());
assertEquals(DefaultAWSCredentialsProviderChain.class, builder.getCredentialsProvider().getClass());
}
/**
* Return an AmazonS3Client set up with the proper endpoint
* defined in core-site.xml using a property like fs.s3a.endpoint.
* This mimics code found in S3AFileSystem.
*
* @param conf
* @param scheme
* @return
*/
private static AmazonS3Client getS3Client(Configuration conf, String scheme)
{
AmazonS3Client s3Client = new AmazonS3Client(new DefaultAWSCredentialsProviderChain());
String endpointKey = "fs." + scheme.toLowerCase() + ".endpoint";
String endPoint = conf.getTrimmed(endpointKey,"");
log.debug("Using endpoint setting " + endpointKey);
if (!endPoint.isEmpty()) {
try {
log.debug("Setting S3 client endpoint to " + endPoint);
s3Client.setEndpoint(endPoint);
} catch (IllegalArgumentException e) {
String msg = "Incorrect endpoint: " + e.getMessage();
log.error(msg);
throw new IllegalArgumentException(msg, e);
}
}
return s3Client;
}
@Test
public void testDefaultAWSCredentialsProviderChain() throws Throwable {
final TestRunner runner = TestRunners.newTestRunner(FetchS3Object.class);
final AWSCredentialsProviderControllerService serviceImpl = new AWSCredentialsProviderControllerService();
runner.addControllerService("awsCredentialsProvider", serviceImpl);
runner.enableControllerService(serviceImpl);
runner.assertValid(serviceImpl);
final AWSCredentialsProviderService service = (AWSCredentialsProviderService) runner.getProcessContext()
.getControllerServiceLookup().getControllerService("awsCredentialsProvider");
Assert.assertNotNull(service);
final AWSCredentialsProvider credentialsProvider = service.getCredentialsProvider();
Assert.assertNotNull(credentialsProvider);
assertEquals("credentials provider should be equal", DefaultAWSCredentialsProviderChain.class,
credentialsProvider.getClass());
}
@Test
void credentialsProvider_defaultCredentialsProviderWithoutFurtherConfig_awsCredentialsProviderConfigured()
throws Exception {
// Arrange
this.context = new AnnotationConfigApplicationContext(
ApplicationConfigurationWithDefaultCredentialsProvider.class);
// Act
AWSCredentialsProvider awsCredentialsProvider = this.context
.getBean(AWSCredentialsProvider.class);
// Assert
assertThat(awsCredentialsProvider).isNotNull();
assertThat(DefaultAWSCredentialsProviderChain.class
.isInstance(awsCredentialsProvider)).isTrue();
}
public static void cleanUpFromPreviousRuns(Regions testRegion, String groupPrefix) {
LOG.info("Cleaning up from previous test runs...");
// Get time an hour ago to clean up anything that was created more than an hour ago. That should be more than
// enough time for test runs so anything left over by that time will be junk to clean up.
Date createdBeforeThreshold = new Date(System.currentTimeMillis() - (60 * 60 * 1000));
// Resource prefix for the test groups so we only clean up the resources related to the tests.
// TODO is there a method somewhere that will construct this for me so it will always match the
// actual names constructed by the code?
String testResourcePrefix = String.format(
"strongbox_%s_%s", testRegion.getName(),
AWSResourceNameSerialization.encodeSecretsGroupName(groupPrefix));
AWSCredentialsProvider awsCredentials = new DefaultAWSCredentialsProviderChain();
cleanUpDynamoDBTables(testRegion, testResourcePrefix, createdBeforeThreshold, awsCredentials);
cleanUpKMSKeys(testRegion, testResourcePrefix, createdBeforeThreshold, awsCredentials);
cleanUpIAM(testRegion, testResourcePrefix, createdBeforeThreshold, awsCredentials);
}
@Test
void configuration_withoutAwsCredentials_shouldCreateAClientWithDefaultCredentialsProvider()
throws Exception {
// Arrange & Act
AnnotationConfigApplicationContext applicationContext = new AnnotationConfigApplicationContext(
ConfigurationWithMissingAwsCredentials.class);
// Assert
AmazonSQSBufferedAsyncClient bufferedAmazonSqsClient = applicationContext
.getBean(AmazonSQSBufferedAsyncClient.class);
AmazonSQSAsyncClient amazonSqsClient = (AmazonSQSAsyncClient) ReflectionTestUtils
.getField(bufferedAmazonSqsClient, "realSQS");
assertThat(DefaultAWSCredentialsProviderChain.class.isInstance(
ReflectionTestUtils.getField(amazonSqsClient, "awsCredentialsProvider")))
.isTrue();
}
@Test
public void testStepContextBasicCreds() throws IOException, InterruptedException {
EnvVars mockEnvVars = mock(EnvVars.class);
when(mockEnvVars.get(AWS_ACCESS_KEY_ID)).thenReturn("access");
when(mockEnvVars.get(AWS_SECRET_ACCESS_KEY)).thenReturn("secret");
when(mockEnvVars.get(AWS_SESSION_TOKEN)).thenReturn(null);
when(mockStepContext.get(EnvVars.class)).thenReturn(mockEnvVars);
when(awsSecretKey.getPlainText()).thenReturn("");
PowerMockito.mockStatic(DefaultAWSCredentialsProviderChain.class);
when(DefaultAWSCredentialsProviderChain.getInstance()).thenThrow(new RuntimeException("Should not be accessing the default credentials provider chain."));
AWSClientFactory awsClientFactory = new AWSClientFactory("keys", "", "", "", "", awsSecretKey, "", REGION, build, mockStepContext);
assert(awsClientFactory.getCredentialsDescriptor().contains(stepCredentials));
}
@Test
public void testStepContextSessionCreds() throws IOException, InterruptedException {
EnvVars mockEnvVars = mock(EnvVars.class);
when(mockEnvVars.get(AWS_ACCESS_KEY_ID)).thenReturn("access");
when(mockEnvVars.get(AWS_SECRET_ACCESS_KEY)).thenReturn("secret");
when(mockEnvVars.get(AWS_SESSION_TOKEN)).thenReturn("token");
when(mockStepContext.get(EnvVars.class)).thenReturn(mockEnvVars);
when(awsSecretKey.getPlainText()).thenReturn("");
PowerMockito.mockStatic(DefaultAWSCredentialsProviderChain.class);
when(DefaultAWSCredentialsProviderChain.getInstance()).thenThrow(new RuntimeException("Should not be accessing the default credentials provider chain."));
AWSClientFactory awsClientFactory = new AWSClientFactory("keys", "", "", "", "", awsSecretKey, "", REGION, build, mockStepContext);
assert(awsClientFactory.getCredentialsDescriptor().contains(stepCredentials));
}
@Test
void getObject_withZeroConfiguredProviders_returnsDefaultAwsCredentialsProviderChain()
throws Exception {
// Arrange
CredentialsProviderFactoryBean credentialsProviderFactoryBean = new CredentialsProviderFactoryBean();
credentialsProviderFactoryBean.afterPropertiesSet();
// Act
AWSCredentialsProvider credentialsProvider = credentialsProviderFactoryBean
.getObject();
// Assert
assertThat(credentialsProvider).isNotNull();
assertThat(
DefaultAWSCredentialsProviderChain.class.isInstance(credentialsProvider))
.isTrue();
}
/** By default, get credentials from the {@link DefaultAWSCredentialsProviderChain} */
@Bean @ConditionalOnMissingBean
AWSCredentials.Provider credentials() {
return new AWSCredentials.Provider() {
final AWSCredentialsProvider delegate = new DefaultAWSCredentialsProviderChain();
@Override public AWSCredentials get() {
com.amazonaws.auth.AWSCredentials result = delegate.getCredentials();
String sessionToken =
result instanceof AWSSessionCredentials
? ((AWSSessionCredentials) result).getSessionToken()
: null;
return new AWSCredentials(
result.getAWSAccessKeyId(), result.getAWSSecretKey(), sessionToken);
}
};
}
private AWSSecurityTokenService awsSecurityTokenServiceClient(AwsCredentialView awsCredential) {
if (!awsEnvironmentVariableChecker.isAwsAccessKeyAvailable(awsCredential)
|| !awsEnvironmentVariableChecker.isAwsSecretAccessKeyAvailable(awsCredential)) {
LOGGER.debug("AWSSecurityTokenServiceClient will use aws metadata because environment variables are undefined");
return AWSSecurityTokenServiceClientBuilder.standard()
.withRegion(awsDefaultZoneProvider.getDefaultZone(awsCredential))
.withCredentials(new InstanceProfileCredentialsProvider())
.build();
} else {
LOGGER.debug("AWSSecurityTokenServiceClient will use environment variables");
return AWSSecurityTokenServiceClientBuilder.standard()
.withRegion(awsDefaultZoneProvider.getDefaultZone(awsCredential))
.withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
.build();
}
}
private synchronized void buildS3Handler() throws IOException {
if (handler == null) {
try {
final AWSCredentialsProvider credentialsProvider = new DefaultAWSCredentialsProviderChain();
final AmazonS3 s3Client = AmazonS3ClientBuilder.standard().withCredentials(credentialsProvider).build();
handler = new S3Handler(s3Client);
} catch (final AmazonServiceException ase) {
throw new IOException("Amazon S3 service failure for error type " + ase.getErrorType(), ase);
} catch (final AmazonClientException ace) {
throw new IOException("Amazon S3 client failure", ace);
}
}
}
@Bean
AmazonS3 s3(
@Value("${s3.endpoint.url}") String s3EndpointUrl,
@Value("${s3.endpoint.signingRegion}") String signingRegion) {
return AmazonS3Client
.builder()
.withCredentials(new DefaultAWSCredentialsProviderChain())
.withEndpointConfiguration(new EndpointConfiguration(s3EndpointUrl, signingRegion))
.build();
}
@Bean
@Lazy
AmazonS3 s3(
@Value("${s3.endpoint.url}") String s3EndpointUrl,
@Value("${s3.endpoint.signingRegion}") String signingRegion) {
return AmazonS3Client
.builder()
.withCredentials(new DefaultAWSCredentialsProviderChain())
.withEndpointConfiguration(new EndpointConfiguration(s3EndpointUrl, signingRegion))
.build();
}
@Override
public AWSGlue newClient() throws MetaException {
AWSGlueClientBuilder glueClientBuilder = AWSGlueClientBuilder.standard()
.withClientConfiguration(createGatewayTimeoutRetryableConfiguration())
.withCredentials(new DefaultAWSCredentialsProviderChain());
String endpoint = System.getProperty("endpoint");
if (StringUtils.isNotBlank(endpoint)) {
glueClientBuilder.setEndpointConfiguration(new EndpointConfiguration(endpoint, null));
}
return glueClientBuilder.build();
}
private static AWSCredentialsProvider getAwsCredentialsProvider(AwsSecurityConfig config)
{
if (config.getAccessKey().isPresent() && config.getSecretKey().isPresent()) {
return new AWSStaticCredentialsProvider(new BasicAWSCredentials(
config.getAccessKey().get(),
config.getSecretKey().get()));
}
return DefaultAWSCredentialsProviderChain.getInstance();
}
private static AWSCredentialsProvider getAwsCredentialsProvider(Configuration conf, HiveS3Config defaults)
{
Optional<AWSCredentials> credentials = getAwsCredentials(conf);
if (credentials.isPresent()) {
return new AWSStaticCredentialsProvider(credentials.get());
}
String providerClass = conf.get(S3_CREDENTIALS_PROVIDER);
if (!isNullOrEmpty(providerClass)) {
return getCustomAWSCredentialsProvider(conf, providerClass);
}
return DefaultAWSCredentialsProviderChain.getInstance();
}
@Test
public void testAssumeRoleDefaultCredentials()
throws Exception
{
Configuration config = new Configuration(false);
config.set(S3_IAM_ROLE, "test_role");
try (PrestoS3FileSystem fs = new PrestoS3FileSystem()) {
fs.initialize(new URI("s3n://test-bucket/"), config);
AWSCredentialsProvider tokenService = getStsCredentialsProvider(fs, "test_role");
assertInstanceOf(tokenService, DefaultAWSCredentialsProviderChain.class);
}
}
@Test
public void testDefaultCredentials()
throws Exception
{
Configuration config = new Configuration(false);
try (PrestoS3FileSystem fs = new PrestoS3FileSystem()) {
fs.initialize(new URI("s3n://test-bucket/"), config);
assertInstanceOf(getAwsCredentialsProvider(fs), DefaultAWSCredentialsProviderChain.class);
}
}
/**
* Constructor for the JCredStashWrapper
*
* @param region the aws region location of the KMS Client
* @param tableName name of the credentials table
* @param clientConfiguration the AWS client configuration
*/
public JCredStashWrapper(String region, String tableName, ClientConfiguration clientConfiguration)
{
AWSCredentialsProvider provider = new DefaultAWSCredentialsProviderChain();
AmazonDynamoDBClient ddb = new AmazonDynamoDBClient(provider, clientConfiguration).withRegion(Regions.fromName(region));
AWSKMSClient kms = new AWSKMSClient(provider, clientConfiguration).withRegion(Regions.fromName(region));
credstash = new JCredStash(tableName, ddb, kms, new CredStashBouncyCastleCrypto());
}
void setCredentialsProvider(ArtifactStoreConfig artifactStoreConfig) {
if (isNotBlank(artifactStoreConfig.getAwsAccessKeyId()) || isNotBlank(artifactStoreConfig.getAwsSecretAccessKey())) {
AWSStaticCredentialsProvider awsStaticCredentialsProvider = new AWSStaticCredentialsProvider(new BasicAWSCredentials(artifactStoreConfig.getAwsAccessKeyId(), artifactStoreConfig.getAwsSecretAccessKey()));
builder.setCredentials(awsStaticCredentialsProvider);
LOG.debug("Using the AWS keys configured in the specified artifact store.");
}
else {
builder.setCredentials(new DefaultAWSCredentialsProviderChain());
LOG.debug("Setting the default aws credentials chain provider. This happens if the specified artifact store does not have aws keys configured. The default chain checks for environment variables, system properties, credentials profile, instance profile.");
}
}
@Test
public void testImpliedDefaultCredentials() throws Throwable {
final TestRunner runner = TestRunners.newTestRunner(MockAWSProcessor.class);
runner.assertValid();
Map<PropertyDescriptor, String> properties = runner.getProcessContext().getProperties();
final CredentialsProviderFactory factory = new CredentialsProviderFactory();
final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(properties);
Assert.assertNotNull(credentialsProvider);
assertEquals("credentials provider should be equal", DefaultAWSCredentialsProviderChain.class,
credentialsProvider.getClass());
}
/**
* Get the appropriate CredentialProvider for a given system stream.
* @param system name of the system
* @param stream name of the stream
* @return AWSCredentialsProvider
*/
AWSCredentialsProvider credentialsProviderForStream(String system, String stream) {
// Try to load credentials in the following order:
// 1. Access key from the config and passed in secretKey
// 2. From the default credential provider chain (environment variables, system properties, AWS profile file, etc)
return new AWSCredentialsProviderChain(
new KinesisAWSCredentialsProvider(getStreamAccessKey(system, stream), getStreamSecretKey(system, stream)),
new DefaultAWSCredentialsProviderChain());
}
@BeforeClass
public void initTest() throws IOException {
userFacade = new UserFacade();
contentFacade = new ContentFacade();
s3Client = new AmazonS3Client(new DefaultAWSCredentialsProviderChain()).withRegion(Regions.EU_WEST_1);
this.uploadDataToBucket();
}
private static AWSCredentialsProvider buildCredentialsProvider(Config config)
{
if (config.has("credentials.file")) {
return new PropertiesFileCredentialsProvider(
config.get("credentials.file", String.class));
}
else if (config.has("credentials.access-key-id")) {
final BasicAWSCredentials creds = new BasicAWSCredentials(
config.get("credentials.access-key-id", String.class),
config.get("credentials.secret-access-key", String.class));
return new AWSCredentialsProvider()
{
@Override
public AWSCredentials getCredentials()
{
return creds;
}
@Override
public void refresh()
{ }
};
}
else {
return new DefaultAWSCredentialsProviderChain();
}
}
public static AWSCredentialsProvider getCredentialsProvider(AWSConfig config) throws StageException {
AWSCredentialsProvider credentialsProvider = DefaultAWSCredentialsProviderChain.getInstance();
if (config.credentialMode == AWSCredentialMode.WITH_CREDENTIALS) {
if (!StringUtils.isEmpty(config.awsAccessKeyId.get()) && !StringUtils.isEmpty(config.awsSecretAccessKey.get())) {
credentialsProvider = new AWSStaticCredentialsProvider(
new BasicAWSCredentials(config.awsAccessKeyId.get(), config.awsSecretAccessKey.get())
);
}
}
return credentialsProvider;
}
@Bean(name = CREDENTIALS_PROVIDER_BEAN_NAME)
@ConditionalOnMissingBean(name = CREDENTIALS_PROVIDER_BEAN_NAME)
public AWSCredentialsProvider awsCredentialsProvider(
AwsCredentialsProperties properties) {
List<AWSCredentialsProvider> providers = resolveCredentialsProviders(properties);
if (providers.isEmpty()) {
return new DefaultAWSCredentialsProviderChain();
}
else {
return new AWSCredentialsProviderChain(providers);
}
}