List of usage examples for com.amazonaws.services.securitytoken AWSSecurityTokenServiceClientBuilder standard
public static AWSSecurityTokenServiceClientBuilder standard()
From source file:com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.java
License:Open Source License
public AWSCredentials getCredentials() { AWSCredentials initialCredentials = new BasicAWSCredentials(accessKey, secretKey.getPlainText()); if (StringUtils.isBlank(iamRoleArn)) { return initialCredentials; } else {/*from w w w . j av a 2 s.c o m*/ // Check for available region from the SDK, otherwise specify default String clientRegion = null; DefaultAwsRegionProviderChain sdkRegionLookup = new DefaultAwsRegionProviderChain(); try { clientRegion = sdkRegionLookup.getRegion(); } catch (com.amazonaws.SdkClientException e) { LOGGER.log(Level.WARNING, "Could not find default region using SDK lookup.", e); } if (clientRegion == null) { clientRegion = Regions.DEFAULT_REGION.getName(); } AWSSecurityTokenService client; // Handle the case of delegation to instance profile if (StringUtils.isBlank(accessKey) && StringUtils.isBlank(secretKey.getPlainText())) { client = AWSSecurityTokenServiceClientBuilder.standard().withRegion(clientRegion).build(); } else { client = AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(new AWSStaticCredentialsProvider(initialCredentials)) .withRegion(clientRegion).build(); } AssumeRoleRequest assumeRequest = createAssumeRoleRequest(iamRoleArn) .withDurationSeconds(this.getStsTokenDuration()); AssumeRoleResult assumeResult = client.assumeRole(assumeRequest); return new BasicSessionCredentials(assumeResult.getCredentials().getAccessKeyId(), assumeResult.getCredentials().getSecretAccessKey(), assumeResult.getCredentials().getSessionToken()); } }
From source file:com.netflix.genie.common.internal.aws.s3.S3ClientFactory.java
License:Apache License
/** * Constructor.//from w w w .j ava 2s. c om * * @param awsCredentialsProvider The base AWS credentials provider to use for the generated S3 clients * @param regionProvider How this factory should determine the default {@link Regions} * @param environment The Spring application {@link Environment} */ public S3ClientFactory(final AWSCredentialsProvider awsCredentialsProvider, final AwsRegionProvider regionProvider, final Environment environment) { this.awsCredentialsProvider = awsCredentialsProvider; /* * Use the Spring property binder to dynamically map properties under a common root into a map of key to object. * * In this case we're trying to get bucketName -> BucketProperties * * So if there were properties like: * genie.aws.s3.buckets.someBucket1.roleARN = blah * genie.aws.s3.buckets.someBucket2.region = us-east-1 * genie.aws.s3.buckets.someBucket2.roleARN = blah * * The result of this should be two entries in the map "bucket1" and "bucket2" mapping to property binding * object instances of BucketProperties with the correct property set or null if option wasn't specified. */ this.bucketProperties = Binder.get(environment) .bind(BUCKET_PROPERTIES_ROOT_KEY, Bindable.mapOf(String.class, BucketProperties.class)) .orElse(Collections.emptyMap()); // Set the initial size to the number of special cases defined in properties + 1 for the default client // NOTE: Should we proactively create all necessary clients or be lazy about it? For now, lazy. final int initialCapacity = this.bucketProperties.size() + 1; this.clientCache = new ConcurrentHashMap<>(initialCapacity); this.transferManagerCache = new ConcurrentHashMap<>(initialCapacity); String tmpRegion; try { tmpRegion = regionProvider.getRegion(); } catch (final SdkClientException e) { tmpRegion = Regions.getCurrentRegion() != null ? Regions.getCurrentRegion().getName() : Regions.US_EAST_1.getName(); log.warn("Couldn't determine the AWS region from the provider ({}) supplied. Defaulting to {}", regionProvider.toString(), tmpRegion); } this.defaultRegion = Regions.fromName(tmpRegion); // Create a token service client to use if we ever need to assume a role // TODO: Perhaps this should be just set to null if the bucket properties are empty as we'll never need it? this.stsClient = AWSSecurityTokenServiceClientBuilder.standard().withRegion(this.defaultRegion) .withCredentials(this.awsCredentialsProvider).build(); this.bucketToClientKey = new ConcurrentHashMap<>(); }
From source file:com.netflix.genie.web.util.S3ClientFactory.java
License:Apache License
/** * Get an S3 client given the configuration of the system. * * @return an S3 client//from w w w. ja v a2 s . c om */ public AmazonS3 getS3Client() { if (this.assumeRole) { // TODO: It's possible this could be optimized to reuse a client that a role has already been assumed for // it would take more logic in this class and likely isn't worth it right now before we decide how // 4.x may work best. As it is now create a new client every time one is requested to assume a role // See: https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempSessionTokenJava.html final AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(this.awsCredentialsProvider) .withClientConfiguration(this.awsClientConfiguration).withRegion(this.awsRegion).build(); final AssumeRoleRequest roleRequest = new AssumeRoleRequest().withRoleArn(this.roleArn) .withRoleSessionName("Genie-" + UUID.randomUUID().toString()); final AssumeRoleResult roleResult = stsClient.assumeRole(roleRequest); final Credentials sessionCredentials = roleResult.getCredentials(); final BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials( sessionCredentials.getAccessKeyId(), sessionCredentials.getSecretAccessKey(), sessionCredentials.getSessionToken()); return AmazonS3ClientBuilder.standard() .withCredentials(new AWSStaticCredentialsProvider(basicSessionCredentials)) .withClientConfiguration(this.awsClientConfiguration).withRegion(this.awsRegion).build(); } else { return this.defaultS3Client; } }
From source file:com.trulia.stail.Stail.java
License:Apache License
public static void main(String[] args) { final Stail stail = new Stail(); JCommander jct = new JCommander(stail); jct.setProgramName("stail"); try {//from w w w . j av a 2 s .c o m jct.parse(args); AWSCredentialsProvider credentialsProvider = new DefaultAWSCredentialsProviderChain(); if (stail.profile != null) { credentialsProvider = new ProfileCredentialsProvider(stail.profile); } if (stail.role != null) { credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(stail.role, "stail") .withStsClient(AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(credentialsProvider).build()) .build(); } AmazonKinesis client = AmazonKinesisClientBuilder.standard().withRegion(stail.region) .withCredentials(credentialsProvider).build(); // prepare the initial shard iterators at the LATEST position Map<Shard, String> shardIterators = getShardIterators(client, stail.stream, stail.start); IRecordProcessor processor = stail.json ? new JSONRecordProcessor() : new RawRecordProcessor(); Map<Shard, RateLimiter> rateLimiters = new HashMap<>(); shardIterators.keySet() .forEach(shard -> rateLimiters.put(shard, RateLimiter.create(MAX_SHARD_THROUGHPUT))); long end = Strings.isNullOrEmpty(stail.duration) ? Long.MAX_VALUE : System.currentTimeMillis() + Duration.parse(stail.duration).toMillis(); Set<String> reshardedShards = new HashSet<>(); Map<Shard, String> sequenceNumbers = new HashMap<>(); while (System.currentTimeMillis() < end) { if (!reshardedShards.isEmpty()) { // get the new list of shards List<Shard> shards = getShards(client, stail.stream); for (Shard shard : shards) { if (!Strings.isNullOrEmpty(shard.getParentShardId()) && reshardedShards.contains(shard.getParentShardId())) { // the old shard was split, so we need to consume this new shard from the beginning shardIterators.put(shard, getOldestShardIterator(client, stail.stream, shard)); } else if (!Strings.isNullOrEmpty(shard.getAdjacentParentShardId()) && reshardedShards.contains(shard.getAdjacentParentShardId())) { // the old shards were merged into a new shard shardIterators.put(shard, getOldestShardIterator(client, stail.stream, shard)); } } reshardedShards.clear(); } for (Shard shard : Lists.newArrayList(shardIterators.keySet())) { String shardIterator = shardIterators.remove(shard); GetRecordsRequest getRecordsRequest = new GetRecordsRequest(); getRecordsRequest.setShardIterator(shardIterator); getRecordsRequest.setLimit(BATCH_SIZE); try { GetRecordsResult getRecordsResult = client.getRecords(getRecordsRequest); List<Record> records = getRecordsResult.getRecords(); processor.processRecords(records, null); shardIterator = getRecordsResult.getNextShardIterator(); if (records.size() <= 0) { // nothing on the stream yet, so lets wait a bit to see if something appears TimeUnit.SECONDS.sleep(1); } else { int bytesRead = records.stream().map(record -> record.getData().position()) .reduce((_1, _2) -> _1 + _2).get(); sequenceNumbers.put(shard, records.get(records.size() - 1).getSequenceNumber()); // optionally sleep if we have hit the limit for this shard rateLimiters.get(shard).acquire(bytesRead); } if (!Strings.isNullOrEmpty(shardIterator)) { shardIterators.put(shard, shardIterator); } else { reshardedShards.add(shard.getShardId()); } } catch (ProvisionedThroughputExceededException e) { logger.warn("tripped the max throughput. Backing off: {}", e.getMessage()); TimeUnit.SECONDS.sleep(6); // we tripped the max throughput. Back off // add the original iterator back into the map so we can try it again shardIterators.put(shard, shardIterator); } catch (ExpiredIteratorException e) { logger.debug("Iterator expired", e); String sequenceNumber = sequenceNumbers.get(shard); if (sequenceNumber == null) { logger.warn("No previously known sequence number for {}. Moving to LATEST", shard.getShardId()); shardIterators.put(shard, getShardIterator(client, stail.stream, shard, null)); } else { shardIterators.put(shard, getShardIteratorAtSequenceNumber(client, stail.stream, shard, sequenceNumber)); } } } } } catch (ParameterException e) { jct.usage(); System.exit(1); } catch (InterruptedException e) { Thread.currentThread().interrupt(); System.exit(2); } }
From source file:org.apache.druid.indexing.kinesis.KinesisRecordSupplier.java
License:Apache License
public static AmazonKinesis getAmazonKinesisClient(String endpoint, AWSCredentialsConfig awsCredentialsConfig, String awsAssumedRoleArn, String awsExternalId) { AWSCredentialsProvider awsCredentialsProvider = AWSCredentialsUtils .defaultAWSCredentialsProviderChain(awsCredentialsConfig); if (awsAssumedRoleArn != null) { log.info("Assuming role [%s] with externalId [%s]", awsAssumedRoleArn, awsExternalId); STSAssumeRoleSessionCredentialsProvider.Builder builder = new STSAssumeRoleSessionCredentialsProvider.Builder( awsAssumedRoleArn, StringUtils.format("druid-kinesis-%s", UUID.randomUUID().toString())) .withStsClient(AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(awsCredentialsProvider).build()); if (awsExternalId != null) { builder.withExternalId(awsExternalId); }//from ww w. j a va2 s .c o m awsCredentialsProvider = builder.build(); } return AmazonKinesisClientBuilder.standard().withCredentials(awsCredentialsProvider) .withClientConfiguration(new ClientConfiguration()) .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpoint, AwsHostNameUtils.parseRegion(endpoint, null))) .build(); }
From source file:zipkin.autoconfigure.collector.kinesis.ZipkinKinesisCredentialsAutoConfiguration.java
License:Apache License
/** Setup {@link AWSSecurityTokenService} client an IAM role to assume is given. */ @Bean/* w ww. j a va 2 s.co m*/ @ConditionalOnMissingBean @Conditional(STSSetCondition.class) AWSSecurityTokenService securityTokenService(ZipkinKinesisCollectorProperties properties) { return AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(getDefaultCredentialsProvider(properties)).withRegion(properties.awsStsRegion) .build(); }
From source file:zipkin.autoconfigure.collector.sqs.ZipkinSQSCredentialsAutoConfiguration.java
License:Apache License
/** Setup {@link AWSSecurityTokenService} client an IAM role to assume is given. */ @Bean//from w w w .j av a2s . c o m @ConditionalOnMissingBean @Conditional(STSSetCondition.class) AWSSecurityTokenService securityTokenService(ZipkinSQSCollectorProperties properties) { return AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(getDefaultCredentialsProvider(properties)).withRegion(properties.awsStsRegion) .build(); }