From source file: com.okta.tools.awscli.java
License: Open Source License
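/**
 * Extracts the principal/role ARN pairs from a base64-encoded SAML response,
 * asks the user to pick one, and exchanges the assertion for temporary
 * credentials through STS AssumeRoleWithSAML.
 *
 * Only the role list is parsed client-side, by plain text search; the
 * assertion itself is forwarded unmodified to STS, which performs the
 * signature and audience validation.
 *
 * Side effects: prints the role menu to stdout, assigns the static field
 * crossAccountRoleName, and exits the process when no AWS access is present.
 *
 * @param resultSAML the base64-encoded SAML response returned by Okta
 * @return the STS result carrying the temporary credentials for the chosen role
 * @throws IllegalStateException if the response mentions AWS but contains no
 *         parseable "principal,role" attribute value
 */
private static AssumeRoleWithSAMLResult assumeAWSRole(String resultSAML) {
    // NOTE(review): as written these two replace() calls are no-ops; the upstream
    // source most likely unescaped HTML entities for '+' and '=' here and the
    // entity names were lost in extraction -- confirm against the original file.
    resultSAML = resultSAML.replace("+", "+").replace("=", "=");
    // The decoded payload is XML, so decode it as UTF-8 instead of relying on
    // the platform default charset.
    String resultSAMLDecoded = new String(Base64.decodeBase64(resultSAML),
            java.nio.charset.StandardCharsets.UTF_8);
    ArrayList<String> principalArns = new ArrayList<String>();
    ArrayList<String> roleArns = new ArrayList<String>();

    // When the app is not assigned to the user, no role assertion is returned.
    if (!resultSAMLDecoded.contains("arn:aws")) {
        logger.error("\nYou do not have access to AWS through Okta. \nPlease contact your administrator.");
        // NOTE(review): this error path exits with status 0, so a calling script
        // cannot distinguish it from success; kept as-is to avoid changing the CLI contract.
        System.exit(0);
    }
    System.out.println("\nPlease choose the role you would like to assume: ");

    // Gather the list of applicable AWS roles. Each role attribute value typically looks like:
    //   <saml2:AttributeValue ... xsi:type="xs:string">
    //     arn:aws:iam::[AWS-ACCOUNT-ID]:saml-provider/Okta,arn:aws:iam::[AWS-ACCOUNT-ID]:role/[ROLE_NAME]
    //   </saml2:AttributeValue>
    int i = 0;
    while (resultSAMLDecoded.indexOf("arn:aws") != -1) {
        int start = resultSAMLDecoded.indexOf("arn:aws");
        int end = resultSAMLDecoded.indexOf("</saml2:", start);
        // Search for the closing tag from the ARN onwards (not from the start of
        // the buffer) so the cursor always moves forward; otherwise a closing tag
        // that is absent or precedes the ARN would re-parse the same entry or loop forever.
        int close = resultSAMLDecoded.indexOf("</saml2:AttributeValue", start);
        if (end == -1 || close == -1) {
            // No closing tag after this ARN: nothing further can be parsed safely.
            break;
        }
        String resultSAMLRole = resultSAMLDecoded.substring(start, end);
        // Advance past this attribute value before validating it, so a malformed
        // entry is skipped rather than revisited.
        resultSAMLDecoded = resultSAMLDecoded.substring(close + 1);
        String[] parts = resultSAMLRole.split(",");
        if (parts.length < 2) {
            // Not a "principal,role" pair; skip instead of failing on parts[1].
            continue;
        }
        principalArns.add(parts[0].trim());
        roleArns.add(parts[1].trim());
        System.out.println("[ " + (i + 1) + " ]: " + roleArns.get(i));
        i++;
    }
    if (roleArns.isEmpty()) {
        throw new IllegalStateException("No usable AWS role was found in the SAML response");
    }

    // Prompt the user for a role selection.
    int selection = numSelection(roleArns.size());
    String principalArn = principalArns.get(selection);
    String roleArn = roleArns.get(selection);
    crossAccountRoleName = roleArn.substring(roleArn.indexOf("/") + 1);

    // Empty credentials keep the STS client from picking up the profile this tool
    // just wrote; the SAML assertion itself is the credential for this call.
    BasicAWSCredentials awsCreds = new BasicAWSCredentials("", "");
    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(awsCreds);
    AssumeRoleWithSAMLRequest assumeRequest = new AssumeRoleWithSAMLRequest()
            .withPrincipalArn(principalArn)
            .withRoleArn(roleArn)
            .withSAMLAssertion(resultSAML)
            // 3600 seconds is a one-hour token (the previous comment claimed 12 hours);
            // STS caps this at the role's configured maximum session duration.
            .withDurationSeconds(3600);
    return stsClient.assumeRoleWithSAML(assumeRequest);
}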