1 /*
2 * Copyright 2014-2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License").
5 * You may not use this file except in compliance with the License.
6 * A copy of the License is located at
7 *
8 * http://aws.amazon.com/apache2.0
9 *
10 * or in the "license" file accompanying this file. This file is distributed
11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 * express or implied. See the License for the specific language governing
13 * permissions and limitations under the License.
14 */
15 package com.amazonaws.auth.profile.internal.securitytoken;
16
17 import com.amazonaws.annotation.SdkProtectedApi;
18 import com.amazonaws.auth.AWSCredentials;
19 import com.amazonaws.auth.AWSCredentialsProvider;
20 import com.amazonaws.internal.StaticCredentialsProvider;
21
22 @SdkProtectedApi
23 public class RoleInfo implements Cloneable {
24 /**
25 * <p>
26 * The Amazon Resource Name (ARN) of the role to assume.
27 * </p>
28 */
29 private String roleArn;
30
31 /**
32 * <p>
33 * An identifier for the assumed role session.
34 * </p>
35 * <p>
36 * Use the role session name to uniquely identify a session when the same
37 * role is assumed by different principals or for different reasons. In
38 * cross-account scenarios, the role session name is visible to, and can be
39 * logged by the account that owns the role. The role session name is also
40 * used in the ARN of the assumed role principal. This means that subsequent
41 * cross-account API requests using the temporary security credentials will
42 * expose the role session name to the external account in their CloudTrail
43 * logs.
44 * </p>
45 */
46 private String roleSessionName;
47
48 /**
49 * <p>
50 * A unique identifier that is used by third parties when assuming roles in
51 * their customers' accounts. For each role that the third party can assume,
52 * they should instruct their customers to ensure the role's trust policy
53 * checks for the external ID that the third party generated. Each time the
54 * third party assumes the role, they should pass the customer's external
55 * ID. The external ID is useful in order to help third parties bind a role
56 * to the customer who created it. For more information about the external
57 * ID, see <a href=
58 * "http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html"
59 * >How to Use an External ID When Granting Access to Your AWS Resources to
60 * a Third Party</a> in the <i>Using IAM</i>.
61 * </p>
62 */
63 private String externalId;
64
65 /**
66 * The absolute path to a JWT token file to be used when assuming a role
67 * via Web Identity Tokens.
68 */
69 private String webIdentityTokenFilePath;
70
71 /**
72 * <p>
73 * Provides the credentials that are used to assume the role.
74 * </p>
75 */
76 private AWSCredentialsProvider longLivedCredentialsProvider;
77
78 /**
79 * Default constructor for RoleInfo object. Callers should use the setter
80 * or fluent setter (with...) methods to initialize the object after
81 * creating it.
82 */
83 public RoleInfo() {
84 }
85
86 /**
87 * <p>
88 * The Amazon Resource Name (ARN) of the role to assume.
89 * </p>
90 *
91 * @param roleArn
92 * The Amazon Resource Name (ARN) of the role to assume.
93 */
94 public void setRoleArn(String roleArn) {
95 this.roleArn = roleArn;
96 }
97
98 /**
99 * <p>
100 * The Amazon Resource Name (ARN) of the role to assume.
101 * </p>
102 *
103 * @return The Amazon Resource Name (ARN) of the role to assume.
104 */
105 public String getRoleArn() {
106 return this.roleArn;
107 }
108
109 /**
110 * <p>
111 * The Amazon Resource Name (ARN) of the role to assume.
112 * </p>
113 *
114 * @param roleArn
115 * The Amazon Resource Name (ARN) of the role to assume.
116 * @return Returns a reference to this object so that method calls can be
117 * chained together.
118 */
119 public RoleInfo withRoleArn(String roleArn) {
120 setRoleArn(roleArn);
121 return this;
122 }
123
124 /**
125 * <p>
126 * An identifier for the assumed role session.
127 * </p>
128 * <p>
129 * Use the role session name to uniquely identify a session when the same
130 * role is assumed by different principals or for different reasons. In
131 * cross-account scenarios, the role session name is visible to, and can be
132 * logged by the account that owns the role. The role session name is also
133 * used in the ARN of the assumed role principal. This means that subsequent
134 * cross-account API requests using the temporary security credentials will
135 * expose the role session name to the external account in their CloudTrail
136 * logs.
137 * </p>
138 *
139 * @param roleSessionName
140 * An identifier for the assumed role session. </p>
141 * <p>
142 * Use the role session name to uniquely identify a session when the
143 * same role is assumed by different principals or for different
144 * reasons. In cross-account scenarios, the role session name is
145 * visible to, and can be logged by the account that owns the role.
146 * The role session name is also used in the ARN of the assumed role
147 * principal. This means that subsequent cross-account API requests
148 * using the temporary security credentials will expose the role
149 * session name to the external account in their CloudTrail logs.
150 */
151 public void setRoleSessionName(String roleSessionName) {
152 this.roleSessionName = roleSessionName;
153 }
154
155 /**
156 * <p>
157 * An identifier for the assumed role session.
158 * </p>
159 * <p>
160 * Use the role session name to uniquely identify a session when the same
161 * role is assumed by different principals or for different reasons. In
162 * cross-account scenarios, the role session name is visible to, and can be
163 * logged by the account that owns the role. The role session name is also
164 * used in the ARN of the assumed role principal. This means that subsequent
165 * cross-account API requests using the temporary security credentials will
166 * expose the role session name to the external account in their CloudTrail
167 * logs.
168 * </p>
169 *
170 * @return An identifier for the assumed role session. </p>
171 * <p>
172 * Use the role session name to uniquely identify a session when the
173 * same role is assumed by different principals or for different
174 * reasons. In cross-account scenarios, the role session name is
175 * visible to, and can be logged by the account that owns the role.
176 * The role session name is also used in the ARN of the assumed role
177 * principal. This means that subsequent cross-account API requests
178 * using the temporary security credentials will expose the role
179 * session name to the external account in their CloudTrail logs.
180 */
181 public String getRoleSessionName() {
182 return this.roleSessionName;
183 }
184
185 /**
186 * <p>
187 * An identifier for the assumed role session.
188 * </p>
189 * <p>
190 * Use the role session name to uniquely identify a session when the same
191 * role is assumed by different principals or for different reasons. In
192 * cross-account scenarios, the role session name is visible to, and can be
193 * logged by the account that owns the role. The role session name is also
194 * used in the ARN of the assumed role principal. This means that subsequent
195 * cross-account API requests using the temporary security credentials will
196 * expose the role session name to the external account in their CloudTrail
197 * logs.
198 * </p>
199 *
200 * @param roleSessionName
201 * An identifier for the assumed role session. </p>
202 * <p>
203 * Use the role session name to uniquely identify a session when the
204 * same role is assumed by different principals or for different
205 * reasons. In cross-account scenarios, the role session name is
206 * visible to, and can be logged by the account that owns the role.
207 * The role session name is also used in the ARN of the assumed role
208 * principal. This means that subsequent cross-account API requests
209 * using the temporary security credentials will expose the role
210 * session name to the external account in their CloudTrail logs.
211 * @return Returns a reference to this object so that method calls can be
212 * chained together.
213 */
214 public RoleInfo withRoleSessionName(String roleSessionName) {
215 setRoleSessionName(roleSessionName);
216 return this;
217 }
218
219 /**
220 * <p>
221 * A unique identifier that is used by third parties when assuming roles in
222 * their customers' accounts. For each role that the third party can assume,
223 * they should instruct their customers to ensure the role's trust policy
224 * checks for the external ID that the third party generated. Each time the
225 * third party assumes the role, they should pass the customer's external
226 * ID. The external ID is useful in order to help third parties bind a role
227 * to the customer who created it. For more information about the external
228 * ID, see <a href=
229 * "http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html"
230 * >How to Use an External ID When Granting Access to Your AWS Resources to
231 * a Third Party</a> in the <i>Using IAM</i>.
232 * </p>
233 *
234 * @param externalId
235 * A unique identifier that is used by third parties when assuming
236 * roles in their customers' accounts. For each role that the third
237 * party can assume, they should instruct their customers to ensure
238 * the role's trust policy checks for the external ID that the third
239 * party generated. Each time the third party assumes the role, they
240 * should pass the customer's external ID. The external ID is useful
241 * in order to help third parties bind a role to the customer who
242 * created it. For more information about the external ID, see <a
243 * href=
244 * "http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html"
245 * >How to Use an External ID When Granting Access to Your AWS
246 * Resources to a Third Party</a> in the <i>Using IAM</i>.
247 */
248 public void setExternalId(String externalId) {
249 this.externalId = externalId;
250 }
251
252 /**
253 * <p>
254 * A unique identifier that is used by third parties when assuming roles in
255 * their customers' accounts. For each role that the third party can assume,
256 * they should instruct their customers to ensure the role's trust policy
257 * checks for the external ID that the third party generated. Each time the
258 * third party assumes the role, they should pass the customer's external
259 * ID. The external ID is useful in order to help third parties bind a role
260 * to the customer who created it. For more information about the external
261 * ID, see <a href=
262 * "http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html"
263 * >How to Use an External ID When Granting Access to Your AWS Resources to
264 * a Third Party</a> in the <i>Using IAM</i>.
265 * </p>
266 *
267 * @return A unique identifier that is used by third parties when assuming
268 * roles in their customers' accounts. For each role that the third
269 * party can assume, they should instruct their customers to ensure
270 * the role's trust policy checks for the external ID that the third
271 * party generated. Each time the third party assumes the role, they
272 * should pass the customer's external ID. The external ID is useful
273 * in order to help third parties bind a role to the customer who
274 * created it. For more information about the external ID, see <a
275 * href=
276 * "http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html"
277 * >How to Use an External ID When Granting Access to Your AWS
278 * Resources to a Third Party</a> in the <i>Using IAM</i>.
279 */
280 public String getExternalId() {
281 return this.externalId;
282 }
283
284 /**
285 * <p>
286 * A unique identifier that is used by third parties when assuming roles in
287 * their customers' accounts. For each role that the third party can assume,
288 * they should instruct their customers to ensure the role's trust policy
289 * checks for the external ID that the third party generated. Each time the
290 * third party assumes the role, they should pass the customer's external
291 * ID. The external ID is useful in order to help third parties bind a role
292 * to the customer who created it. For more information about the external
293 * ID, see <a href=
294 * "http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html"
295 * >How to Use an External ID When Granting Access to Your AWS Resources to
296 * a Third Party</a> in the <i>Using IAM</i>.
297 * </p>
298 *
299 * @param externalId
300 * A unique identifier that is used by third parties when assuming
301 * roles in their customers' accounts. For each role that the third
302 * party can assume, they should instruct their customers to ensure
303 * the role's trust policy checks for the external ID that the third
304 * party generated. Each time the third party assumes the role, they
305 * should pass the customer's external ID. The external ID is useful
306 * in order to help third parties bind a role to the customer who
307 * created it. For more information about the external ID, see <a
308 * href=
309 * "http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html"
310 * >How to Use an External ID When Granting Access to Your AWS
311 * Resources to a Third Party</a> in the <i>Using IAM</i>.
312 * @return Returns a reference to this object so that method calls can be
313 * chained together.
314 */
315 public RoleInfo withExternalId(String externalId) {
316 setExternalId(externalId);
317 return this;
318 }
319
320 /**
321 * Set the absolute path to the JWT file that contains a web identity token.
322 */
323 public void setWebIdentityTokenFilePath(String webIdentityTokenFilePath) {
324 this.webIdentityTokenFilePath = webIdentityTokenFilePath;
325 }
326
327 /**
328 * Get the absolute path to the JWT file that contains a web identity token.
329 * @return
330 */
331 public String getWebIdentityTokenFilePath() {
332 return webIdentityTokenFilePath;
333 }
334
335 /**
336 * Similar to {@link #setWebIdentityTokenFilePath(String)} but returns this for
337 * method chaining.
338 */
339 public RoleInfo withWebIdentityTokenFilePath(String webIdentityTokenFilePath) {
340 setWebIdentityTokenFilePath(webIdentityTokenFilePath);
341 return this;
342 }
343
344 /**
345 * <p>
346 * Provides the credentials that are used to assume the role.
347 * </p>
348 * @param longLivedCredentialsProvider long lived credentials provider
349 */
350 public void setLongLivedCredentialsProvider(AWSCredentialsProvider longLivedCredentialsProvider) {
351 this.longLivedCredentialsProvider = longLivedCredentialsProvider;
352 }
353
354 /**
355 * <p>
356 * Provides the credentials that are used to assume the role.
357 * </p>
358 * @return long lived credentials provider
359 */
360 public AWSCredentialsProvider getLongLivedCredentialsProvider() {
361 return this.longLivedCredentialsProvider;
362 }
363
364 /**
365 * <p>
366 * Provides the credentials that are used to assume the role.
367 * </p>
368 * @param longLivedCredentialsProvider long lived credentials provider
369 * @return Returns a reference to this object so that method calls can be
370 * chained together.
371 */
372 public RoleInfo withLongLivedCredentialsProvider(AWSCredentialsProvider longLivedCredentialsProvider) {
373 setLongLivedCredentialsProvider(longLivedCredentialsProvider);
374 return this;
375 }
376
377 /**
378 * <p>
379 * Provides the credentials that are used to assume the role.
380 * </p>
381 * @param longLivedCredentials long lived credentials
382 * @return Returns a reference to this object so that method calls can be
383 * chained together.
384 */
385 public RoleInfo withLongLivedCredentials(AWSCredentials longLivedCredentials) {
386 setLongLivedCredentialsProvider(new StaticCredentialsProvider(longLivedCredentials));
387 return this;
388 }
389
390 /**
391 * Returns a string representation of this object; useful for testing and
392 * debugging.
393 *
394 * @return A string representation of this object.
395 * @see java.lang.Object#toString()
396 */
397 @Override
398 public String toString() {
399 StringBuilder sb = new StringBuilder();
400 sb.append("{");
401 if (getRoleArn() != null)
402 sb.append("RoleArn: " + getRoleArn() + ",");
403 if (getRoleSessionName() != null)
404 sb.append("RoleSessionName: " + getRoleSessionName() + ",");
405 if (getExternalId() != null)
406 sb.append("ExternalId: " + getExternalId() + ",");
407 sb.append("}");
408 return sb.toString();
409 }
410
411 @Override
412 public boolean equals(Object obj) {
413 if (this == obj)
414 return true;
415 if (obj == null)
416 return false;
417
418 if (obj instanceof RoleInfo == false)
419 return false;
420
421 RoleInfo other = (RoleInfo) obj;
422 if (other.getRoleArn() == null ^ this.getRoleArn() == null)
423 return false;
424 if (other.getRoleArn() != null
425 && other.getRoleArn().equals(this.getRoleArn()) == false)
426 return false;
427 if (other.getRoleSessionName() == null
428 ^ this.getRoleSessionName() == null)
429 return false;
430 if (other.getRoleSessionName() != null
431 && other.getRoleSessionName().equals(this.getRoleSessionName()) == false)
432 return false;
433 if (other.getExternalId() == null ^ this.getExternalId() == null)
434 return false;
435 if (other.getExternalId() != null
436 && other.getExternalId().equals(this.getExternalId()) == false)
437 return false;
438 if (other.getLongLivedCredentialsProvider() != this.getLongLivedCredentialsProvider())
439 return false;
440 return true;
441 }
442
443 @Override
444 public int hashCode() {
445 final int prime = 31;
446 int hashCode = 1;
447
448 hashCode = prime * hashCode
449 + ((getRoleArn() == null) ? 0 : getRoleArn().hashCode());
450 hashCode = prime
451 * hashCode
452 + ((getRoleSessionName() == null) ? 0 : getRoleSessionName()
453 .hashCode());
454 hashCode = prime * hashCode
455 + ((getExternalId() == null) ? 0 : getExternalId().hashCode());
456 hashCode = prime * hashCode
457 + ((getLongLivedCredentialsProvider() == null) ? 0 : getLongLivedCredentialsProvider().hashCode());
458 return hashCode;
459 }
460
461 @Override
462 public RoleInfo clone() {
463 try {
464 return (RoleInfo) super.clone();
465 } catch (CloneNotSupportedException e) {
466 throw new IllegalStateException(
467 "Got a CloneNotSupportedException from Object.clone() "
468 + "even though we're Cloneable!", e);
469 }
470 }
471 }
472