Test credentials using sts:GetCallerIdentity.

iterate-ch · Nov 1, 2024 · 3965219 · 3965219
1 parent 93069ec
commit 3965219
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/s3/src/main/java/ch/cyberduck/core/s3/S3Session.java b/s3/src/main/java/ch/cyberduck/core/s3/S3Session.java
@@ -28,7 +28,9 @@
 import ch.cyberduck.core.PathContainerService;
 import ch.cyberduck.core.Scheme;
 import ch.cyberduck.core.UrlProvider;
+import ch.cyberduck.core.auth.AWSCredentialsConfigurator;
 import ch.cyberduck.core.auth.AWSSessionCredentialsRetriever;
+import ch.cyberduck.core.aws.CustomClientConfiguration;
 import ch.cyberduck.core.cdn.Distribution;
 import ch.cyberduck.core.cdn.DistributionConfiguration;
 import ch.cyberduck.core.cloudfront.CloudFrontDistributionConfigurationPreloader;
@@ -59,6 +61,7 @@
 import ch.cyberduck.core.ssl.X509KeyManager;
 import ch.cyberduck.core.ssl.X509TrustManager;
 import ch.cyberduck.core.sts.STSAssumeRoleCredentialsRequestInterceptor;
+import ch.cyberduck.core.sts.STSExceptionMappingService;
 import ch.cyberduck.core.threading.CancelCallback;
 
 import org.apache.http.HttpHeaders;
@@ -87,6 +90,12 @@
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 
+import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
+import com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException;
+import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
+import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult;
+
 import static com.amazonaws.services.s3.Headers.*;
 
 public class S3Session extends HttpSession<RequestEntityRestStorageService> {
@@ -336,6 +345,25 @@ public void login(final LoginCallback prompt, final CancelCallback cancel) throw
             return;
         }
         try {
+            if(S3Session.isAwsHostname(host.getHostname(), false)) {
+                final CustomClientConfiguration configuration = new CustomClientConfiguration(host,
+                        new ThreadLocalHostnameDelegatingTrustManager(trust, host.getHostname()), key);
+                final AWSSecurityTokenServiceClientBuilder builder = AWSSecurityTokenServiceClientBuilder.standard()
+                        .withCredentials(AWSCredentialsConfigurator.toAWSCredentialsProvider(client.getProviderCredentials()))
+                        .withClientConfiguration(configuration);
+                final AWSSecurityTokenService service = builder.build();
+                // Returns details about the IAM user or role whose credentials are used to call the operation.
+                // No permissions are required to perform this operation.
+                try {
+                    final GetCallerIdentityResult identity = service.getCallerIdentity(new GetCallerIdentityRequest());
+                    if(log.isDebugEnabled()) {
+                        log.debug(String.format("Successfully verified credentials for %s", identity));
+                    }
+                }
+                catch(AWSSecurityTokenServiceException e) {
+                    throw new STSExceptionMappingService().map(e);
+                }
+            }
             final Path home = new DelegatingHomeFeature(new DefaultPathHomeFeature(host)).find();
             if(home.isRoot()) {
                 if(log.isDebugEnabled()) {