Two additional ways of access in AWS S3 (loic-sharma#277)

* Add Assume Role option

If AWS AssumeRoleArn is specified, the ServiceCollectionExtensions for S3 gets FallbackCredentials (instance profile) then uses those credentials to assume the role specified in AssumeRoleArn. The AssumeRoleCredentials class in AwsIamHelper manages session timeouts automatically by validating and retrieving a new token on use.

* Adding the option for UseInstanceProfile back

As it seems the credentials will not time out. The role assumption works also, and is useful for assuming a role for cross account access.

* Update nuget version of newtonsoft, to pass the build test pipeline

Author: richarddowner

src/BaGet.AWS/Configuration/S3StorageOptions.cs

@@ -1,4 +1,4 @@
-using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations;
 using BaGet.Core.Validation;
 
 namespace BaGet.AWS.Configuration
@@ -18,5 +18,9 @@ public class S3StorageOptions
         public string Bucket { get; set; }
 
         public string Prefix { get; set; }
+
+        public bool UseInstanceProfile { get; set; }
+
+        public string AssumeRoleArn { get; set; }
     }
 }

src/BaGet.AWS/Extensions/ServiceCollectionExtensions.cs

@@ -1,7 +1,9 @@
+using System;
 using Amazon;
 using Amazon.Runtime;
 using Amazon.S3;
 using BaGet.AWS.Configuration;
+using BaGet.AWS.Helpers;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 
@@ -20,6 +22,22 @@ public static IServiceCollection AddS3StorageService(this IServiceCollection ser
                     RegionEndpoint = RegionEndpoint.GetBySystemName(options.Region)
                 };
 
+                if (options.UseInstanceProfile)
+                {
+                    var credentials = FallbackCredentialsFactory.GetCredentials();
+                    return new AmazonS3Client(credentials, config);
+                }
+                
+                if (!string.IsNullOrEmpty(options.AssumeRoleArn))
+                {
+                    var credentials = FallbackCredentialsFactory.GetCredentials();
+                    var assumedCredentials = AwsIamHelper
+                        .AssumeRoleAsync(credentials, options.AssumeRoleArn, $"BaGet-Session-{Guid.NewGuid()}").GetAwaiter().GetResult();
+
+                    return new AmazonS3Client(assumedCredentials, config);
+                }
+                    
+
                 if (!string.IsNullOrEmpty(options.AccessKey))
                     return new AmazonS3Client(new BasicAWSCredentials(options.AccessKey, options.SecretKey), config);
 

src/BaGet.AWS/Helpers/AwsIamHelper.cs

@@ -0,0 +1,23 @@
+using System;
+using System.Threading.Tasks;
+using Amazon.Runtime;
+
+namespace BaGet.AWS.Helpers
+{
+    public static class AwsIamHelper
+    {
+        public static async Task<AWSCredentials> AssumeRoleAsync(AWSCredentials credentials, string roleArn,
+            string roleSessionName)
+        {
+            var assumedCredentials = new AssumeRoleAWSCredentials(credentials, roleArn, roleSessionName);
+            var immutableCredentials = await credentials.GetCredentialsAsync();
+
+            if (string.IsNullOrWhiteSpace(immutableCredentials.Token))
+            {
+                throw new InvalidOperationException($"Unable to assume role {roleArn}");
+            }
+
+            return assumedCredentials;
+        }
+    }
+}