Using impersonation roles
To access mailbox data, use the Amazon WorkMail API action AssumeImpersonationRole
.
For more details on Amazon WorkMail APIs, see API
Reference.
AssumeImpersonationRole
returns a Token
. This
Token
must be passed within 15 minutes to the EWS protocol through the HTTP header
Authorization
.
The following examples demonstrate how to use impersonation roles with the EWS protocol. The constants used in the examples specify the following details unique to your organization and account:
– Amazon WorkMail organization IDWORKMAIL_ORGANIZATION_ID
– Impersonation role IDIMPERSONATION_ROLE_ID
– EWS endpoint available at Amazon WorkMail endpoints and quotasWORKMAIL_EWS_URL
– Email address of the user mailboxEMAIL_ADDRESS
Example Java – EWS Java API
import software.amazon.awssdk.services.workmail.WorkMailClient; import software.amazon.awssdk.services.workmail.model.AssumeImpersonationRoleRequest; import software.amazon.awssdk.services.workmail.model.AssumeImpersonationRoleResponse; import microsoft.exchange.webservices.data.core.ExchangeService; import microsoft.exchange.webservices.data.core.enumeration.misc.ExchangeVersion; import microsoft.exchange.webservices.data.misc.ImpersonatedUserId; import microsoft.exchange.webservices.data.core.enumeration.misc.ConnectingIdType; // ... AssumeImpersonationRoleResponse response = workMailClient.assumeImpersonationRole( AssumeImpersonationRoleRequest.builder() .organizationId(WORKMAIL_ORGANIZATION_ID
) .impersonationRoleId(IMPERSONATION_ROLE_ID
) .build()); ExchangeService exchangeService = new ExchangeService(ExchangeVersion.Exchange2010_SP2); exchangeService.setUrl(URI.create(WORKMAIL_EWS_URL
)); exchangeService.getHttpHeaders().put("Authorization", "Bearer " + response.token()); exchangeService.setImpersonatedUserId(new ImpersonatedUserId(ConnectingIdType.SmtpAddress,EMAIL_ADDRESS
));
Example .Net – EWS Managed API
using Amazon.WorkMail; using Amazon.WorkMail.Model; using Microsoft.Exchange.WebServices.Data; // ... AssumeImpersonationRoleRequest request = new AssumeImpersonationRoleRequest(); request.OrganizationId =WORKMAIL_ORGANIZATION_ID
; request.ImpersonationRoleId =IMPERSONATION_ROLE_ID
; AssumeImpersonationRoleResponse response = workMailClient.AssumeImpersonationRole(request); ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010_SP2); service.Url = new Uri(WORKMAIL_EWS_URL
); service.HttpHeaders.Add("Authorization", "Bearer " + response.Token); service.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress,EMAIL_ADDRESS
);
Example Python – Exchangelib
import boto3 from requests.auth import AuthBase from exchangelib.transport import AUTH_TYPE_MAP from exchangelib import Configuration, Account, Version, IMPERSONATION from exchangelib.version import EXCHANGE_2010_SP2 work_mail_client = boto3.client("workmail") class ImpersonationRoleAuth(AuthBase): def __init__(self): self.token = work_mail_client.assume_impersonation_role( OrganizationId=WORKMAIL_ORGANIZATION_ID
, ImpersonationRoleId=IMPERSONATION_ROLE_ID
)["Token"] def __call__(self, r): r.headers["Authorization"] = "Bearer " + self.token return r AUTH_TYPE_MAP["ImpersonationRoleAuth"] = ImpersonationRoleAuth ews_config = Configuration( service_endpoint=WORKMAIL_EWS_URL
, version=Version(build=EXCHANGE_2010_SP2), auth_type="ImpersonationRoleAuth" ) ews_account = Account( config=ews_config, primary_smtp_address=EMAIL_ADDRESS
, access_type=IMPERSONATION )