AWS S3 upload without access and secret key in Java

Solution 1

You can use the below Java code to get the s3client instance when you are trying to connect to an S3 bucket from an EC2 instance.

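import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
        .withCredentials(new InstanceProfileCredentialsProvider(false))
        .build();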

This is the recommended way, as the application doesn't need to maintain the access keys in property files.

  • An IAM role should be created and S3 access should be provided for that role. See the sample policy below.
  • The IAM role should be assigned to the EC2 instance.

Sample policy for the IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::yourBucketName",
                "arn:aws:s3:::yourBucketName/*"
            ],
            "Effect": "Allow",
            "Sid": "AllowBucketLinux"
        }
    ]
}

Solution 2

As per the documentation, the AWS credentials provider chain looks for credentials in this order:

  1. Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (RECOMMENDED since they are recognized by all the AWS SDKs and CLI except for .NET), or AWS_ACCESS_KEY and AWS_SECRET_KEY (only recognized by Java SDK)
  2. Java System Properties - aws.accessKeyId and aws.secretKey
  3. Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI
  4. Credentials delivered through the Amazon EC2 container service if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and the security manager has permission to access the variable
  5. Instance profile credentials delivered through the Amazon EC2 metadata service

Check that you have specified valid credentials in one of the above.
Ref: http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
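
To see which of the five sources listed above actually supplies credentials on a host, and whether a long-lived key is shadowing the instance role, the following added example probes each source in the listed order. It is not code from the original answers; it assumes the AWS SDK for Java v1 is on the classpath, and `CredentialSourceCheck` and `mask` are hypothetical names.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical diagnostic class for this example (not part of the AWS SDK).
public class CredentialSourceCheck {
    // Print only the last four characters of an access key ID.
    static String mask(String id) {
        return (id == null || id.length() <= 4) ? "****" : "****" + id.substring(id.length() - 4);
    }

    public static void main(String[] args) {
        // Same order as the five sources listed above.
        Map<String, AWSCredentialsProvider> sources = new LinkedHashMap<>();
        sources.put("1. environment variables", new EnvironmentVariableCredentialsProvider());
        sources.put("2. Java system properties", new SystemPropertiesCredentialsProvider());
        sources.put("3. ~/.aws/credentials profile", new ProfileCredentialsProvider());
        // The wrapper falls back to the instance profile when the variable is unset, so probe it only when set.
        if (System.getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") != null) {
            sources.put("4. container credentials", new EC2ContainerCredentialsProviderWrapper());
        }
        sources.put("5. instance profile (IAM role)", InstanceProfileCredentialsProvider.getInstance());

        boolean found = false;
        for (Map.Entry<String, AWSCredentialsProvider> e : sources.entrySet()) {
            try {
                AWSCredentials c = e.getValue().getCredentials();
                // Session credentials carry a token and expire; anything else is a long-lived key.
                String kind = (c instanceof AWSSessionCredentials) ? "temporary" : "LONG-LIVED";
                System.out.printf("%-32s %s key %s%s%n", e.getKey(), kind,
                        mask(c.getAWSAccessKeyId()), found ? "" : "  <- used by the default chain");
                found = true;
            } catch (RuntimeException ex) {
                // Providers report "nothing here" with an unchecked exception.
                System.out.printf("%-32s none (%s)%n", e.getKey(), ex.getClass().getSimpleName());
            }
        }
        if (!found) {
            System.out.println("No source resolved; the default chain would fail to load credentials.");
        }
    }
}
```

A `LONG-LIVED` line above the instance profile entry means a static key in the environment, system properties or profile file takes precedence over the IAM role on that host.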

Author by

Sudipto Das

Updated on June 15, 2022

Comments

  • Sudipto Das almost 2 years

    I want to upload a file to S3 without using my access and secret key from an AWS server. AWS keys should be taken as default. However, running the below command on the server, I can access it without providing any access and secret keys.

    aws s3 cp somefile.txt s3://somebucket/

    From Java code it's not accessible, since it was unable to load credentials. Below is my code.

    AmazonS3 s3client = new AmazonS3Client(new DefaultAWSCredentialsProviderChain());
    
  • vamsiampolu over 6 years
    The version of the API v1.11.22 does not have a builder API for S3. How can I do it in that case? Please take a look at my question stackoverflow.com/questions/47763573/…