How to use IAM role with AWS Java SDK
Solution 1
You can use role based authentication only on EC2 Instances, ECS Containers and Lambda functions. It is not possible to use them locally or on on premise servers.
DefaultAWSCredentialsProviderChain will automatically pick the EC2 Instance Role if it can't find the credentials via any of other methods. You can also create a custom AWSCredentialsProviderChain object with only injecting a instance of InstanceProfileCredentialsProvider to it like here
AWSCredentialsProviderChain myCustomChain = new AWSCredentialsProviderChain(new InstanceProfileCredentialsProvider());
For more info: https://docs.aws.amazon.com/java-sdk/latest/developer-guide/java-dg-roles.html
Solution 2
It's been a while, but this is not currently the case, it is now possible to use assume role with the Java SDK with a user. You can configure credentials in your .aws/credentials
file as follows:
[useraccount]
aws_access_key_id=<key>
aws_secret_access_key=<secret>
[somerole]
role_arn=<the ARN of the role you want to assume>
source_profile=useraccount
Then, when you launch, set an environment variable: AWS_PROFILE=somerole
The SDK will use the credentials defined in useraccount
to call assumeRole
with the role_arn
you provided. You'll of course need to be sure that the user with those credentials has the permissions to assume that role.
Note that if you're not including the full Java SDK in your project (i.e. you're including just the libraries for the services you need), you also need to include the aws-java-sdk-sts
library in your classpath for this to work.
It is also possible to do all of this programmatically using STSAssumeRoleSessionCredentialsProvider
, but this would require you to directly configure all of the services so it might not be as convenient as the profile approach which should just work for all services.
Lovey
Can code, cook, cheer, care..in short....Nothing special.....but passionately curious.............:)
Updated on June 07, 2022Comments
-
Lovey almost 2 years
My use case is as follows:
I need to push some data into AWS SQS queue using JAVA SDK and by help of IAM role (not using credential provider implementation).
Is there any way to do that?
Thanks for help in advance.
-
Lovey over 7 yearsThanks for the reply! IAM roles can also be associated on in ECS level (task/container). Not sure why you are saying that its limitation is only on EC2 level.
-
Çağatay Gürtürk over 7 yearsSorry, I know it's a new functionality and that's why I just forgot. Lambda functions also can use roles.
-
Mr.Pramod Anarase over 5 yearsquestion is regarding not to use credentials but in your answer you indirectly using credential only, right?
-
janos almost 5 yearsThanks, this really helped me out. Btw, the aws-java-sdk-sts" in gradle is the artifact
software.amazon.awssdk:sts:VERSION
(confirmed it works with version =2.5.29
) -
Ben M almost 3 yearsGradle has nothign to do with it. I think what you meant is: The Artifact to use when using the AWS SDK for Java 2.x is
software.amazon.awssdk:sts
vscom.amazonaws:aws-java-sdk-sts
for of the AWS SDK for Java 1.x