
I have an S3 object which I would like to query/download via the Java AWS SDK, and for this I would be using an AWS Role ARN instead of using credentials.

Is there a way we can do this using AWSCredentialsProvider?

Expecting some means to do this via AWSCredentialsProvider.

Could not find the right interface in the library.


Answers


  1. It is not possible to access Amazon S3 by merely specifying the ARN of an IAM Role. (An ARN is considered public knowledge and does not convey any permissions.)

    To ‘use’ an IAM Role, you first need to use permanent credentials such as those associated with an IAM User.

    Then, using those credentials, you need to call AssumeRole(), passing the ARN of the IAM Role you wish to use (or ‘assume’). The IAM User must have permission to call AssumeRole on the IAM Role.

    Then, you will receive back a set of temporary credentials that you can use to access Amazon S3.

    However, if your code is running on an Amazon EC2 instance and the IAM Role has already been assigned to the EC2 instance, then your code can simply call S3 directly. The credentials will be provided by the EC2 instance metadata service.

  2. To do what you are looking for, you need to use the StsClient service client and invoke the assumeRole() method. This gives you temp creds that you can use to perform an AWS Service operation that includes S3 operations.

    To learn how to do this, I recommend looking at the example in the AWS Code Library where there is a full end-to-end example that performs these tasks:

    1. Creates a user that has no permissions.
    2. Creates a role and policy that grants Amazon S3 permissions.
    3. Creates a role.
    4. Grants the user permissions.
    5. Gets temporary credentials by assuming the role. Creates an Amazon S3 Service client object with the temporary credentials.
    6. Deletes the resources.

    See —

    Create an IAM user and assume a role with AWS STS using an AWS SDK

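The assume-then-download flow both answers describe, as an added example using the AWS SDK for Java 2.x (this is not code from either answerer or from the linked AWS Code Library sample). StsAssumeRoleCredentialsProvider is the SDK's AwsCredentialsProvider implementation the questioner was looking for: it makes the AssumeRole call with the caller's own credentials and refreshes the resulting temporary credentials itself. The role ARN, bucket, key and region below are placeholders.

```java
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.core.ResponseBytes;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectResponse;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class AssumeRoleS3Download {
    // Placeholder values (hypothetical): replace with your own role ARN, bucket and key.
    static final String ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleS3ReadRole";
    static final String BUCKET = "example-bucket";
    static final String KEY = "reports/2024/summary.csv";
    static final Region REGION = Region.US_EAST_1;

    // Returns an AwsCredentialsProvider that assumes roleArn through STS.
    // The caller's own credentials (IAM user keys, or the EC2 instance role found by
    // the default chain) are used only for the AssumeRole call; the provider then
    // hands out the role's temporary credentials and refreshes them before expiry.
    static AwsCredentialsProvider assumeRoleProvider(String roleArn) {
        StsClient sts = StsClient.builder()
                .region(REGION)
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();
        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName("s3-download-" + System.currentTimeMillis()) // visible in CloudTrail
                .durationSeconds(900) // shortest allowed session: limits the lifetime of the token
                .build();
        return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(request)
                .build();
    }

    public static void main(String[] args) {
        // The S3 client never sees the permanent credentials, only the role's temporary ones.
        try (S3Client s3 = S3Client.builder()
                .region(REGION)
                .credentialsProvider(assumeRoleProvider(ROLE_ARN))
                .build()) {
            GetObjectRequest get = GetObjectRequest.builder().bucket(BUCKET).key(KEY).build();
            ResponseBytes<GetObjectResponse> body = s3.getObjectAsBytes(get);
            System.out.println("Downloaded " + body.asByteArray().length + " bytes from s3://" + BUCKET + "/" + KEY);
        }
    }
}
```

The caller still needs credentials with sts:AssumeRole permission on the role, and the role's trust policy must name that caller, exactly as answer 1 states. In the 1.x SDK the equivalent class is STSAssumeRoleSessionCredentialsProvider.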