
I am trying to connect to my AWS S3 client using a roleArn instead of a static secretKey and accessKey.

For the roleArn I created the following trust relationship:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Sid": "",
   "Effect": "Allow",
   "Principal": {
    "Service": "s3.amazonaws.com"
   },
   "Action": "sts:AssumeRole"
  }
 ]
}

and I attached a policy for S3 operations to it:

{
 ...,
 {
  "Action": [
   "s3:CreateBucket",
   "s3:DeleteBucket",
   "s3:DeleteObject",
   "s3:Get*",
   "s3:Put*"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:s3:::*partOfMyBucketName*"
 }
}

Here is my AwsS3Configuration.java class:

import static com.amazonaws.regions.Regions.US_EAST_1;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AwsS3Configuration {

    @Value("${aws.roleArn}")
    private String roleARN;

    @Bean
    public AmazonS3 awsS3client() {
        try {
            // STS client built without explicit credentials: it falls back to the default provider chain
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(US_EAST_1)
                .build();
            AssumeRoleRequest roleRequest = new AssumeRoleRequest()
                .withRoleArn(roleARN)
                .withRoleSessionName("sessionName");
            AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
            Credentials sessionCredentials = roleResponse.getCredentials();
            // Temporary credentials returned by AssumeRole (v1 Credentials exposes getSecretAccessKey())
            BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
                sessionCredentials.getAccessKeyId(),
                sessionCredentials.getSecretAccessKey(),
                sessionCredentials.getSessionToken()
            );
            return AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                .withRegion(US_EAST_1)
                .build();
        } catch (AmazonServiceException e) {
            e.printStackTrace();
        } catch (SdkClientException e) {
            e.printStackTrace();
        }
        return null;
    }
}

With this configuration I am getting the exception below:

com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from envrionment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: Unable to execute HTTP request: Connect to sts.us-east-1.amazonaws.com:443 [sts.us-east-1.amazonaws.com/209.54.177.185] failed: Connect timed out, com.amazonaws.auth.profile.ProfileCredentialsProvider@2de0f3e3: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@6f102740: Failed to connect to service endpoint: ]

Do you know if I am missing something?


Answers


  1. There is an AWS SDK for Java V2 example that shows this use case. You should upgrade to V2, as V1 is on the road to deprecation. See:

    https://aws.amazon.com/blogs/developer/announcing-end-of-support-for-aws-sdk-for-java-v1-x-on-december-31-2025/

    You can find this code example in AWS Code Lib:

    https://docs.aws.amazon.com/code-library/latest/ug/iam_example_iam_Scenario_CreateUserAssumeRole_section.html

    Notice this is shown in the code:

    [screenshot from the linked example; image not preserved]

  2. The role you have created should be attached to something (a service or a user) within AWS; then you can use it from outside if you attached it to a user.

    But you're creating the role within AWS, and you want something from outside, which doesn't have any credentials to connect to your AWS account, to consume it. You need to create a programmatic user to be able to access the AWS account, which in this case means the secret key and access key; then you attach this role to that programmatic user.

    And if you want to use that role within AWS and your code is running in an EC2 instance or something, then you just have to attach that role to the service, without using sessionCredentials. The sessionCredentials can be useful if you're outside, and if you have an accessKey and secretKey, not by a ROLE.

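The setup the second answer describes, as an added example (not code from the question or from either answer): the AssumeRole call itself needs base credentials, so the STS client is built on the default provider chain (environment variables or a profile when the code runs outside AWS, the instance profile when it runs on EC2), and the S3 client takes its credentials from STSAssumeRoleSessionCredentialsProvider, which re-assumes the role before the temporary credentials expire instead of freezing one session in a static provider. The class name, the aws.roleSessionName and aws.roleExternalId properties, the session duration and the region are assumptions; it also assumes the role's trust policy names the caller's identity as a principal allowed to call sts:AssumeRole.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AwsS3RoleConfiguration {   // hypothetical class name, not from the question

    @Value("${aws.roleArn}")
    private String roleArn;

    // Assumed property. The session name is recorded in CloudTrail, so make it identify the caller.
    @Value("${aws.roleSessionName:s3-client}")
    private String roleSessionName;

    // Assumed property. Leave empty unless the role's trust policy carries an sts:ExternalId condition.
    @Value("${aws.roleExternalId:}")
    private String roleExternalId;

    @Bean
    public AWSCredentialsProvider assumedRoleCredentials() {
        // The caller's own identity: access key from env vars / profile outside AWS,
        // the instance profile on EC2. This is what the trust policy must allow to assume the role.
        AWSCredentialsProvider baseCredentials = DefaultAWSCredentialsProviderChain.getInstance();

        AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(baseCredentials)
                .withRegion(Regions.US_EAST_1)
                .build();

        STSAssumeRoleSessionCredentialsProvider.Builder builder =
                new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, roleSessionName)
                        .withStsClient(stsClient)
                        // 900 s is the shortest STS session; the provider refreshes it automatically,
                        // so a leaked credential is usable for minutes rather than an hour.
                        .withRoleSessionDurationSeconds(900);
        if (!roleExternalId.isEmpty()) {
            builder.withExternalId(roleExternalId);
        }
        return builder.build();
    }

    @Bean
    public AmazonS3 awsS3client(AWSCredentialsProvider assumedRoleCredentials) {
        // No try/catch that returns null: a misconfigured role should fail the Spring context
        // at startup rather than surface later as a NullPointerException inside S3 calls.
        return AmazonS3ClientBuilder.standard()
                .withCredentials(assumedRoleCredentials)
                .withRegion(Regions.US_EAST_1)
                .build();
    }
}
```

The example stays on SDK v1 because that is what the question uses; in the v2 SDK the first answer recommends, the equivalent refreshing provider is StsAssumeRoleCredentialsProvider in the sts module. When the application runs on EC2 or another AWS compute service, the second answer's simpler option applies: attach the role to the instance or task and build the S3 client with no credentials at all, letting the default chain pick up the instance profile.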