Aws-sdk-java-v2: Example of role based access using S3Client?

Created on 16 Nov 2019 · 2 comments · Source: aws/aws-sdk-java-v2

Looking for an example for using role-based access to S3 files. I have the role defined and would be using it from java spring boot service running in K8S.

Expected Behavior

Would like code example like https://github.com/isuftin/s3-access-example/blob/master/src/main/java/gov/usgs/cida/aws/AwsS3AccessUtil.java only using the AWS SDK V2.

Current Behavior

Not sure which CredentialProvider to use, STSAssumeRoleCredentialsProvider? Also not sure how to create the initial StsClient? Is InstanceProfileCredentialProvider the right one to use? I'

Latest attempt is returning 403's.

    import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
    import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
    import software.amazon.awssdk.regions.Region;
    import software.amazon.awssdk.services.s3.S3Client;
    import software.amazon.awssdk.services.sts.StsClient;
    import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
    import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

    public class AWSFileProvider {
        private final String bucketName;
        private final S3Client client;

        public AWSFileProvider(String roleName, String bucketName) {
            this.bucketName = bucketName;
            String roleSessionName = "WBCSession-" + Thread.currentThread().getId();
            AwsCredentialsProvider awsCredentialsProvider = roleCredentialsProvider(roleName, roleSessionName);

            this.client = S3Client.builder()
                    .region(Region.US_EAST_1)
                    .credentialsProvider(awsCredentialsProvider)
                    .build();
        }

        // roleArn is the full ARN of the role to assume (arn:aws:iam::<account>:role/<name>)
        private StsAssumeRoleCredentialsProvider roleCredentialsProvider(String roleArn, String roleSessionName) {
            // Base credentials for the STS call come from the EC2 instance metadata endpoint
            InstanceProfileCredentialsProvider instanceProfileCredentialsProvider = InstanceProfileCredentialsProvider.create();
            StsClient stsClient = StsClient.builder()
                    .region(Region.US_EAST_1)
                    .credentialsProvider(instanceProfileCredentialsProvider)
                    .build();

            AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
                    .roleArn(roleArn)
                    .roleSessionName(roleSessionName)
                    .build();

            // The provider calls AssumeRole and refreshes the session before it expires
            return StsAssumeRoleCredentialsProvider.builder()
                    .refreshRequest(assumeRoleRequest)
                    .stsClient(stsClient)
                    .build();
        }
    }

We also have a podAnnotation in our helm charts (used by K8S)

podAnnotations:
  iam.amazonaws.com/role: wbc-s3-allow-assume

Your Environment

  • AWS Java SDK version used:
  • JDK version used:
  • Operating System and version:

SDK2, Java 11, compiling on Linux based Jenkins, deploying to AWS K8S environment (EKS)

guidance

Most helpful comment

Figured it out on my own...

    import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
    import software.amazon.awssdk.regions.Region;
    import software.amazon.awssdk.services.s3.S3Client;
    import software.amazon.awssdk.services.sts.StsClient;
    import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
    import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

    public class AWSFileProvider {
        private final String bucketName;
        private final S3Client client;

        public AWSFileProvider(String roleName, String bucketName) {
            this.bucketName = bucketName;
            String roleSessionName = "WBCSession-" + Thread.currentThread().getId();
            AwsCredentialsProvider awsCredentialsProvider = roleCredentialsProvider(roleName, roleSessionName);

            this.client = S3Client.builder()
                    .region(Region.US_EAST_1)
                    .credentialsProvider(awsCredentialsProvider)
                    .build();
        }

        // roleArn is the full ARN of the role to assume (arn:aws:iam::<account>:role/<name>)
        private AwsCredentialsProvider roleCredentialsProvider(String roleArn, String roleSessionName) {
            AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
                    .roleArn(roleArn)
                    .roleSessionName(roleSessionName)
                    .build();

            // No explicit provider: the STS client uses the SDK's default credential chain
            StsClient stsClient = StsClient.builder().region(Region.US_EAST_1).build();

            return StsAssumeRoleCredentialsProvider
                    .builder()
                    .stsClient(stsClient)
                    .refreshRequest(assumeRoleRequest)
                    .asyncCredentialUpdateEnabled(true)
                    .build();
        }
    }
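A complete version of the pattern from the question and from the comment above, written here as an added example; it is not the issue author's code and not part of aws-sdk-java-v2. It assumes the SDK v2 `sts` and `s3` modules are on the classpath and that the pod already has base credentials for the default chain (an IRSA web-identity token, the instance profile, or a metadata proxy such as kube2iam honouring the `iam.amazonaws.com/role` annotation). The role ARN, bucket name and object key in `main` are placeholders. Beyond the comment's code it adds three things a reviewer would want: a check that the value handed to AssumeRole is an ARN rather than a bare role name (the question passes a `roleName` variable into a `roleArn` parameter), a CloudTrail-friendly session name within STS's 64-character limit, and a GetCallerIdentity call made with the assumed credentials so a 403 from S3 can be attributed to the right principal.

```java
import java.time.Duration;
import java.util.Optional;
import java.util.regex.Pattern;

import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

/** Added example (not from the issue or the SDK): S3 access under an assumed IAM role. */
public final class AssumedRoleS3Access implements AutoCloseable {

    // Full role ARN in any AWS partition; AssumeRole rejects a bare role name.
    private static final Pattern ROLE_ARN =
            Pattern.compile("^arn:aws[\\w-]*:iam::\\d{12}:role/[\\w+=,.@/-]+$");
    // Characters STS does not allow in a session name.
    private static final Pattern SESSION_NAME_BAD = Pattern.compile("[^\\w+=,.@-]");

    private final Region region;
    private final String bucketName;
    private final StsClient stsClient;
    private final StsAssumeRoleCredentialsProvider roleCredentials;
    private final S3Client s3;

    public AssumedRoleS3Access(String roleArn, String bucketName, Region region) {
        if (!ROLE_ARN.matcher(roleArn).matches()) {
            throw new IllegalArgumentException("roleArn must be a full IAM role ARN, got: " + roleArn);
        }
        this.region = region;
        this.bucketName = bucketName;

        // Base identity from the default chain (IRSA token, instance profile, or metadata proxy).
        this.stsClient = StsClient.builder()
                .region(region)
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();

        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(sessionName("wbc-s3"))
                // 15 minutes is the shortest session STS allows; the provider refreshes as needed.
                .durationSeconds((int) Duration.ofMinutes(15).getSeconds())
                .build();

        // Refreshes the session before expiry; async so refresh does not block S3 calls.
        this.roleCredentials = StsAssumeRoleCredentialsProvider.builder()
                .stsClient(stsClient)
                .refreshRequest(request)
                .asyncCredentialUpdateEnabled(true)
                .build();

        this.s3 = S3Client.builder().region(region).credentialsProvider(roleCredentials).build();
    }

    /** Session name as CloudTrail records it: app, pod (HOSTNAME on Kubernetes) and thread, sanitised. */
    static String sessionName(String app) {
        String pod = Optional.ofNullable(System.getenv("HOSTNAME")).orElse("unknown-host");
        String raw = app + "-" + pod + "-" + Thread.currentThread().getId();
        String clean = SESSION_NAME_BAD.matcher(raw).replaceAll("_");
        return clean.length() > 64 ? clean.substring(0, 64) : clean;
    }

    /** Who S3 actually sees: if this is not the expected role, the 403 is a trust or policy issue. */
    public String assumedIdentityArn() {
        try (StsClient asRole = StsClient.builder()
                .region(region)
                .credentialsProvider(roleCredentials)
                .build()) {
            return asRole.getCallerIdentity().arn();
        }
    }

    public String readUtf8(String key) {
        GetObjectRequest req = GetObjectRequest.builder().bucket(bucketName).key(key).build();
        return s3.getObjectAsBytes(req).asUtf8String();
    }

    @Override
    public void close() {
        s3.close();
        roleCredentials.close();
        stsClient.close();
    }

    public static void main(String[] args) {
        // Placeholder values; supply the real role ARN and bucket as arguments.
        String roleArn = args.length > 0 ? args[0] : "arn:aws:iam::123456789012:role/wbc-s3-allow-assume";
        String bucket = args.length > 1 ? args[1] : "example-bucket";
        try (AssumedRoleS3Access access = new AssumedRoleS3Access(roleArn, bucket, Region.US_EAST_1)) {
            System.out.println("Running as: " + access.assumedIdentityArn());
            System.out.println(access.readUtf8("hello.txt").length() + " bytes read");
        }
    }
}
```

The `assumedIdentityArn()` call is the useful diagnostic for the 403 described in the question: it fails if the base credentials cannot assume the role at all (trust policy), and if it succeeds but S3 still returns 403, the bucket or role policy for that assumed-role ARN is what to inspect.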

All 2 comments

thank you for posting! this is a big help.
