Looking for an example of using role-based access to S3 files. I have the role defined and would be using it from a Java Spring Boot service running in K8S.
Would like a code example like https://github.com/isuftin/s3-access-example/blob/master/src/main/java/gov/usgs/cida/aws/AwsS3AccessUtil.java, only using the AWS SDK V2.
Not sure which CredentialProvider to use, STSAssumeRoleCredentialsProvider? Also not sure how to create the initial StsClient? Is InstanceProfileCredentialProvider the right one to use? I'
Latest attempt is returning 403's.
```java
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class AWSFileProvider {
    private final String bucketName;
    private final S3Client client;

    public AWSFileProvider(String roleName, String bucketName) {
        this.bucketName = bucketName;
        String roleSessionName = "WBCSession-" + Thread.currentThread().getId();
        AwsCredentialsProvider awsCredentialsProvider = roleCredentialsProvider(roleName, roleSessionName);
        // S3 calls are signed with the assumed-role credentials, not the pod's own identity
        this.client = S3Client.builder()
                .region(Region.US_EAST_1)
                .credentialsProvider(awsCredentialsProvider)
                .build();
    }

    // roleArn must be the full ARN of the role to assume (arn:aws:iam::<account>:role/<name>)
    private StsAssumeRoleCredentialsProvider roleCredentialsProvider(String roleArn, String roleSessionName) {
        // STS client authenticates as the instance profile (via the metadata endpoint)
        InstanceProfileCredentialsProvider instanceProfileCredentialsProvider = InstanceProfileCredentialsProvider.create();
        StsClient stsClient = StsClient.builder()
                .region(Region.US_EAST_1)
                .credentialsProvider(instanceProfileCredentialsProvider)
                .build();
        AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(roleSessionName)
                .build();
        return StsAssumeRoleCredentialsProvider.builder()
                .refreshRequest(assumeRoleRequest)
                .stsClient(stsClient)
                .build();
    }
}
```
We also have a podAnnotation in our helm charts (used by K8S):

```yaml
podAnnotations:
  iam.amazonaws.com/role: wbc-s3-allow-assume
```

SDK2, Java 11, compiling on Linux-based Jenkins, deploying to AWS K8S environment (EKS).
Figured it out on my own...
```java
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class AWSFileProvider {
    private final String bucketName;
    private final S3Client client;

    public AWSFileProvider(String roleName, String bucketName) {
        this.bucketName = bucketName;
        String roleSessionName = "WBCSession-" + Thread.currentThread().getId();
        AwsCredentialsProvider awsCredentialsProvider = roleCredentialsProvider(roleName, roleSessionName);
        this.client = S3Client.builder()
                .region(Region.US_EAST_1)
                .credentialsProvider(awsCredentialsProvider)
                .build();
    }

    // roleArn must be the full ARN of the role to assume (arn:aws:iam::<account>:role/<name>)
    private AwsCredentialsProvider roleCredentialsProvider(String roleArn, String roleSessionName) {
        AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(roleSessionName)
                .build();
        // No explicit credentials provider: the STS client uses the SDK default chain,
        // which resolves the pod's identity from the environment it runs in
        StsClient stsClient = StsClient.builder().region(Region.US_EAST_1).build();
        return StsAssumeRoleCredentialsProvider
                .builder()
                .stsClient(stsClient).refreshRequest(assumeRoleRequest)
                // refresh the temporary credentials in the background before they expire
                .asyncCredentialUpdateEnabled(true)
                .build();
    }
}
```
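The answer above shows how to wire the provider; what it does not show is how to tell a failed `AssumeRole` apart from an S3 `403` on the assumed session, which is the first thing to check when a pod reports access denied. The class below is an added example written for this thread, not code from the original poster or from the AWS SDK samples. Everything in it is assumed: the class name, the placeholder role ARN (account id `123456789012` is fake), the bucket and key names passed by the caller, and the 900-second session duration. It follows the same SDK V2 calls as the answer, adds `GetCallerIdentity` on both the pod identity and the assumed session so the two can be compared with the IAM policies, and maps the two failure modes to distinct errors.

```java
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.core.ResponseBytes;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectResponse;
import software.amazon.awssdk.services.s3.model.ListObjectsV2Request;
import software.amazon.awssdk.services.s3.model.S3Exception;
import software.amazon.awssdk.services.s3.model.S3Object;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.StsException;

import java.util.List;
import java.util.stream.Collectors;

/** Illustrative class for this thread; not from the original poster or the SDK. */
public class AssumedRoleS3Reader implements AutoCloseable {

    // Placeholder values (assumed). AssumeRole needs the full role ARN, not just the role name.
    static final String ROLE_ARN = "arn:aws:iam::123456789012:role/wbc-s3-allow-assume";
    static final Region REGION = Region.US_EAST_1;

    private final StsClient sts;
    private final StsAssumeRoleCredentialsProvider roleCreds;
    private final S3Client s3;

    public AssumedRoleS3Reader(String roleArn, String sessionName) {
        // The STS client runs as the pod's own identity: the default chain resolves
        // whatever the environment provides (metadata endpoint, web-identity token, etc.).
        this.sts = StsClient.builder()
                .region(REGION)
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();

        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(sessionName) // recorded in CloudTrail as the session identity
                .durationSeconds(900)         // short-lived; the provider refreshes before expiry
                .build();

        this.roleCreds = StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(request)
                .asyncCredentialUpdateEnabled(true)
                .build();

        // S3 requests are signed with the assumed-role session, never with the pod identity.
        this.s3 = S3Client.builder().region(REGION).credentialsProvider(roleCreds).build();
    }

    /** ARN of the principal the pod runs as, i.e. the identity that must be trusted by ROLE_ARN. */
    public String podIdentity() {
        return sts.getCallerIdentity().arn();
    }

    /** ARN of the assumed-role session; throws StsException if the assumption itself is refused. */
    public String assumedIdentity() {
        try (StsClient assumed = StsClient.builder().region(REGION).credentialsProvider(roleCreds).build()) {
            return assumed.getCallerIdentity().arn();
        }
    }

    public List<String> listKeys(String bucket, int max) {
        ListObjectsV2Request req = ListObjectsV2Request.builder().bucket(bucket).maxKeys(max).build();
        return s3.listObjectsV2(req).contents().stream().map(S3Object::key).collect(Collectors.toList());
    }

    public byte[] read(String bucket, String key) {
        try {
            ResponseBytes<GetObjectResponse> bytes = s3.getObjectAsBytes(
                    GetObjectRequest.builder().bucket(bucket).key(key).build());
            return bytes.asByteArray();
        } catch (StsException e) {
            // AssumeRole was refused: the pod identity is not in the role's trust policy
            // or lacks sts:AssumeRole on it. No S3 request was ever made.
            throw new IllegalStateException("Cannot assume " + ROLE_ARN + " as " + podIdentity(), e);
        } catch (S3Exception e) {
            if (e.statusCode() == 403) {
                // The role was assumed fine; S3 denied the session. Check the role's
                // permissions policy and the bucket policy against the session ARN.
                throw new IllegalStateException("S3 denied " + assumedIdentity()
                        + " on s3://" + bucket + "/" + key, e);
            }
            throw e;
        }
    }

    @Override
    public void close() {
        s3.close();
        roleCreds.close();
        sts.close();
    }
}
```

Two things the kube2iam annotation in the question does not settle on its own: the pod annotation only decides which identity `podIdentity()` returns; that identity still needs `sts:AssumeRole` on the target role, and the target role's trust policy must name it as a principal. The two `getCallerIdentity` helpers exist so that both ARNs can be read from the pod and compared with those policies, which is usually faster than guessing at the cause of a `403`.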
Thank you for posting! This is a big help.