The documentation for assumeRoleWithWebIdentity states "Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials", since this is the API that returns credentials. However, if I don't provide credentials I get an exception. If I provide bogus credentials, then the call succeeds.
SDK Version: 1.11.563
JRE Version: 1.8.0_191
```java
// If I uncomment this it works.
// System.setProperty("aws.accessKeyId", "foo");
// System.setProperty("aws.secretKey", "bar");
AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest()
        .withRoleArn(props.getProperty("roleArn"))
        .withWebIdentityToken(props.getProperty("token"))
        .withRoleSessionName(props.getProperty("roleSessionName"));
AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
        .withRegion(Regions.US_WEST_2).build();
AssumeRoleWithWebIdentityResult result = client.assumeRoleWithWebIdentity(request);
```
```
Exception in thread "main" com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), com.amazonaws.auth.profile.ProfileCredentialsProvider@2a3b5b47: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@a1153bc: Unable to load credentials from service endpoint]
    at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:136)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1225)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:801)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:751)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1389)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1356)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1345)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRoleWithWebIdentity(AWSSecurityTokenServiceClient.java:897)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRoleWithWebIdentity(AWSSecurityTokenServiceClient.java:868)
    at Main.main(Main.java:29)
```
Hi @jkoskela, as you discovered, the SDK always requires some AWSCredentialsProvider at construction time. For your use case, where STS doesn't require any credentials, you can use an instance of AnonymousCredentials:
```java
AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
        .build();
```
Going to go ahead and close this. Please feel free to reopen if you have further questions.
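The full flow discussed in this thread, as an added example that is not code from either poster or from the SDK project: the unsigned `AssumeRoleWithWebIdentity` call is made with anonymous credentials instead of placeholder keys, and the returned temporary credentials are then used for a signed `GetCallerIdentity` call to confirm which role session they resolve to. The class name, the environment variable names `EXAMPLE_ROLE_ARN` and `EXAMPLE_WEB_IDENTITY_TOKEN`, the session name and the 900-second duration are assumptions made for illustration.

```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithWebIdentityRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;

public class WebIdentityExample {

    // Unsigned call: the web identity token is the only proof of identity,
    // so the client is built with AnonymousAWSCredentials rather than dummy keys.
    static Credentials assumeRole(String roleArn, String token, String sessionName) {
        AWSSecurityTokenService anonymousSts = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(Regions.US_WEST_2)
                .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
                .build();
        return anonymousSts.assumeRoleWithWebIdentity(new AssumeRoleWithWebIdentityRequest()
                .withRoleArn(roleArn)
                .withWebIdentityToken(token)
                .withRoleSessionName(sessionName)
                .withDurationSeconds(900)) // shortest session STS allows
                .getCredentials();
    }

    // Signed call: wrap the temporary key, secret and session token and ask STS
    // which principal they belong to before handing them to other clients.
    static String callerArn(Credentials temp) {
        BasicSessionCredentials session = new BasicSessionCredentials(
                temp.getAccessKeyId(), temp.getSecretAccessKey(), temp.getSessionToken());
        AWSSecurityTokenService signedSts = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(Regions.US_WEST_2)
                .withCredentials(new AWSStaticCredentialsProvider(session))
                .build();
        return signedSts.getCallerIdentity(new GetCallerIdentityRequest()).getArn();
    }

    public static void main(String[] args) {
        // Hypothetical environment variable names; supply your own role ARN and token.
        Credentials temp = assumeRole(System.getenv("EXAMPLE_ROLE_ARN"),
                System.getenv("EXAMPLE_WEB_IDENTITY_TOKEN"), "example-session");
        System.out.println("Expires: " + temp.getExpiration());
        System.out.println("Caller:  " + callerArn(temp));
    }
}
```

Building the first client with anonymous credentials keeps placeholder keys out of JVM system properties, where any other SDK client in the same process would pick them up through the default provider chain.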