Spring-cloud-aws: Add ability to configure your own AWSCredentialsProvider

Created on 30 Sep 2015  路  12Comments  路  Source: spring-cloud/spring-cloud-aws

The Spring boot auto configuration will always register an AWSCredentialsProvider making it impossible to register your own.

Adding a conditional to ContextCredentialsAutoConfiguration

@ConditionalOnMissingBean(AWSCredentialsProvider.class)
@Configuration
@Import({ContextDefaultConfigurationRegistrar.class, ContextCredentialsAutoConfiguration.Registrar.class})
public class ContextCredentialsAutoConfiguration {

would allow for something like

    @Bean(name = {CredentialsProviderFactoryBean.CREDENTIALS_PROVIDER_BEAN_NAME, AmazonWebserviceClientConfigurationUtils.CREDENTIALS_PROVIDER_BEAN_NAME} )
    public static AWSCredentialsProviderChain credentialsProvider(Environment environment) {
        return new AWSCredentialsProviderChain(
                new EnvironmentVariableCredentialsProvider(),
                new SystemPropertiesCredentialsProvider(),
                new ProfileCredentialsProvider(),
                new InstanceProfileCredentialsProvider(),
                new StaticCredentialsProvider(new BasicAWSCredentials(environment.getProperty("cloud.aws.credentials.accessKey",""),
                        environment.getProperty("cloud.aws.credentials.secretKey",""))));
    }
core enhancement

Most helpful comment

I'm not one of the authors, @Qvazar - it seems that there's no way to avoid it registering a credentials provider factory in the bean registry with a certain name - but it _seems_ like you can at least get it to _not_ use that provider chain by making your own and marking it as @Primary

Try doing something like this:

    @Bean
    @Primary
    public AWSCredentialsProvider awsCredentialsProvider() {
        return new DefaultAWSCredentialsProviderChain();
    }

The DefaultAWSCredentialsProviderChain is pretty darn good. It has several providers it wraps and one of them is the EC2ConatinerCredentialsProviderWrapper that will should pull the credentials out for you...

(In #170 I have a patch that would make this thing use the DefaultAWSCredentialsProviderChain, but in the long term I really wonder if it wouldn't be better to remove all of this stuff altogether and have people either use the DefaultAWSCredentialsProviderChain or if they need a different one have them create their own @Bean)

All 12 comments

It also seems that the documentation is not in line with the behavior -

the documentation state at http://cloud.spring.io/spring-cloud-aws/spring-cloud-aws.html states:

"The com.amazonaws.auth.DefaultAWSCredentialsProviderChain is used by all the clients if there is no dedicated credentials provider defined."

The ContextCredentialsAutoConfiguration seems to always create its own credentials provider - but I really _do_ want the DefaultAWSCredentialsProviderChain

Bump.
I need to use ContainerCredentialsProvider inside an ECS container to get the IAM role credentials assigned to the container.
How would I do this currently with 1.1.1?

I'm not one of the authors, @Qvazar - it seems that there's no way to avoid it registering a credentials provider factory in the bean registry with a certain name - but it _seems_ like you can at least get it to _not_ use that provider chain by making your own and marking it as @Primary

Try doing something like this:

    @Bean
    @Primary
    public AWSCredentialsProvider awsCredentialsProvider() {
        return new DefaultAWSCredentialsProviderChain();
    }

The DefaultAWSCredentialsProviderChain is pretty darn good. It has several providers it wraps and one of them is the EC2ConatinerCredentialsProviderWrapper that will should pull the credentials out for you...

(In #170 I have a patch that would make this thing use the DefaultAWSCredentialsProviderChain, but in the long term I really wonder if it wouldn't be better to remove all of this stuff altogether and have people either use the DefaultAWSCredentialsProviderChain or if they need a different one have them create their own @Bean)

That seems to work great, thank you @ryangardner !

I also had to name the bean org.springframework.cloud.aws.core.credentials.CredentialsProviderFactoryBean#CREDENTIALS_PROVIDER_BEAN_NAME for mine take precedence.

Sincere request to maintainers @spencergibb to provide a way to allow to use custom awsCredentialsProvider, much more required with @Profile support for different work env

@rverma-nikiai this is a community maintained project, it is currently assigned to @aemruli

In case anyone still stumbles upon this and needs Default AWS chain, there is an option now to use it. Just set cloud.aws.credentials.useDefaultAwsCredentialsChain to true in your app properties.

See here: https://github.com/spring-cloud/spring-cloud-aws/blob/master/docs/src/main/asciidoc/spring-cloud-aws.adoc#configuring-credentials

Responding to the above comment - I had already set the above property and still needed to manually inject a @Primary default chain to get the default chain to be used.

Fixed in ee779018d38144d86a071ac708d48857b8328f37

You can provide custom credentials provider bean, it just has to have specific name:

@Bean(name = CredentialsProviderFactoryBean.CREDENTIALS_PROVIDER_BEAN_NAME)
AWSCredentialsProvider awsCredentialsProvider() {
    return mock(AWSCredentialsProvider.class);
}

Where CredentialsProviderFactoryBean.CREDENTIALS_PROVIDER_BEAN_NAME has value credentialsProvider.

I was unable to get this to work in auto-configuration without still resorting to @Primary as there seems to be a second credential provider created named org.springframework.cloud.aws.core.region.RegionProvider.BEAN_NAME.

Was this page helpful?
0 / 5 - 0 ratings