access AWS S3 from java using IAM Role

Question

We have the application hosted locally not on EC2. Is it possible to access the AWS S3 using the IAM Role instead of profile or credentials from java? The security team has raised concern about storing the credentials locally as it is vulnerable.

As far as I have googled, I have found options to access using Credentials stored in Environment or in .aws as a profile. If we need ROLE based authentication, then the application is supposed to be deployed in EC2. But we have the server hosted locally. Please provide if you have any suggestions.

Answer 1

We have the application hosted locally not on EC2. Is it possible to access the AWS S3 using the IAM Role instead of profile or credentials from java?

Service-roles are bound to AWS services, so - long story short - for your on-premise server you need to use AWS API keys.

The security team has raised concern about storing the credentials locally as it is vulnerable.

Unfortunatelly - at the end you need to store the credentials somewhere. Even using services such as Cognito or STS you will need to store the credentials for the service somewhere (effectively - for any external or cloud service regardless what cloud or service you may use).

IMHO the best you can do is using dedicated AWS credentials (API keys) with only permission what are really needed.

Answer 2

I'm not sure I understand what you want to do, but why not assign a dedicated user to that role?

Another thing you might find useful, is using temporary credentials. In general, Amazon have two services for this - Cognito and STS (as far as I understand, Cognito is using STS behind the scenes). They have different limitations, but in general, they allow you to receive credentials for limited time. This way, you will get an access id, a secret (and also a session id), but they will be temporary.