letsStudyJava

Reputation: 169

How to make a local machine assume an IAM role

What I have

  1. an IAM user
  2. an IAM role with S3 and SQS permissions
  3. a Spring Boot REST web service
  4. the web service uses AWS resources and authenticates with AWS role-based credentials (no keys provided)

What I want

  1. run the application locally
  2. some way to make the local machine assume the desired IAM role

Aws Resource initialisation

import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;

// Credentials come from the ECS container credentials endpoint or, failing that,
// the EC2 instance profile; nothing is looked up in the local environment.
AmazonS3 amazonS3Client = AmazonS3ClientBuilder.standard()
                .withCredentials(new EC2ContainerCredentialsProviderWrapper())
                .withRegion(Regions.DEFAULT_REGION)
                .withForceGlobalBucketAccessEnabled(true)
                .build();

AmazonSQS amazonSQSClient = AmazonSQSClientBuilder.standard()
                .withCredentials(new EC2ContainerCredentialsProviderWrapper())
                .withRegion(Regions.DEFAULT_REGION)
                .build();

Now when I run the application and make calls, AWS access is obviously denied.

I didn't find any tutorial where I can make certain configs on the local machine and assume the desired role on the local machine.

Upvotes: 1

Views: 4337

Answers (1)

rdas

Reputation: 21275

We have had this issue quite a lot. But your case is simpler since you're using the DefaultCredentialProviderChain. The chain searches for credentials in the environment, and then IAM (in that order, I think).

My suggestion would be to forget about mocking IAM and mock the services instead. Set some dummy credentials in the environment so that the provider chain uses those instead of trying to use IAM.

For S3: https://github.com/adobe/S3Mock

For SQS: https://github.com/MeteoGroup/sqsmock

Now if you're absolutely determined to mock IAM, check out this: https://github.com/NYTimes/mock-ec2-metadata

Be warned, the setup for that is not worth what you get out of it. YMMV

You may also be interested in: https://github.com/localstack/localstack

But I haven't used that one (yet).

EDIT: Why is mocking IAM hard? Because the IAM credentials come from the metadata endpoint, which is http://169.254.168.254. So to mock IAM, you have to mock the metadata endpoint. And that usually involves an iptables hack of some sort.

Upvotes: 2
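The two approaches on this page, side by side, as an added example (not code from the question, the answer, or any of the linked projects): a credentials factory for the AWS SDK for Java v1 that, selected by a hypothetical APP_AWS_MODE environment variable, either (a) really assumes the role locally through STS using the IAM user's profile keys, (b) hands the provider chain dummy static keys so it never reaches the instance-metadata endpoint and points the clients at mocked S3/SQS endpoints, or (c) keeps the deployed container/instance-profile behaviour. Everything named below that is not in the original (the mode variable, the `dev-user` profile, the APP_ROLE_ARN variable, the localhost endpoints and ports, the region) is an assumption; the role-assumption path additionally assumes the IAM user has `sts:AssumeRole` on the role and the role's trust policy allows that user.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;

public final class LocalAwsClients {

    // Hypothetical switch (assumption, not from the original): "role", "mock",
    // or anything else for the deployed behaviour.
    private static final String MODE = System.getenv().getOrDefault("APP_AWS_MODE", "deployed");
    private static final Regions REGION = Regions.US_EAST_1; // assumption

    // Assumptions: the IAM user's long-lived keys sit in a named profile in
    // ~/.aws/credentials, and the role ARN is supplied via an environment variable.
    private static final String LOCAL_PROFILE = "dev-user";
    private static final String ROLE_ARN = System.getenv("APP_ROLE_ARN");

    // Assumptions: mocked S3 / SQS servers (S3Mock, sqsmock or similar) listen here.
    private static final String MOCK_S3_ENDPOINT = "http://localhost:9090";
    private static final String MOCK_SQS_ENDPOINT = "http://localhost:9324";

    static AWSCredentialsProvider credentials() {
        switch (MODE) {
            case "role":
                // Local, real role: the user's keys are used only to call STS. Every S3/SQS
                // request then carries short-lived role credentials, so the app is exercised
                // against the role's policy rather than the user's. The provider refreshes
                // the session before it expires.
                AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                        .withCredentials(new ProfileCredentialsProvider(LOCAL_PROFILE))
                        .withRegion(REGION)
                        .build();
                return new STSAssumeRoleSessionCredentialsProvider.Builder(ROLE_ARN, "local-dev")
                        .withStsClient(sts)
                        .build();
            case "mock":
                // Local, mocked services: static dummy keys, so the SDK never tries the
                // instance-metadata endpoint. These values are not secrets.
                return new AWSStaticCredentialsProvider(new BasicAWSCredentials("dummy", "dummy"));
            default:
                // Deployed: same as the original, but behind a chain so that explicitly set
                // AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY take precedence over IAM.
                return new AWSCredentialsProviderChain(
                        new EnvironmentVariableCredentialsProvider(),
                        new EC2ContainerCredentialsProviderWrapper());
        }
    }

    static AmazonS3 s3() {
        AmazonS3ClientBuilder builder = AmazonS3ClientBuilder.standard().withCredentials(credentials());
        if ("mock".equals(MODE)) {
            // withEndpointConfiguration and withRegion are mutually exclusive in SDK v1.
            return builder
                    .withEndpointConfiguration(new EndpointConfiguration(MOCK_S3_ENDPOINT, REGION.getName()))
                    .withPathStyleAccessEnabled(true) // bucket in the path, not a localhost subdomain
                    .build();
        }
        return builder.withRegion(REGION).withForceGlobalBucketAccessEnabled(true).build();
    }

    static AmazonSQS sqs() {
        AmazonSQSClientBuilder builder = AmazonSQSClientBuilder.standard().withCredentials(credentials());
        if ("mock".equals(MODE)) {
            return builder
                    .withEndpointConfiguration(new EndpointConfiguration(MOCK_SQS_ENDPOINT, REGION.getName()))
                    .build();
        }
        return builder.withRegion(REGION).build();
    }

    public static void main(String[] args) {
        // Smoke test: with APP_AWS_MODE=role this lists buckets as the assumed role;
        // with APP_AWS_MODE=mock it talks to the local mock servers.
        System.out.println(s3().listBuckets());
        System.out.println(sqs().listQueues());
    }
}
```

Running with `APP_AWS_MODE=role APP_ROLE_ARN=arn:aws:iam::<account>:role/<name>` is the closest local equivalent to what the deployed service does: permission errors surface exactly as they would under the role. The mock path follows the answer's advice and is the better fit for unit and integration tests, where no real AWS account should be involved at all.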
