Bunny

Reputation: 139

How to use DefaultAWSCredentialsProviderChain() in Java code to fetch credentials from an instance profile and allow access to an S3 bucket

I am working on a requirement where I want to connect to an S3 bucket using a Spring Boot application. When I am connecting through my local environment I am setting loadCredentials(true), which uses Amazon STS, which fetches temporary credentials using a role and allows access to the S3 bucket.

When I am deploying to the qa/prd environment I am setting loadCredentials(false), which uses the DefaultAWSCredentialsProviderChain() class to fetch the credentials from the AWS instance profile (a role is assigned to the EC2 instance) and allow access to the S3 bucket. My code is:

    import com.amazonaws.auth.AWSCredentialsProvider;
    import com.amazonaws.auth.AWSStaticCredentialsProvider;
    import com.amazonaws.auth.BasicSessionCredentials;
    import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
    import com.amazonaws.auth.profile.ProfileCredentialsProvider;
    import com.amazonaws.regions.Regions;
    import com.amazonaws.services.s3.AmazonS3;
    import com.amazonaws.services.s3.AmazonS3ClientBuilder;
    import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
    import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceAsyncClientBuilder;
    import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
    import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
    import com.amazonaws.services.securitytoken.model.Credentials;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class AmazonS3Config {
        static String clientRegion = "ap-south-1";
        static String roleARN = "arn:aws:iam::*************:role/awss3acess";
        static String roleSessionName = "bucket_storage_audit";
        String bucketName = "testbucket";

        // isLocal is true for the local environment and false for the qa and prd environments
        private static AWSCredentialsProvider loadCredentials(boolean isLocal) {
            final AWSCredentialsProvider credentialsProvider;
            if (isLocal) {
                // Local: call STS with the developer's profile credentials and assume the role
                AWSSecurityTokenService stsClient = AWSSecurityTokenServiceAsyncClientBuilder.standard()
                        .withCredentials(new ProfileCredentialsProvider())
                        .withRegion(clientRegion)
                        .build();

                AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
                        .withDurationSeconds(3600)
                        .withRoleArn(roleARN)
                        .withRoleSessionName(roleSessionName);

                AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
                Credentials creds = assumeRoleResult.getCredentials();

                // The one-off temporary session credentials are held in a static provider
                credentialsProvider = new AWSStaticCredentialsProvider(
                        new BasicSessionCredentials(creds.getAccessKeyId(),
                                creds.getSecretAccessKey(),
                                creds.getSessionToken())
                );
            } else {
                // qa/prd: resolve credentials from the EC2 instance profile via the default chain
                System.out.println("inside default");
                credentialsProvider = new DefaultAWSCredentialsProviderChain();
            }

            return credentialsProvider;
        }

        // Amazon S3 client bean: returns an instance of the S3 client
        @Bean
        public AmazonS3 s3client() {
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                    .withRegion(Regions.fromName(clientRegion))
                    .withCredentials(loadCredentials(false))
                    .build();

            return s3Client;
        }
    }

My question: since the credentials of the instance profile rotate every 12 hours, my application will fail after 12 hours. What should I do in my code to avoid this happening?

Upvotes: 1

Views: 11700

Answers (1)

stacker

Reputation: 4475

You can directly use ProfileCredentialsProvider instead of DefaultAWSCredentialsProviderChain, as there is no need in your case to chain the credential providers.

And about your question: AWSCredentialsProvider has a refresh() method that will reread the config file. When an authentication exception occurs while using the S3 client, you can retry again, calling refresh() first.

Upvotes: 0
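As an added example (not the asker's or answerer's code), here is the same configuration built on providers that refresh themselves in both branches. DefaultAWSCredentialsProviderChain already re-fetches instance-profile credentials from the instance metadata service before they expire, so the qa/prd branch needs no manual refresh; the branch that really holds expiring credentials is the local one, where AWSStaticCredentialsProvider freezes a single AssumeRole result, and it is swapped for STSAssumeRoleSessionCredentialsProvider, which re-assumes the role on its own. The masked role ARN is kept as it appears in the question.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AmazonS3Config {
    static String clientRegion = "ap-south-1";
    // Role ARN masked exactly as in the question; substitute your own account id.
    static String roleARN = "arn:aws:iam::*************:role/awss3acess";
    static String roleSessionName = "bucket_storage_audit";

    // Both branches return a provider that renews its own credentials, so neither
    // the instance-profile rotation (qa/prd) nor the 1-hour STS session expiry
    // (local) leaves the long-lived S3 client holding dead credentials.
    private static AWSCredentialsProvider loadCredentials(boolean isLocal) {
        if (!isLocal) {
            // On EC2 the chain resolves to InstanceProfileCredentialsProvider, which
            // re-reads the instance metadata service before the current credentials
            // expire; no refresh() call or retry logic is needed in application code.
            return new DefaultAWSCredentialsProviderChain();
        }
        // Local: let the SDK assume the role and re-assume it automatically instead
        // of freezing one AssumeRole result in a static provider.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(new ProfileCredentialsProvider())
                .withRegion(clientRegion)
                .build();
        return new STSAssumeRoleSessionCredentialsProvider.Builder(roleARN, roleSessionName)
                .withStsClient(sts)
                .withRoleSessionDurationSeconds(3600)
                .build();
    }

    @Bean
    public AmazonS3 s3client() {
        return AmazonS3ClientBuilder.standard()
                .withRegion(Regions.fromName(clientRegion))
                .withCredentials(loadCredentials(false))
                .build();
    }
}
```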
