Reputation: 11
I have a Spring Boot app with QueueMessagingTemplate as the client to access Amazon SQS using temporary security credentials (STS). I am getting the temporary token using STS AssumeRole. Can you help me with how to refresh/auto-refresh the session token when it expires?
Error: com.amazonaws.services.sqs.model.AmazonSQSException: The security token included in the request is expired
Here is the code:
    @Configuration
    @Slf4j
    public class QueueConfig {

        @Bean
        public QueueMessagingTemplate queueMessagingTemplate(@Autowired BasicSessionCredentials sessionCredentials) {
            log.info("queueMessagingTemplate refresh");
            return new QueueMessagingTemplate(amazonSQSAsync(sessionCredentials));
        }

        @Bean
        @Primary
        public AmazonSQSAsync amazonSQSAsync(BasicSessionCredentials sessionCredentials) {
            return AmazonSQSAsyncClientBuilder
                    .standard()
                    .withRegion(Regions.US_WEST_1)
                    .withCredentials(new AWSStaticCredentialsProvider(sessionCredentials))
                    .build();
        }
    }
Here is the code for AWS STS cred
    @Configuration
    @Slf4j
    public class AwsRoleCredentials {

        @Bean(name = "sessionCredentials")
        public BasicSessionCredentials sessionCredentials() {
            try {
                String roleArn = "XXXX";
                String roleSessionName = "XXX";
                Region region = Region.US_WEST_1;
                StsClient stsClient = StsClient.builder()
                        .region(region)
                        .build();
                AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
                        .roleArn(roleArn)
                        .roleSessionName(roleSessionName)
                        .build();
                AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);
                Credentials myCreds = roleResponse.credentials();
                BasicSessionCredentials sessionCred = new BasicSessionCredentials(
                        myCreds.accessKeyId(),
                        myCreds.secretAccessKey(),
                        myCreds.sessionToken());
                return sessionCred;
            } catch (StsException e) {
                log.error("ERROR while get token:" + e.getMessage());
            }
            return null;
        }
    }
Upvotes: 1
Views: 5922
Reputation: 583
I was just about to implement it myself and then I found that in version 2 of the SDK it's already there: you can use StsAssumeRoleCredentialsProvider, which takes care of refreshing the token when it is about to expire. I don't know if there is something equivalent in the old SDK.
But you can implement it pretty easily for the older SDK as well: just store the expiry and make another assumeRole request when it's about to expire.
Edit: I was confused because you use the V1 SDK for SQS but you do use the V2 SDK for STS, so you can simply use StsAssumeRoleCredentialsProvider instead. Also, I suggest using either V1 or V2, but not both.
Upvotes: 2
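Added example, not part of the question or the answer above: one way to wire the V2 `StsAssumeRoleCredentialsProvider` into the V1 SQS client from the question, so that credentials are resolved per request instead of being frozen in an `AWSStaticCredentialsProvider`. The class name `RefreshingQueueConfig`, the bean name `assumeRoleProvider` and the anonymous adapter are assumptions for illustration; `"XXXX"` and `"XXX"` are the question's placeholders.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.sqs.AmazonSQSAsync;
import com.amazonaws.services.sqs.AmazonSQSAsyncClientBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

@Configuration
public class RefreshingQueueConfig { // hypothetical name, replaces the two classes in the question
    // V2 provider: caches the AssumeRole result and calls STS again before it expires.
    @Bean
    public StsAssumeRoleCredentialsProvider assumeRoleProvider() {
        StsClient sts = StsClient.builder().region(Region.US_WEST_1).build();
        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn("XXXX").roleSessionName("XXX").build();
        return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts).refreshRequest(request).build();
    }

    // V1 client: asks the adapter for credentials on every request it signs.
    @Bean
    @Primary
    public AmazonSQSAsync amazonSQSAsync(StsAssumeRoleCredentialsProvider v2Provider) {
        AWSCredentialsProvider v1Adapter = new AWSCredentialsProvider() {
            @Override
            public AWSCredentials getCredentials() {
                // Convert the current (possibly just refreshed) V2 session credentials to V1.
                AwsSessionCredentials c = (AwsSessionCredentials) v2Provider.resolveCredentials();
                return new BasicSessionCredentials(c.accessKeyId(), c.secretAccessKey(), c.sessionToken());
            }

            @Override
            public void refresh() { } // nothing to do: the V2 provider refreshes itself
        };
        return AmazonSQSAsyncClientBuilder.standard()
                .withRegion(Regions.US_WEST_1)
                .withCredentials(v1Adapter)
                .build();
    }
}
```

The `QueueMessagingTemplate` bean from the question can then be built from this `AmazonSQSAsync` bean instead of from a `BasicSessionCredentials` bean. If the application stays on V1 only, the V1 STS module ships `STSAssumeRoleSessionCredentialsProvider`, which can be passed to `withCredentials` directly.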