Authenticate AWS credentials without secret key and access key using AWS SDK for Java

0

Hi I'm authenticating the credentials using secret key and access key like below. AWSCredentials awsCredential = new BasicAWSCredentials(accessKey, secretKey);

But I do not want to use accesskey and secretkey to authenticate. How can I authenticate the credentials without accesskey and secretkey.

2 Answers
1

Hello.

Where are Java SDK programs running?
In cases such as EC2, it is possible to use IAM roles instead of access keys.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

If you are using a local PC or an on-premises server, you will need an access key, so you will need to set it using environment variables, etc.
Use access keys when matching your workloads where you cannot use the IAM roles described in the documentation below.
However, when using access keys, I recommend that you limit your IAM policy to the minimum necessary operations.
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials

Workloads that cannot use IAM roles – You might run a workload from a location that needs to access AWS. In some situations, you can't use IAM roles to provide temporary credentials, such as for WordPress plugins. In these situations, use IAM user long-term access keys for that workload to authenticate to AWS.

profile picture
EXPERT
answered 2 months ago
profile picture
EXPERT
reviewed 2 months ago
profile pictureAWS
EXPERT
reviewed 2 months ago
  • Hi, I agree with Riku: if your programs don't run on AWS in EC2, ECS, etc, and leverage execution role, ou will always need a pair (access key, secret key) minimally authorized to endorse the IAM role to which you give the service credentials.

  • Hi, I tried using Iam role. AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(new DefaultAWSCredentialsProviderChain()) .withRegion(Regions.US_WEST_2) .build(); String roleArn = "arn:aws:iam::accountid:role/ec2Role"; String roleSessionName = "newSession"; AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest() .withRoleArn(roleArn) .withRoleSessionName(roleSessionName); AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);

    But I'm getting exception saying unable to load credentials from environmental variables. But without user providing access token and secret key, how can I access using only session token? Is it possible?

1

Hi,

See my comment in Riku's answer for the requirement about a pair (access_key, secret_key) as soon as your programs run outside an AWS service.

But, maybe your question is slightly different: you want to not have to hard-code your credentials in your code (and not even mention them in case they run inside and outside of AWS). For this purpose, the AWS Java SDK has a default credential chain that you can leverage.

See for all details: https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html

I personally always use the standard environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to avoid any presence of code related to this pair in my code. It's much cleaner if you need to run same code inside an AWS service and outside of it (from your laptop or an on-premise server for example)

Best,

Didier

profile pictureAWS
EXPERT
answered 2 months ago
profile picture
EXPERT
reviewed 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions