Yes, you need some way to authenticate. The error message means that the AWS SDK tries to obtain credentials from your environment variables, credentials file, EC2 instance metadata service, and a few other "providers" as worded in the error message, only to find no credentials in any of them.
You'll need to use some way for your on-premises-hosted application to authenticate to AWS. Technically the simplest way is to create an IAM user and an access key for it, as you were thinking. If you use this approach, I'd advise attaching an IAM policy to the user with an explicit Deny statement for requests not arriving via your VPC endpoint or the internet-facing IPs of your on-premises network. Access keys are essentially just username/password combinations, so without source network restrictions, anyone who would get a hold of your key could access your systems or data from anywhere on the public internet.
More secure options would include IAM Roles Anywhere (https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/) based on a private certificate infrastructure, or an identity federation between an identity provider you can use on premises and AWS IAM. However, these are substantially more complex to implement and their applicability depends on factors such as whether you have an internal certificate infrastructure available.
Below is an example policy that you can use to block the IAM user from making requests, unless they arrive via a VPC endpoint in the VPC with the specified ID, or over the internet (not via a VPC endpoint) from the specified public IP addresses. You'll need to fill in the ID of the VPC where your endpoint resides and your public on-premises IPs. You can remove the NotIpAddressIfExists condition check entirely if all access is going to happen through the VPC endpoint.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllAccessExceptFromPermittedNetworkOrigins",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:SourceVpc": [
            "vpc-01234567890123456"
          ]
        },
        "NotIpAddressIfExists": {
          "aws:SourceIp": [
            "111.22.33.44/32",
            "222.33.44.55/32"
          ]
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```
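As an added illustration (not code from the answer above, and not AWS's own evaluation engine), the following Python models how the three `...IfExists` condition blocks of that Deny statement combine. Each block must match for the Deny to fire, and an `IfExists` operator counts a context key that is absent from the request (for example `aws:SourceVpc` on a request that did not come through a VPC endpoint) as a match. The VPC ID and the two /32 addresses are the answer's placeholders; the request contexts are constructed for this example.

```python
import ipaddress

# Condition block copied from the Deny statement in the answer above.
# The VPC ID and the two /32 addresses are the answer's placeholders, not real values.
DENY_CONDITION = {
    "StringNotEqualsIfExists": {"aws:SourceVpc": ["vpc-01234567890123456"]},
    "NotIpAddressIfExists": {"aws:SourceIp": ["111.22.33.44/32", "222.33.44.55/32"]},
    "BoolIfExists": {"aws:ViaAWSService": "false"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_not_equals_if_exists(expected, actual):
    # "...IfExists": a context key that is absent from the request matches.
    if actual is None:
        return True
    return actual not in _as_list(expected)


def not_ip_address_if_exists(expected, actual):
    # Matches when the source IP is outside every listed CIDR (or the key is absent).
    if actual is None:
        return True
    ip = ipaddress.ip_address(actual)
    return not any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in _as_list(expected))


def bool_if_exists(expected, actual):
    if actual is None:
        return True
    return str(actual).lower() == str(expected).lower()


OPERATORS = {
    "StringNotEqualsIfExists": string_not_equals_if_exists,
    "NotIpAddressIfExists": not_ip_address_if_exists,
    "BoolIfExists": bool_if_exists,
}


def deny_applies(condition, request_context):
    """True when every condition block matches the request context, i.e. the
    Deny statement fires. One non-matching block is enough to let the request
    through to whatever Allow statements the user has."""
    for operator, keys in condition.items():
        evaluate = OPERATORS[operator]
        for key, expected in keys.items():
            if not evaluate(expected, request_context.get(key)):
                return False
    return True


# Constructed request contexts for the origins discussed in the answer.
SCENARIOS = {
    "via endpoint in the permitted VPC": {"aws:SourceVpc": "vpc-01234567890123456", "aws:SourceIp": "10.0.1.5"},
    "via endpoint in some other VPC": {"aws:SourceVpc": "vpc-0fedcba9876543210", "aws:SourceIp": "10.0.0.9"},
    "internet, from a permitted on-prem IP": {"aws:SourceIp": "111.22.33.44"},
    "internet, leaked key used elsewhere": {"aws:SourceIp": "198.51.100.7"},
    "AWS service calling on the user's behalf": {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "true"},
}


def evaluate_scenarios(condition=DENY_CONDITION, scenarios=SCENARIOS):
    """Map each scenario name to whether the Deny statement would apply to it."""
    return {name: deny_applies(condition, ctx) for name, ctx in scenarios.items()}


if __name__ == "__main__":
    for name, denied in evaluate_scenarios().items():
        print(f"{'DENY' if denied else 'pass'}  {name}")
```

The model covers only the three operators the statement uses. A "pass" result means this Deny does not match, not that the request is allowed; IAM still requires an explicit Allow for the S3 actions the application needs.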
Hello
**Verify Credential Configuration:**
Check Default Chain: Review the default credential provider chain used by the AWS SDK for Java https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html. This chain searches for credentials in environment variables, system properties, and credential profile files. Make sure you haven't accidentally disabled the default chain.
**Access Keys and Permissions:**
- IAM User Existence: Ensure you've created an IAM user specifically for your on-premises server application.
- Permissions Attached: Verify that the IAM user has a policy attached granting the necessary permissions to upload objects to your S3 bucket. You can use IAM policies like "AmazonS3FullAccess" or create a custom policy with specific actions.
**Credential Provision on Server:**
- Environment Variables: Double-check that the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set correctly on your on-premises server if you're using this method.
- Credential Profiles File: If you're using a credential profile file (~/.aws/credentials), ensure the file exists, has the correct profile name, and contains your access key ID and secret access key in the appropriate format. Here's an example format:
```ini
[default]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
```
For more, please follow the links:
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
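As an added example, not code from the answer or from the AWS SDK, the following Python walks the first and last steps of the chain the answer describes (environment variables, then the `~/.aws/credentials` profile file; the Java-only system-properties step is left out) over constructed inputs, and treats the `YOUR_ACCESS_KEY_ID` / `YOUR_SECRET_ACCESS_KEY` placeholders from the template above as "not configured". It reports only which source would supply credentials and a redacted key ID, never the secret, so it can be run safely on a server to see why the SDK finds nothing.

```python
import configparser
from typing import Dict, Optional, Tuple

# Values from the template in the answer above that mean the profile was never filled in.
PLACEHOLDERS = {"", "YOUR_ACCESS_KEY_ID", "YOUR_SECRET_ACCESS_KEY"}

Source = Optional[Tuple[str, str]]  # (where it was found, access key id)


def from_environment(env: Dict[str, str]) -> Source:
    """Step 1 of the chain: both variables must be present and non-empty."""
    key = env.get("AWS_ACCESS_KEY_ID", "").strip()
    secret = env.get("AWS_SECRET_ACCESS_KEY", "").strip()
    if key in PLACEHOLDERS or secret in PLACEHOLDERS:
        return None
    return ("environment", key)


def from_profile_file(text: Optional[str], profile: str = "default") -> Source:
    """Step 2: parse the credentials file (INI format); text is None when the file is missing."""
    if not text:
        return None
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section(profile):
        return None
    key = parser.get(profile, "aws_access_key_id", fallback="").strip()
    secret = parser.get(profile, "aws_secret_access_key", fallback="").strip()
    if key in PLACEHOLDERS or secret in PLACEHOLDERS:
        return None
    return (f"profile:{profile}", key)


def resolve_credentials(env: Dict[str, str], profile_text: Optional[str], profile: str = "default") -> Source:
    """Walk the chain in order and return the first source with a usable pair,
    or None, which is the situation the SDK error message describes."""
    for found in (from_environment(env), from_profile_file(profile_text, profile)):
        if found is not None:
            return found
    return None


def redact(access_key_id: str) -> str:
    """Show only the ends of a key ID so a diagnostic never leaks the whole value."""
    return access_key_id[:4] + "..." + access_key_id[-4:]


# Constructed sample inputs. The key pair is AWS's documentation example, not a live credential.
UNFILLED_PROFILE = """[default]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
"""
FILLED_PROFILE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for label, env, text in (
        ("empty env, template file", {}, UNFILLED_PROFILE),
        ("empty env, filled file", {}, FILLED_PROFILE),
        ("key id only in env, filled file", {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}, FILLED_PROFILE),
    ):
        found = resolve_credentials(env, text)
        if found is None:
            print(f"{label}: no credentials found in the chain")
        else:
            source, key_id = found
            print(f"{label}: using {redact(key_id)} from {source}")
```

Running it against a real host would mean passing `dict(os.environ)` and the contents of `~/.aws/credentials`; the functions take them as arguments so the checks above run offline.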