SQS Listener not working Profile based authentication


Folks,

Now that it's annoying us and getting out of our hands, we are seeking help from the experts here.

In our firm, I am working on a Spring Boot/AWS cloud-native application, where only profile-based authentication (no ACCESS KEY/SECRET KEY) is in place when we use the AWS SDK 2.x Java libraries.

The AWS S3 client easily authenticates itself when I attach a ProfileCredentialsProvider instance.

We have a use case where we need an SQS listener that consumes messages from a queue, which is not working.

Our setup: an AWS EKS cluster is running in the account where our application is hosted. Our application-specific AWS resources are hosted in a separate account. Cross-account roles are set up, but the Spring Boot SQS listener is not able to authenticate itself since we are not provided with an access key and secret key.

AwsS3Client and AWSSQSClient are individually able to authenticate themselves using ProfileCredentialsProvider.create().

How do we establish authentication for the SQS listener while it talks to the cross account?

@SQSListener(value="queuename/absoluteurl") does not work here.

Or advise what the best way is to poll messages continuously from SQS with only profile-based authentication in place.

1 Answer

It's not quite clear from your question what you're trying to solve: is this a cross-account issue, or is it a credentials issue, or is it something else? So I'm going to answer this with a bunch of general things that might help.

First, the instance metadata service gives out a bunch of things including (important for this discussion) some access/secret keys. These are rotated periodically (also important). When you're using the AWS SDK it automagically retrieves those credentials for you (nice!) and also handles refreshing the in-memory credentials when the ones that were previously retrieved expire.

Why the background? Because if you're using another third-party library it is up to that library to do much the same thing. If it doesn't then you could have a situation where your code works for a while and then it doesn't. Restart it, and it works again - for a while.

Note that you can retrieve this "manually" (in your own code) if you choose - but having other libraries do it for you is much easier.

Second, cross-account access is a little more complex. The instance/container role has to have permissions to assume a role in the other account (actually, it has to have permissions on both sides). You do that by calling the STS service with your current credentials. The credentials given back are "new" and apply to your permissions in the other account; and also expire periodically - so you have to refresh those as well.

So, to get your code working you need to:

  • Have a working set of "local" (i.e. in your current account) credentials
  • Ensure that you refresh them periodically (assuming they come from the instance metadata)
  • Use STS to assume a role in the "other" account and get some appropriate credentials
  • Ensure that you refresh those credentials periodically
  • Use the "other" account credentials to call SQS

I'm not sure if this is entirely helpful or whether you know this already; but it's the best I can do because there are no error messages, logs or anything else to go on.

AWS EXPERT
answered 2 years ago
  • Thanks for pitching in, Brett.

    Rather confusing, so let me ask a simple question: how do I continuously poll messages from SQS using Spring Boot and AWS SDK 2.x?
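The five steps in the answer above, and the follow-up question about continuous polling, put into one runnable class. This is an added example, not code from the question, the answer or any AWS project: it uses the AWS SDK for Java 2.x to take "local" credentials from a named profile, hand them to STS to assume the role in the other account, let `StsAssumeRoleCredentialsProvider` refresh those temporary credentials before they expire, and long-poll the queue with an `SqsClient` built on that provider. The profile name, role ARN, queue URL and region are assumptions; replace them with your own values.

```java
// Added example (not from the question or answer): cross-account SQS polling
// with profile-based credentials and AWS SDK for Java 2.x.
// Profile name, role ARN, queue URL and region below are placeholders.
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.core.exception.SdkException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsClient;
import software.amazon.awssdk.services.sqs.model.DeleteMessageRequest;
import software.amazon.awssdk.services.sqs.model.Message;
import software.amazon.awssdk.services.sqs.model.ReceiveMessageRequest;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

import java.util.List;

public class CrossAccountSqsPoller {

    static final Region REGION = Region.US_EAST_1;                       // assumption
    static final String LOCAL_PROFILE = "app-profile";                   // assumption
    static final String TARGET_ROLE_ARN =
        "arn:aws:iam::111122223333:role/sqs-consumer-role";               // placeholder
    static final String QUEUE_URL =
        "https://sqs.us-east-1.amazonaws.com/111122223333/example-queue"; // placeholder

    // Steps 1-4 of the answer: local credentials -> STS AssumeRole -> auto-refresh.
    // The returned provider calls AssumeRole again before the temporary
    // credentials expire, so callers never hold a stale key pair.
    static AwsCredentialsProvider crossAccountCredentials() {
        // Step 1: "local" credentials from the named profile (no static keys in code).
        // On EKS, DefaultCredentialsProvider.create() would also pick up the
        // container/web-identity credentials and refresh them (step 2).
        AwsCredentialsProvider local = ProfileCredentialsProvider.create(LOCAL_PROFILE);

        StsClient sts = StsClient.builder()
            .region(REGION)
            .credentialsProvider(local)
            .build();

        // Step 3 + 4: assume the role in the other account and keep it refreshed.
        // The role's trust policy must allow this principal, and the role itself
        // only needs sqs:ReceiveMessage / sqs:DeleteMessage on the one queue.
        // roleSessionName shows up in CloudTrail, so make it identify this workload.
        return StsAssumeRoleCredentialsProvider.builder()
            .stsClient(sts)
            .refreshRequest(AssumeRoleRequest.builder()
                .roleArn(TARGET_ROLE_ARN)
                .roleSessionName("sqs-poller")
                .durationSeconds(3600)
                .build())
            .asyncCredentialUpdateEnabled(true)   // refresh off the calling thread
            .build();
    }

    // Step 5: an SQS client that signs every request with the assumed-role credentials.
    static SqsClient crossAccountSqsClient() {
        return SqsClient.builder()
            .region(REGION)
            .credentialsProvider(crossAccountCredentials())
            .build();
    }

    // Continuous long polling: waitTimeSeconds=20 holds the connection open so an
    // idle queue does not cost a request every few milliseconds.
    static void pollForever(SqsClient sqs) {
        ReceiveMessageRequest request = ReceiveMessageRequest.builder()
            .queueUrl(QUEUE_URL)
            .maxNumberOfMessages(10)
            .waitTimeSeconds(20)
            .build();

        while (!Thread.currentThread().isInterrupted()) {
            try {
                List<Message> messages = sqs.receiveMessage(request).messages();
                for (Message m : messages) {
                    try {
                        handle(m);
                        // Delete only after successful processing; an unhandled
                        // failure leaves the message to reappear after the
                        // visibility timeout (or land in the dead-letter queue).
                        sqs.deleteMessage(DeleteMessageRequest.builder()
                            .queueUrl(QUEUE_URL)
                            .receiptHandle(m.receiptHandle())
                            .build());
                    } catch (RuntimeException e) {
                        System.err.println("processing failed, leaving message in queue: " + e);
                    }
                }
            } catch (SdkException e) {
                // Throttling, transient network or credential errors: back off, then retry.
                System.err.println("receive failed: " + e.getMessage());
                try { Thread.sleep(5_000); } catch (InterruptedException ie) { Thread.currentThread().interrupt(); }
            }
        }
    }

    static void handle(Message m) {
        System.out.println("received " + m.messageId() + ": " + m.body());
    }

    public static void main(String[] args) {
        try (SqsClient sqs = crossAccountSqsClient()) {
            pollForever(sqs);
        }
    }
}
```

If you stay with Spring Cloud AWS and its `@SqsListener` annotation instead of a hand-written loop, the piece that matters is the same: the SQS client bean the listener container uses must be built with the assume-role credentials provider from `crossAccountCredentials()` rather than the default chain, otherwise the listener signs its requests with the local account's identity and the cross-account queue rejects them.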
