It's not quite clear from your question what you're trying to solve: is this a cross-account issue, or is it a credentials issue, or is it something else? So I'm going to answer this with a bunch of general things that might help.
First, the instance metadata service gives out a bunch of things including (important for this discussion) some access/secret keys. These are rotated periodically (also important). When you're using the AWS SDK it automagically retrieves those credentials for you (nice!) and also handles refreshing the in-memory credentials when the ones that were previously retrieved expire.
Why the background? Because if you're using another third-party library it is up to that library to do much the same thing. If it doesn't then you could have a situation where your code works for a while and then it doesn't. Restart it, and it works again - for a while.
Note that you can retrieve this "manually" (in your own code) if you choose - but having other libraries do it for you is much easier.
Second, cross-account access is a little more complex. The instance/container role has to have permissions to assume a role in the other account (actually, it has to have permissions on both sides). You do that by calling the STS service with your current credentials. The credentials given back are "new" and apply to your permissions in the other account; and also expire periodically - so you have to refresh those as well.
So, to get your code working you need to:
- Have a working set of "local" (i.e. in your current account) credentials
- Ensure that you refresh them periodically (assuming they come from the instance metadata)
- Use STS to assume a role in the "other" account and get some appropriate credentials
- Ensure that you refresh those credentials periodically
- Use the "other" account credentials to call SQS
I'm not sure if this is entirely helpful or whether you know this already; but it's the best I can do because there are no error messages, logs or anything else to go on.
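The five steps above, as an added example written for this answer (not code from the original post or from AWS): plain AWS SDK for Java 2.x, where `DefaultCredentialsProvider` covers the instance-metadata credentials and their rotation, `StsAssumeRoleCredentialsProvider` covers the cross-account AssumeRole and its refresh, and the SQS client uses a long-polling loop. The class name, role ARN, queue URL and region are placeholders you must replace with your own.

```java
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsClient;
import software.amazon.awssdk.services.sqs.model.DeleteMessageRequest;
import software.amazon.awssdk.services.sqs.model.Message;
import software.amazon.awssdk.services.sqs.model.ReceiveMessageRequest;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

// Hypothetical class name; placeholders below are not real identifiers.
public class CrossAccountSqsPoller {
    private static final String ROLE_ARN = "arn:aws:iam::<OTHER_ACCOUNT_ID>:role/<SqsReaderRole>";
    private static final String QUEUE_URL = "https://sqs.<region>.amazonaws.com/<OTHER_ACCOUNT_ID>/<queue>";
    private static final Region REGION = Region.US_EAST_1;

    public static void main(String[] args) {
        // Steps 1-2: "local" credentials. The default chain reads the instance/container
        // metadata credentials and refreshes them in memory as they rotate.
        AwsCredentialsProvider local = DefaultCredentialsProvider.create();
        StsClient sts = StsClient.builder().region(REGION).credentialsProvider(local).build();

        // Steps 3-4: assume the role in the other account. This provider calls AssumeRole
        // again before the temporary credentials expire, so the loop never goes stale.
        AwsCredentialsProvider crossAccount = StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(AssumeRoleRequest.builder()
                        .roleArn(ROLE_ARN)
                        .roleSessionName("sqs-poller") // recorded in the other account's CloudTrail
                        .durationSeconds(900)          // shortest lifetime STS allows
                        .build())
                .asyncCredentialUpdateEnabled(true)
                .build();

        // Step 5: an SQS client bound to the assumed-role credentials.
        SqsClient sqs = SqsClient.builder().region(REGION).credentialsProvider(crossAccount).build();
        ReceiveMessageRequest receive = ReceiveMessageRequest.builder()
                .queueUrl(QUEUE_URL)
                .maxNumberOfMessages(10)
                .waitTimeSeconds(20) // long polling: one call waits up to 20 s instead of spinning
                .build();

        while (!Thread.currentThread().isInterrupted()) {
            for (Message m : sqs.receiveMessage(receive).messages()) {
                System.out.println("received: " + m.body());
                // Delete only after handling; an undeleted message is redelivered after the visibility timeout.
                sqs.deleteMessage(DeleteMessageRequest.builder()
                        .queueUrl(QUEUE_URL).receiptHandle(m.receiptHandle()).build());
            }
        }
    }
}
```

The role in the other account needs a trust policy naming your instance/container role as principal plus `sqs:ReceiveMessage` and `sqs:DeleteMessage` on that one queue; in production wrap each loop iteration in a try/catch for `SdkException` so a transient failure does not end the poller.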
Thanks for pitching in Brett.
Rather confusing, so let me ask a simple question: how to continuously poll messages from SQS using Spring Boot and AWS SDK 2.x?