Hey, thank you for posting the question.
I would start by making sure that the credential process is able to fetch temporary credentials. One way to track what's happening is by searching for the CreateSession eventName in CloudTrail event history. It would look something like this:
```json
{
  "eventVersion": "1.08",
  <...omitted...>
  "eventSource": "rolesanywhere.amazonaws.com",
  "eventName": "CreateSession",
  "awsRegion": "ap-southeast-2",
  <...omitted...>
  "userAgent": "CredHelper/1.0.1 (go1.18; darwin; amd64)",
  "requestParameters": {
    "cert": "<...omitted...>=",
    "durationSeconds": 3600,
    "profileArn": "arn:aws:rolesanywhere:ap-southeast-2:123456789101:profile/<...omitted...>",
    "roleArn": "arn:aws:iam::123456789101:role/RolesanywhereabacStack-onPremAppRole-<...omitted...>",
    "trustAnchorArn": "arn:aws:rolesanywhere:ap-southeast-2:123456789101:trust-anchor/<...omitted...>"
  },
  "responseElements": {
    "credentialSet": [
      {
        "assumedRoleUser": {
          "arn": "arn:aws:sts::123456789101:assumed-role/RolesanywhereabacStack-onPremAppRole-1XU4T41ZS71V6/00a95e017de2212bb6ca21b3b0fe095a63",
          "assumedRoleId": "<...omitted...>:<...omitted...>"
        },
        "credentials": {
          "accessKeyId": "<...omitted...>",
          "expiration": "2022-09-27T07:29:14Z",
          "secretAccessKey": "HIDDEN_DUE_TO_SECURITY_REASONS",
          "sessionToken": "<...omitted...>="
        },
        "packedPolicySize": 44,
        "roleArn": "arn:aws:iam::123456789101:role/RolesanywhereabacStack-onPremAppRole-1XU4T41ZS71V6",
        "sourceIdentity": "CN=User1"
      }
    ],
    "subjectArn": "arn:aws:rolesanywhere:ap-southeast-2:123456789101:subject/<...omitted...>",
    "x509Subject": "CN=User1"
  },
  <...omitted...>
  "recipientAccountId": "123456789101",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "clientProvidedHostHeader": "rolesanywhere.ap-southeast-2.amazonaws.com"
  }
}
```
Additionally, if you are looking to set up a proof of concept, we have published a sample CDK app on GitHub that showcases how to use IAM Roles Anywhere to fetch secrets from Secrets Manager. Yours is a different use case, but you may find helpful info around the infrastructure and the client-side utility that sets up the AWS CLI for you:
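As an added example (not the answer's own code), a small Python script that applies the CloudTrail check above to constructed CreateSession records: it keeps only Roles Anywhere CreateSession calls and reports calls that failed (errorCode present), certificate subjects that are not on an allow-list, and sessions longer than expected. The sample records, the allow-list and the 3600-second limit are assumptions; the record shape follows the event shown above.

```python
import json

# Constructed sample records shaped like the CreateSession event in the answer
# above, one JSON object per line, opaque values replaced by placeholders.
SAMPLE_LOG = """
{"eventSource": "rolesanywhere.amazonaws.com", "eventName": "CreateSession", "eventTime": "2022-09-27T06:29:14Z", "requestParameters": {"durationSeconds": 3600, "roleArn": "arn:aws:iam::123456789101:role/RolesanywhereabacStack-onPremAppRole-1XU4T41ZS71V6"}, "responseElements": {"x509Subject": "CN=User1"}}
{"eventSource": "rolesanywhere.amazonaws.com", "eventName": "CreateSession", "eventTime": "2022-09-27T09:02:41Z", "requestParameters": {"durationSeconds": 43200, "roleArn": "arn:aws:iam::123456789101:role/RolesanywhereabacStack-onPremAppRole-1XU4T41ZS71V6"}, "responseElements": {"x509Subject": "CN=build-box-07"}}
{"eventSource": "rolesanywhere.amazonaws.com", "eventName": "CreateSession", "eventTime": "2022-09-27T09:10:05Z", "errorCode": "AccessDeniedException", "requestParameters": {"durationSeconds": 3600, "roleArn": "arn:aws:iam::123456789101:role/RolesanywhereabacStack-onPremAppRole-1XU4T41ZS71V6"}}
{"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "eventTime": "2022-09-27T09:15:00Z", "requestParameters": {"roleArn": "arn:aws:iam::123456789101:role/SomeOtherRole"}}
"""


def parse_events(text):
    """Parse newline-delimited CloudTrail records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_create_sessions(events, allowed_subjects, max_duration=3600):
    """One finding per Roles Anywhere CreateSession call.

    'reasons' lists why the call deserves attention: the call failed
    (errorCode present), the certificate subject is not on the allow-list,
    or the requested session exceeds max_duration seconds.
    """
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != (
                "rolesanywhere.amazonaws.com", "CreateSession"):
            continue
        params = ev.get("requestParameters", {})
        subject = ev.get("responseElements", {}).get("x509Subject")
        duration = params.get("durationSeconds")
        reasons = []
        if "errorCode" in ev:
            reasons.append("failed: " + ev["errorCode"])
        elif subject not in allowed_subjects:
            reasons.append("unexpected x509Subject")
        if duration is not None and duration > max_duration:
            reasons.append("durationSeconds exceeds %d" % max_duration)
        findings.append({"time": ev.get("eventTime"), "subject": subject,
                         "roleArn": params.get("roleArn"),
                         "durationSeconds": duration, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_create_sessions(parse_events(SAMPLE_LOG), {"CN=User1"}):
        print(f)
```

A failed CreateSession in the first finding with a non-empty `reasons` list is the quickest sign that the credential process itself, not the application, is the part to look at.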
When I run the credential process manually by using ./aws_signing_helper ...., it fetches the credentials correctly. The question is how to integrate IAM Roles Anywhere with the Spring Boot application.
Does this credential process set the AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY variables? The Spring Boot apps use these credentials to establish a connection with AWS resources on startup.