Using credential process for IAM Roles Anywhere in springboot application

Question

I have a use case where I need to access the SNS topic from outside AWS. We planned to use https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/ as it seem to be right fit

But I'm unable to get this working correctly. I followed the link exactly mentioned above where the contents of .aws/config file are

```
credential_process = ./aws_signing_helper credential-process
    --certificate /path/to/certificate.pem
    --private-key /path/to/private-key.pem
    --trust-anchor-arn 
    --profile-arn 
    --role-arn 
```

But my spring boot application throws an error stating that it could not fetch the credentials to connect to AWS. Kindly assist

Answer

When I run the credentials process manually by using ./aws_signing_helper ...., it fetches the credentials correctly. 
The question is, how to integrate IAM roles anywhere with the spring boot application.

Answer

Hey, Thank you for posting the question.

I would start by making sure that the credential process is able to fetch temporary credentials. One way to track whats happening is via searching for CreateSession eventName in CloudTrail event history. It would look something like this:

{
    "eventVersion": "1.08",
<...omitted...>
    "eventSource": "rolesanywhere.amazonaws.com",
    "eventName": "CreateSession",
    "awsRegion": "ap-southeast-2",
<...omitted...>
    "userAgent": "CredHelper/1.0.1 (go1.18; darwin; amd64)",
    "requestParameters": {
        "cert": "<...omitted...>=",
        "durationSeconds": 3600,
        "profileArn": "arn:aws:rolesanywhere:ap-southeast-2:123456789101:profile/<...omitted...>",
        "roleArn": "arn:aws:iam::123456789101:role/RolesanywhereabacStack-onPremAppRole-<...omitted...>",
        "trustAnchorArn": "arn:aws:rolesanywhere:ap-southeast-2:123456789101:trust-anchor/<...omitted...>"
    },
    "responseElements": {
        "credentialSet": [
            {
                "assumedRoleUser": {
                    "arn": "arn:aws:sts::123456789101:assumed-role/RolesanywhereabacStack-onPremAppRole-1XU4T41ZS71V6/00a95e017de2212bb6ca21b3b0fe095a63",
                    "assumedRoleId": "<...omitted...>:<...omitted...>"
                },
                "credentials": {
                    "accessKeyId": "<...omitted...>",
                    "expiration": "2022-09-27T07:29:14Z",
                    "secretAccessKey": "HIDDEN_DUE_TO_SECURITY_REASONS",
                    "sessionToken": "<...omitted...>="
                },
                "packedPolicySize": 44,
                "roleArn": "arn:aws:iam::123456789101:role/RolesanywhereabacStack-onPremAppRole-1XU4T41ZS71V6",
                "sourceIdentity": "CN=User1"
            }
        ],
        "subjectArn": "arn:aws:rolesanywhere:ap-southeast-2:123456789101:subject/<...omitted...>",
        "x509Subject": "CN=User1"
    },
<...omitted...>
    "recipientAccountId": "123456789101",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "rolesanywhere.ap-southeast-2.amazonaws.com"
    }
}

Additionally, if you are looking to setup a proof-of-concept, we have published sample CDK app on Github that showcase how to use IAM role anywhere to fetch secrets from Secrets manager. Yours is a different use case but you may find helpful info around infrastructure and client side utility that setup AWS CLI for you:

https://github.com/aws-samples/aws-secrets-manager-abac-authorization-samples#archetype-migrating-application-is-currently-on-premises

Answer

Do this credential process set AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY variables? The spring boot apps are using these credentials to establish connection with AWS resources on the start up

Using credential process for IAM Roles Anywhere in springboot application

Relevant content