Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Making Requests Using IAM User Temporary Credentials - AWS SDK for Java

An IAM user or an AWS account can request temporary security credentials (see Making Requests) using the AWS SDK for Java and use them to access Amazon S3. These credentials expire after the session duration. By default, the session duration is one hour. If you use IAM user credentials, you can specify a duration, between 1 and 36 hours, when requesting the temporary security credentials.

Making Requests Using IAM User Temporary Security Credentials

1. Create an instance of the AWS Security Token Service client AWSSecurityTokenServiceClient.

2. Start a session by calling the GetSessionToken method of the STS client you created in the preceding step. You provide session information to this method using a GetSessionTokenRequest object.

   The method returns your temporary security credentials.

3. Package the temporary security credentials in an instance of the BasicSessionCredentials object so you can provide the credentials to your Amazon S3 client.

4. Create an instance of the AmazonS3Client class by passing in the temporary security credentials.

   You send the requests to Amazon S3 using this client. If you send requests using expired credentials, Amazon S3 returns an error.


The following Java code sample demonstrates the preceding tasks.

// In real applications, the following code is part of your trusted code. It has
// your security credentials you use to obtain temporary security credentials.
AWSSecurityTokenServiceClient stsClient =
        new AWSSecurityTokenServiceClient(new ProfileCredentialsProvider());

// Manually start a session.
GetSessionTokenRequest getSessionTokenRequest = new GetSessionTokenRequest();
// Following duration can be set only if temporary credentials are requested by an IAM user.
getSessionTokenRequest.setDurationSeconds(7200);

GetSessionTokenResult sessionTokenResult =
        stsClient.getSessionToken(getSessionTokenRequest);
Credentials sessionCredentials = sessionTokenResult.getCredentials();

// Package the temporary security credentials as
// a BasicSessionCredentials object, for an Amazon S3 client object to use.
BasicSessionCredentials basicSessionCredentials =
        new BasicSessionCredentials(sessionCredentials.getAccessKeyId(),
                                    sessionCredentials.getSecretAccessKey(),
                                    sessionCredentials.getSessionToken());

// The following will be part of your less trusted code. You provide temporary security
// credentials so it can send authenticated requests to Amazon S3.
// Create Amazon S3 client by passing in the basicSessionCredentials object.
AmazonS3Client s3 = new AmazonS3Client(basicSessionCredentials);

// Test. For example, get object keys in a bucket.
ObjectListing objects = s3.listObjects(bucketName);

Example

Note

If you obtain temporary security credentials using your AWS account credentials, the temporary security credentials are valid for only one hour. You can specify session duration only if you use IAM user credentials to request a session.

The following Java code example lists the object keys in the specified bucket. For illustration, the code example obtains temporary security credentials for a default one-hour session and uses them to send an authenticated request to Amazon S3.

If you want to test the sample using IAM user credentials, you will need to create an IAM user under your AWS Account. For more information about how to create an IAM user, go to Set Up a Group, Grant Permissions, and Add Users in the IAM Getting Started Guide.

import java.io.IOException;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
import com.amazonaws.services.securitytoken.model.GetSessionTokenResult;
import com.amazonaws.services.s3.model.ObjectListing;

public class S3Sample {
    private static String bucketName = "*** Provide bucket name ***";

    public static void main(String[] args) throws IOException {
        // Trusted code: the STS client is created with your long-term credentials.
        AWSSecurityTokenServiceClient stsClient =
                new AWSSecurityTokenServiceClient(new ProfileCredentialsProvider());

        // Start a session with the default one-hour duration.
        GetSessionTokenRequest getSessionTokenRequest =
                new GetSessionTokenRequest();

        GetSessionTokenResult sessionTokenResult =
                stsClient.getSessionToken(getSessionTokenRequest);
        Credentials sessionCredentials = sessionTokenResult.getCredentials();
        // Print only non-secret session metadata; do not write the secret
        // access key or the session token to output or logs.
        System.out.println("Session access key ID: "
                + sessionCredentials.getAccessKeyId()
                + ", expires: " + sessionCredentials.getExpiration());

        // Package the session credentials as a BasicSessionCredentials
        // object for an S3 client object to use.
        BasicSessionCredentials basicSessionCredentials =
                new BasicSessionCredentials(sessionCredentials.getAccessKeyId(),
                                            sessionCredentials.getSecretAccessKey(),
                                            sessionCredentials.getSessionToken());
        AmazonS3Client s3 = new AmazonS3Client(basicSessionCredentials);

        // Test. For example, get object keys for a given bucket.
        ObjectListing objects = s3.listObjects(bucketName);
        System.out.println("No. of Objects = " +
                objects.getObjectSummaries().size());
    }
}
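
Step 4 of the procedure notes that Amazon S3 returns an error for requests sent with expired credentials. The following added example (not part of the original guide or of the AWS SDK) wraps the same GetSessionToken call in a credentials provider that starts a new session shortly before the current one expires. The class name RefreshingSessionProvider and the five-minute margin are assumptions.

```java
import java.util.Date;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;

// Hypothetical helper (not an SDK class): hands out temporary credentials and
// requests a new session shortly before the current one expires.
public class RefreshingSessionProvider implements AWSCredentialsProvider {
    private static final long REFRESH_MARGIN_MS = 5 * 60 * 1000L; // assumed margin
    private final AWSSecurityTokenServiceClient stsClient; // trusted: holds long-term keys
    private final int durationSeconds;
    private Credentials current; // last result of GetSessionToken
    public RefreshingSessionProvider(AWSSecurityTokenServiceClient stsClient, int durationSeconds) {
        this.stsClient = stsClient;
        this.durationSeconds = durationSeconds;
    }

    @Override
    public synchronized AWSCredentials getCredentials() {
        if (current == null || expiresSoon(current.getExpiration(), new Date())) {
            refresh();
        }
        return new BasicSessionCredentials(current.getAccessKeyId(),
                current.getSecretAccessKey(), current.getSessionToken());
    }

    @Override
    public synchronized void refresh() {
        current = stsClient.getSessionToken(
                new GetSessionTokenRequest().withDurationSeconds(durationSeconds)).getCredentials();
    }

    // True when the session has expired or will expire within the margin.
    static boolean expiresSoon(Date expiration, Date now) {
        return expiration.getTime() - now.getTime() <= REFRESH_MARGIN_MS;
    }

    public static void main(String[] args) {
        AWSSecurityTokenServiceClient sts =
                new AWSSecurityTokenServiceClient(new ProfileCredentialsProvider());
        // 7200 seconds can be requested only with IAM user credentials.
        AmazonS3Client s3 = new AmazonS3Client(new RefreshingSessionProvider(sts, 7200));
        System.out.println(s3.listObjects("*** Provide bucket name ***").getObjectSummaries().size());
    }
}
```

Only the provider object needs to reach the less trusted code; the STS client and the long-term credentials behind it stay on the trusted side.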