Supply temporary credentials in code
If the default credential chain or a specific or custom provider or provider chain doesn't work for your application, you can supply temporary credentials directly in code. These can be IAM role credentials as described above or temporary credentials retrieved from AWS Security Token Service (AWS STS). If you retrieved temporary credentials using AWS STS, provide them to an AWS service client as shown in the following code example.
-
Assume a role by calling
StsClient.assumeRole(). -
Create a StaticCredentialsProvider
object and supply it with the AwsSessionCredentialsobject. -
Configure the service client builder with the
StaticCredentialsProviderand build the client.
The following example creates an Amazon S3 service client using temporary credentials returned by AWS STS for an IAM assumed role.
// The AWS IAM Identity Center identity (user) who executes this method does not have permission to list buckets. // The identity is configured in the [default] profile. public static void assumeRole(String roleArn, String roleSessionName) { // The IAM role represented by the 'roleArn' parameter can be assumed by identities in two different accounts // and the role permits the user to only list buckets. // The SDK's default credentials provider chain will find the single sign-on settings in the [default] profile. // The identity configured with the [default] profile needs permission to call AssumeRole on the STS service. try { Credentials tempRoleCredentials; try (StsClient stsClient = StsClient.create()) { AssumeRoleRequest roleRequest = AssumeRoleRequest.builder() .roleArn(roleArn) .roleSessionName(roleSessionName) .build(); AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest); tempRoleCredentials = roleResponse.credentials(); } // Use the following temporary credential items for the S3 client. String key = tempRoleCredentials.accessKeyId(); String secKey = tempRoleCredentials.secretAccessKey(); String secToken = tempRoleCredentials.sessionToken(); // List all buckets in the account associated with the assumed role // by using the temporary credentials retrieved by invoking stsClient.assumeRole(). StaticCredentialsProvider staticCredentialsProvider = StaticCredentialsProvider.create( AwsSessionCredentials.create(key, secKey, secToken)); try (S3Client s3 = S3Client.builder() .credentialsProvider(staticCredentialsProvider) .build()) { List<Bucket> buckets = s3.listBuckets().buckets(); for (Bucket bucket : buckets) { System.out.println("bucket name: " + bucket.name()); } } } catch (StsException | S3Exception e) { logger.error(e.getMessage()); System.exit(1); } }
The following permission set defined in AWS IAM Identity Center allows the identity (user) to perform the following two operations
-
The
GetObjectoperation of the Amazon Simple Storage Service. -
The
AssumeRoleoperation of the AWS Security Token Service.
Without assuming the role, the s3.listBuckets() method shown in the
example would fail.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "sts:AssumeRole" ], "Resource": [ "*" ] } ] }
Assumed role permissions policy
The following permissions policy is attached to the role that is assume in the previous example. This permissions polilcy permits the ability to list all buckets in the same account as the role.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets" ], "Resource": [ "*" ] } ] }
Assumed role trust policy
The following trust policy is attached to the role that is assume in the previous example. The policy allows the role to be assumed by identities (users) in two accounts.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::111122223333:root", "arn:aws:iam::555555555555:root" ] }, "Action": "sts:AssumeRole", "Condition": {} } ] }
