Using credentials
To make requests to Amazon Web Services using the AWS SDK for Java, you must use cryptographically-signed credentials issued by AWS. You can use programmatic access keys or temporary security credentials such as AWS SSO or IAM roles to grant access to AWS resources.
For information on setting up credentials, see Set default credentials and Region and Set up credentials profiles.
Use the default credential provider chain
After you Set default credentials and Region for your environment, the AWS SDK for Java will automatically use those credentials when your application makes requests to AWS. The default credential provider chain, implemented by the DefaultCredentialsProvider
To use the default credential provider chain to supply credentials in your application, create a service client builder without specifying credentials provider configuration.
    Region region = Region.US_WEST_2;
    DynamoDbClient ddb = DynamoDbClient.builder()
        .region(region)
        .build();
Credential retrieval order
The default credential provider chain of the AWS SDK for Java 2.x searches for credentials in your environment using a predefined sequence.
Default credential provider chain

1. Java system properties
   The SDK uses the SystemPropertyCredentialsProvider class to load credentials from the aws.accessKeyId and aws.secretKey Java system properties. If aws.sessionToken is also specified, the SDK will use temporary credentials.
   Note: For information on how to set Java system properties, see the System Properties tutorial on the official Java Tutorials website.

2. Environment variables
   The SDK uses the EnvironmentVariableCredentialsProvider class to load credentials from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY system environment variables. If AWS_SESSION_TOKEN is also specified, the SDK will use temporary credentials.

3. Web identity token from AWS STS
   The SDK uses the WebIdentityTokenFileCredentialsProvider class to load credentials from Java system properties or environment variables.

4. The shared credentials and config files
   The SDK uses the ProfileCredentialsProvider to load credentials from the [default] credentials profile in the shared credentials and config files.
   Note: The credentials and config files are shared by various AWS SDKs and Tools. For more information, see The .aws/credentials and .aws/config files in the AWS SDKs and Tools Reference Guide.

5. Amazon ECS container credentials
   The SDK uses the ContainerCredentialsProvider class to load credentials from the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI system environment variable.

6. Amazon EC2 instance profile credentials
   The SDK uses the InstanceProfileCredentialsProvider class to load credentials from the Amazon EC2 metadata service.
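Because the first source that yields credentials wins, a leftover access key in a system property or environment variable silently takes precedence over a role attached to the container or instance. The following added example (not part of the SDK documentation; the class name ChainProbe is hypothetical) probes the six providers in the order listed above and reports which ones resolve, without printing any secret.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Supplier;
import software.amazon.awssdk.auth.credentials.*;

// Added example (hypothetical class name): probes each provider in the order
// listed above and reports which ones can supply credentials in this environment.
public class ChainProbe {
    public static void main(String[] args) {
        // LinkedHashMap keeps insertion order, which mirrors the documented sequence.
        Map<String, Supplier<AwsCredentialsProvider>> chain = new LinkedHashMap<>();
        chain.put("Java system properties", SystemPropertyCredentialsProvider::create);
        chain.put("Environment variables", EnvironmentVariableCredentialsProvider::create);
        chain.put("Web identity token (AWS STS)", WebIdentityTokenFileCredentialsProvider::create);
        chain.put("Shared credentials/config files", ProfileCredentialsProvider::create);
        chain.put("Amazon ECS container", () -> ContainerCredentialsProvider.builder().build());
        chain.put("Amazon EC2 instance profile", InstanceProfileCredentialsProvider::create);

        boolean winnerSeen = false;
        for (Map.Entry<String, Supplier<AwsCredentialsProvider>> link : chain.entrySet()) {
            String status;
            try {
                // Provider creation and resolution both happen inside the try block,
                // so a source that is not configured is reported instead of aborting.
                AwsCredentials creds = link.getValue().get().resolveCredentials();
                String kind = creds instanceof AwsSessionCredentials ? "temporary" : "long-term";
                status = kind + " key " + mask(creds.accessKeyId())
                        + (winnerSeen ? " (shadowed by an earlier source)" : " <- first match");
                winnerSeen = true;
            } catch (RuntimeException e) {
                status = "no credentials";
            }
            System.out.printf("%-32s %s%n", link.getKey(), status);
        }
    }

    // Show only the last four characters of the access key ID; the secret is never printed.
    static String mask(String accessKeyId) {
        int n = accessKeyId.length();
        return n <= 4 ? "****" : "****" + accessKeyId.substring(n - 4);
    }
}
```

On a host that is not an EC2 instance, the last probe waits for the metadata service to time out before reporting no credentials.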
Use a specific credentials provider or provider chain
Alternatively, you can specify which credentials provider the SDK should use. For example, if you set your default credentials using environment variables, supply an EnvironmentVariableCredentialsProvider to the credentialsProvider method on the service client builder, as in the following code snippet.
    Region region = Region.US_WEST_2;
    DynamoDbClient ddb = DynamoDbClient.builder()
        .region(region)
        .credentialsProvider(EnvironmentVariableCredentialsProvider.create())
        .build();
For a complete list of credential providers and provider chains, see All Known Implementing Classes in AwsCredentialsProvider.
You can use your own credential provider or provider chains by implementing the AwsCredentialsProvider interface.
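As an added example of implementing the AwsCredentialsProvider interface (not code from the SDK documentation; the class name TemporaryOnlyCredentialsProvider is hypothetical), the wrapper below delegates to another provider and rejects long-term access keys, so a client only ever signs requests with temporary credentials. It assumes that any credentials returned as AwsSessionCredentials are temporary.

```java
import java.util.Objects;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.dynamodb.DynamoDbClient;

// Added example (hypothetical class): a custom provider that wraps another
// provider and refuses credentials that carry no session token.
public final class TemporaryOnlyCredentialsProvider implements AwsCredentialsProvider {
    private final AwsCredentialsProvider delegate;

    public TemporaryOnlyCredentialsProvider(AwsCredentialsProvider delegate) {
        this.delegate = Objects.requireNonNull(delegate, "delegate");
    }

    @Override
    public AwsCredentials resolveCredentials() {
        AwsCredentials creds = delegate.resolveCredentials();
        // Assumption: AwsSessionCredentials (access key + secret + session token)
        // means temporary credentials; anything else is a long-term key.
        if (!(creds instanceof AwsSessionCredentials)) {
            throw SdkClientException.create(
                    "Long-term access key rejected: only temporary credentials are allowed");
        }
        return creds;
    }

    public static void main(String[] args) {
        AwsCredentialsProvider provider =
                new TemporaryOnlyCredentialsProvider(DefaultCredentialsProvider.create());
        // The client calls resolveCredentials() when it signs a request, so the
        // check runs on every call, not only when the client is built.
        try (DynamoDbClient ddb = DynamoDbClient.builder()
                .region(Region.US_WEST_2)
                .credentialsProvider(provider)
                .build()) {
            System.out.println(ddb.listTables().tableNames());
        }
    }
}
```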
Use credentials profiles
Using the shared credentials file, you can set up custom profiles, which enable you to use multiple sets of credentials in your application. The [default] profile was mentioned above. The SDK uses the ProfileCredentialsProvider to load profiles from the shared credentials file.
For information on how to set up custom profiles, see Set up credentials profiles.
This code snippet demonstrates how to build a service client that uses the credentials defined as part of the profile_name profile.
    Region region = Region.US_WEST_2;
    DynamoDbClient ddb = DynamoDbClient.builder()
        .region(region)
        .credentialsProvider(ProfileCredentialsProvider.create("profile_name"))
        .build();
Set a custom profile as the default
To set a profile other than the [default] profile as the default for your application, set the AWS_PROFILE environment variable to the name of your custom profile.
To set this variable on Linux, macOS, or Unix, use export:
    export AWS_PROFILE="other_profile"
To set this variable on Windows, use set (without quotation marks, because the Windows command prompt would store them as part of the value):
    set AWS_PROFILE=other_profile
Alternatively, set the aws.profile Java system property to the name of the profile.
Supply credentials explicitly
If the default credential chain or a specific or custom provider or provider chain doesn’t work for your application, you can supply the credentials that you want directly in code. These can be AWS account credentials, IAM credentials, or temporary credentials retrieved from AWS Security Token Service (AWS STS). If you’ve retrieved temporary credentials using AWS STS, use this method to specify the credentials for AWS access.
For security, use IAM account credentials instead of the AWS account credentials when accessing AWS. For more information, see AWS Security Credentials in the Amazon Web Services General Reference.
To explicitly supply credentials to an AWS client
1. Instantiate a class that provides the AwsCredentials interface, such as AwsSessionCredentials. Supply it with the AWS access key and secret key to use for the connection.
2. Create a StaticCredentialsProvider object and supply it with the AwsCredentials object.
3. Configure the service client builder with the StaticCredentialsProvider and build the client.
The following example creates a new service client using credentials that you supply:
    AwsBasicCredentials awsCreds = AwsBasicCredentials.create(
        "your_access_key_id",
        "your_secret_access_key");
    S3Client s3 = S3Client.builder()
        .credentialsProvider(StaticCredentialsProvider.create(awsCreds))
        .build();
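For the temporary-credentials case described above, the following added example (not from the SDK documentation) follows the same three steps with AwsSessionCredentials obtained from an AWS STS AssumeRole call, so no key material appears in source code. The class name, role ARN, and session name are placeholders, and the example assumes the sts and s3 SDK modules are on the classpath and that the default chain can authenticate the STS call.

```java
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.Credentials;

// Added example (hypothetical class name).
public class TemporaryCredentialsExample {
    // Placeholder ARN: replace with a role your caller is allowed to assume.
    private static final String ROLE_ARN = "arn:aws:iam::111122223333:role/example-role";

    static S3Client s3WithAssumedRole(StsClient sts, String roleArn) {
        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName("sdk-example-session") // placeholder session name
                .durationSeconds(900)                   // shortest lifetime AssumeRole accepts
                .build();
        Credentials tmp = sts.assumeRole(request).credentials();

        // Step 1: an AwsCredentials implementation that carries the session token.
        AwsSessionCredentials session = AwsSessionCredentials.create(
                tmp.accessKeyId(), tmp.secretAccessKey(), tmp.sessionToken());

        // Steps 2 and 3: wrap it in a StaticCredentialsProvider and build the client.
        // Static credentials are never refreshed, so this client stops working
        // when the session expires and has to be rebuilt with new credentials.
        return S3Client.builder()
                .region(Region.US_WEST_2)
                .credentialsProvider(StaticCredentialsProvider.create(session))
                .build();
    }

    public static void main(String[] args) {
        try (StsClient sts = StsClient.builder().region(Region.US_WEST_2).build();
             S3Client s3 = s3WithAssumedRole(sts, ROLE_ARN)) {
            System.out.println("Buckets visible to the role: " + s3.listBuckets().buckets().size());
        }
    }
}
```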