S3 integration using IAM key and secret works with AWS .NET libraries but fails with AWS Java 2 libraries. What am I missing here?

[ymeric]

I have two solutions, one built using .NET Core 6 and AWSSDK.3 and AWSSDK.SecurityToken Nugets, the other built using AWS S3 and AWS STS Maven packages for AWS Java SDK 2.x. Both apps are running on prem, first one on Windows, the other running on Linux container. Here are the two lines of code (excluding the library references) that gets assumes the role that I need and auto refreshes the expired token in .NET Core:

using Amazon.Runtime;
using Amazon.S3;
using Amazon.S3.Model;

.. that part of the code is omitted because they are unrelated

awsCredentials = new AssumeRoleAWSCredentials(new BasicAWSCredentials(_awsKey, _awsSecret), _awsRoleARN, sessionName);
using AmazonS3Client s3Client = new(awsCredentials, Amazon.RegionEndpoint.USEast1);

The following calls to get or put objects to S3 works perfectly fine. No need for anything else but the IAM key and secret.

In Java on the other hand, the only way to make S3 integration work is to use the AWS CLI tool to get a token or run the code in AWS. I tried any and all sample codes I could find from Amazon and elsewhere but couldn't figure out to implement the NET Core equivalent solution where I would only need the IAM key and secret and wouldn't bother for token expiration.

Here is the last version of my code which complains about the token being expired because it ignores the IAM key and secret and looks for the token in the .aws\credentials file. Is there a way to have the simplicity in Java like the one provided by AWS for the NET core world? Again, my app is running on prem so the environment is not able to handle the AWS token handling.

import software.amazon.awssdk.auth.credentials.*;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.services.sts.model.StsException;

.. that part of the code is omitted because they are unrelated

public S3Client getS3Client() {
	if (s3Client == null) {
		// This one relies on environmental security
		// s3Client =
		// S3Client.builder().credentialsProvider(DefaultCredentialsProvider.create()).build();

		String roleSessionName = UUID.randomUUID().toString();
		StsClient stsClient = StsClient.builder().region(Region.US_EAST_1).credentialsProvider(
				StaticCredentialsProvider.create(AwsBasicCredentials.create(awsAccessKeyId, awsSecretAccessKey)))
				.build();
		assumeGivenRole(stsClient, awsRoleArn, roleSessionName);
		stsClient.close();
	}
	return s3Client;
}

public void assumeGivenRole(StsClient stsClient, String roleArn, String roleSessionName) {
	try {
		AssumeRoleRequest roleRequest = AssumeRoleRequest.builder().roleArn(roleArn)
				.roleSessionName(roleSessionName).build();

		AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest); //Fails here complaining about expired token
		Credentials myCreds = roleResponse.credentials();
		String tokenInfo = myCreds.sessionToken();
	} catch (StsException e) {
		logger.error(e.getMessage());
	}
}

[ymeric]

Turns out my debugging setup was incomplete. Here is how I resolved the issue:

1. Provided the AWS IAM key and secret as VM arguments in the debug configuration of the Eclipse UI:

-Dspring.profiles.active=local -Daws.region={myRegion} -Daws.accessKeyId={IAMKey} -Daws.secretAccessKey={IAMSecret}

2. Set the role ARN as an application.properties setting.
3. Updated my factory as follows. The refreshToken() method is for refreshing the token before it expires, if needed.

import java.util.UUID;

import javax.annotation.PostConstruct;

import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import com.somepackage.IAWSFactory;

import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

@service
public class AWSFactory implements IAWSFactory {
private static final org.slf4j.Logger logger = LoggerFactory.getLogger(AWSFactory.class);

@Value("${s3.roleArn}")
private String awsRoleArn;

private S3Client s3Client;

private StsClient stsClient = StsClient.builder()
		.credentialsProvider(DefaultCredentialsProvider.create()).build();

public AWSFactory() {
}

@PostConstruct
private void Init() {
	getS3Client();
}

public S3Client refreshToken() {
	s3Client = null;
	return getS3Client();
}

public S3Client getS3Client() {
	if (s3Client == null) {
		try {
			String roleSessionName = UUID.randomUUID().toString();
			StsAssumeRoleCredentialsProvider credentialProvider = StsAssumeRoleCredentialsProvider.builder()
					.stsClient(stsClient).refreshRequest(() -> AssumeRoleRequest.builder().roleArn(awsRoleArn)
							.roleSessionName(roleSessionName).build())
					.build();
			s3Client = S3Client.builder()
					.credentialsProvider(credentialProvider).build();
		} catch (Exception ex) {
			logger.error("getS3Client request failed: {}", ex.getMessage());
		}
	}
	return s3Client;
}

}