Created
September 25, 2019 08:38
-
-
Save fortejas/b7dab7cd5cbd4312590a4d0e487e3f27 to your computer and use it in GitHub Desktop.
Sample - Accessing AWS Credentials from a container
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * This Java source file was generated by the Gradle 'init' task. | |
| */ | |
| package app; | |
| import java.util.List; | |
| import software.amazon.awssdk.services.s3.model.Bucket; | |
| import software.amazon.awssdk.services.s3.S3Client; | |
| import software.amazon.awssdk.services.sts.StsClient; | |
| import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse; | |
| import software.amazon.awssdk.regions.Region; | |
| import software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider; | |
| import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider; | |
| import software.amazon.awssdk.core.exception.SdkClientException; | |
| public class App { | |
| // Set the Region to be use. This is using eu-west-1. | |
| static Region MyRegion = Region.EU_WEST_1; | |
| public static void printBuckets(S3Client client) { | |
| System.out.println("> List the buckets in our account.\n"); | |
| System.out.println("> ================================="); | |
| // List the buckets in MyRegion | |
| List<Bucket> bucketList = client.listBuckets().buckets(); | |
| for (int i = 0; i < bucketList.size(); i++) { | |
| System.out.println(bucketList.get(i).name()); | |
| } | |
| } | |
| public static void printUserIdentity(StsClient client) { | |
| System.out.println("> Which credentials are being used for this client?"); | |
| System.out.println("> ===================================================?"); | |
| GetCallerIdentityResponse callerIdentity1 = client.getCallerIdentity(); | |
| System.out.println("RoleArn: " + callerIdentity1.arn()); | |
| System.out.println("Account: " + callerIdentity1.account()); | |
| System.out.println("UserID: " + callerIdentity1.userId()); | |
| } | |
| public static void main(String[] args) { | |
| // ============================================================================================================= | |
| // Attempt to find credentials using the default provider chain. | |
| // https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html#credentials-default | |
| // ============================================================================================================= | |
| try { | |
| // Check the role that is being used with the default credentials chain. | |
| StsClient stsClient1 = StsClient.builder() | |
| .region(MyRegion) | |
| .build(); | |
| printUserIdentity(stsClient1); | |
| System.out.println("\n"); | |
| // Print the s3 buckets that these credentials can access | |
| S3Client s3Client1 = S3Client.builder() | |
| .region(MyRegion) | |
| .build(); | |
| printBuckets(s3Client1); | |
| } catch (SdkClientException err) { | |
| System.out.println("Could not use the default provider."); | |
| System.out.println(err); | |
| } | |
| System.out.println("\n\n"); | |
| // ============================================================================================================= | |
| // Force the use of the container credential provider - this is only available to tasks with a task_role set. | |
| // ============================================================================================================= | |
| try { | |
| // Check the role that is being used with the default credentials chain. | |
| StsClient stsClient2 = StsClient.builder() | |
| .region(MyRegion) | |
| .credentialsProvider(ContainerCredentialsProvider.builder().build()) | |
| .build(); | |
| printUserIdentity(stsClient2); | |
| System.out.println("\n"); | |
| // Print the s3 buckets that these credentials can access | |
| S3Client s3Client2 = S3Client.builder() | |
| .region(MyRegion) | |
| .credentialsProvider(ContainerCredentialsProvider.builder().build()) | |
| .build(); | |
| printBuckets(s3Client2); | |
| } catch (SdkClientException err) { | |
| System.out.println("Could not use the task role."); | |
| System.out.println(err); | |
| } | |
| System.out.println("\n\n"); | |
| // ============================================================================================================= | |
| // Force the use of the instance credentials. This can be blocked with an appropriate iptables rule: | |
| // https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html | |
| // ============================================================================================================= | |
| try { | |
| // Check the role that is being used with the default credentials chain. | |
| StsClient stsClient3 = StsClient.builder() | |
| .region(MyRegion) | |
| .credentialsProvider(InstanceProfileCredentialsProvider.builder().build()) | |
| .build(); | |
| printUserIdentity(stsClient3); | |
| System.out.println("\n"); | |
| // Print the s3 buckets that these credentials can access | |
| S3Client s3Client3 = S3Client.builder() | |
| .region(MyRegion) | |
| .credentialsProvider(InstanceProfileCredentialsProvider.builder().build()) | |
| .build(); | |
| printBuckets(s3Client3); | |
| } catch (SdkClientException err) { | |
| System.out.println("Could not use the instance role."); | |
| System.out.println(err); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment