无法从环境变量(AWS_ACCESS_KEY_ID(或AWS_ACCESS_KEY)和AWS_SECRET_KEY(或AWS_SECRET_ACCESS_KEY))加载AWS凭证

时间:2020-05-05 09:00:13

标签: spring amazon-web-services spring-boot amazon-s3

我必须使用Spring Boot创建一个访问S3的应用程序。他们不希望accessKey和secretKEy存在于代码中的任何位置。为此,他们给了我一个arn角色,但是如果没有accessKey和secretKey,我不知道如何连接。

由于他们不想在代码中使用这两个参数,因此我决定尝试将其放入我的环境变量中(我不知道这是否对他们有用)。问题仍然存在于我的环境变量中:

These variables have the correct value only I can't show them

(这些变量只有我不能显示的值才正确)

然后在我的Spring Boot应用程序中,我具有以下构造函数:

AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(new EnvironmentVariableCredentialsProvider())
                .build();

但是,所有这些都会返回以下错误:

Caused by: com.amazonaws.SdkClientException: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY))
    at com.amazonaws.auth.EnvironmentVariableCredentialsProvider.getCredentials(EnvironmentVariableCredentialsProvider.java:50)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1213)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:789)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:739)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:732)
    ....

我的目的是通过以下角色做到这一点:

AssumeRoleRequest assumeRequest = new 
AssumeRoleRequest().withRoleArn(roleArn).withDurationSeconds(3600)
        .withRoleSessionName(sessionName);
    AssumeRoleResult roleResponse = stsClient.assumeRole(assumeRequest);

    Credentials sessionCredentials = roleResponse.getCredentials();

    BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
            sessionCredentials.getAccessKeyId(),
            sessionCredentials.getSecretAccessKey(),
            sessionCredentials.getSessionToken());

1 个答案:

答案 0 :(得分:0)

您可以使用 STSAssumeRoleSessionCredentialsProvider 担任该角色。如果提供,以下方法使用假定角色。如果不是,它将使用来自 Env varaibales 的凭据。

 @Value("${cloud.aws.assumeRole}")
    private String assumeRoleARN;

    @Bean
    @Primary
    public AWSCredentialsProvider awsCredentialsProvider() {
        if (StringUtils.isNotEmpty(assumeRoleARN)) {
            log.info("Assuming role {}",assumeRoleARN);
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                    .withCredentials(new ProfileCredentialsProvider("<<profile_name>>"))
                    .withRegion(US_EAST_1)
                    .build();
            return new STSAssumeRoleSessionCredentialsProvider
                    .Builder(assumeRoleARN, "LocalAssumeRoleSession")
                    .withStsClient(stsClient)
                    .build();
        }
        return DefaultAWSCredentialsProviderChain.getInstance();
    }
相关问题
最新问题