
AWS Java SDK not finding profile when using AWS SSO

I can't reach AWS when my login is made using AWS SSO. I log in from my computer using:

aws sso login --profile staging

The profile is configured like this:

[profile staging]
sso_start_url = https://som-nice-working-url
sso_region = us-east-1
sso_account_id = 1234
sso_role_name = the-role-name
region = eu-west-1
output = yaml

After doing the login I can access aws through aws cli.

Then I set the variable: AWS_PROFILE=staging. But in Java I'm getting the following exception:

com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: You must specify a value for roleArn and roleSessionName, com.amazonaws.auth.profile.ProfileCredentialsProvider@369a95a5: No AWS profile named 'staging', com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@6d6f6ca9: Failed to connect to service endpoint: ]

I have tried using the ProfileCredentialsProvider with "staging" but the result is the same.

What CredentialsProvider should I use?

My code is using the DefaultProviderChain:

AWSGlueClient.builder()
            .withRegion("eu-west-1")
            .build()

Thank you.

gorogoro asked Sep 25 '20 10:09




2 Answers

For a Java application you'll need the SSO Dependency.

As of writing the latest is version 2.16.76

// Gradle example
dependencies {
    
    implementation(platform("software.amazon.awssdk:bom:2.16.70"))
    implementation("software.amazon.awssdk:sso:2.16.76")
}

You'll also need to set a default profile in either ~/.aws/configuration or ~/.aws/credentials

More info below:

https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials.html
https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/setup.html#setup-credentials
https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/setup-additional.html#setup-additional-credentials

But, you should also be able to just set the AWS_PROFILE environment variable to your profile and it should just magically work without the SSO dependency.

In your example, specifically:

AWS_PROFILE=staging

Archmede answered Nov 05 '22 06:11


In my case, just adding the aws-sso dependency:

    <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>sso</artifactId>
    </dependency>

allows the default credentials provider chain to pick up SSO under ProfileCredentialsProvider:

[Image: Profile credentials provider with sso profile]

To work out of the box, it requires you to have the [default] profile specified. Otherwise, simply using .credentialsProvider(ProfileCredentialsProvider.create("xyz")) also works with [profile xyz].

If all fails, add the credentials provider manually:

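  1. Set up your profile file .aws/config
  2. Log in with the CLI: aws sso login --profile <your_profile>
  3. A JSON file is generated in .aws/sso/cache with contents as described here:

     {
      "startUrl": "https://my-sso-portal.awsapps.com/start",
      "region": "us-east-1",
      "accessToken": "eyJlbmMiOiJBM….",
      "expiresAt": "2020-06-17T10:02:08UTC"
     }

  4. Include in your project a dependency on software.amazon.awssdk:sso
  5. Create SsoCredentialsProvider with the data from the JSON file:

     import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
     import software.amazon.awssdk.regions.Region;
     import software.amazon.awssdk.services.sso.SsoClient;
     import software.amazon.awssdk.services.sso.auth.SsoCredentialsProvider;
     import software.amazon.awssdk.services.sso.model.GetRoleCredentialsRequest;

     // Replace each <...> placeholder with the value from the profile or the cached JSON file.
     AwsCredentialsProvider ssoCredentialsProvider = ((SsoCredentialsProvider.Builder) SsoCredentialsProvider.builder())
         .ssoClient(SsoClient.builder().region(Region.of("<REGION_FROM_JSON>")).build())
         .refreshRequest(() ->
             GetRoleCredentialsRequest.builder()
                 .roleName("<ROLE_FROM_PROFILE>")
                 .accountId("<ACCOUNT_ID_FROM_PROFILE>")
                 .accessToken("<ACCESS_TOKEN_FROM_JSON>")
                 .build()
         ).build();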

nluk answered Nov 05 '22 06:11
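
The manual steps in the answer above depend on picking the right file from .aws/sso/cache and on its token not having expired. The JDK-only class below is an added example, not code from either answer or from the AWS SDK: it reads files shaped like the JSON in step 3, checks startUrl and expiresAt, and exposes the accessToken to hand to the SsoCredentialsProvider builder. The class name SsoCacheToken, the regex-based field reader and the sample values are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.time.Instant;
import java.util.Optional;
import java.util.regex.*;

// Hypothetical helper: selects a usable SSO token from .aws/sso/cache.
public class SsoCacheToken {
    final String startUrl, region, accessToken;
    final Instant expiresAt;

    SsoCacheToken(String json) {
        startUrl = field(json, "startUrl");
        region = field(json, "region");
        accessToken = field(json, "accessToken");
        expiresAt = parseExpiry(field(json, "expiresAt"));
    }
    // Reads one string field of a flat JSON object (no nesting or escapes handled).
    static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        if (!m.find()) throw new IllegalArgumentException("missing field " + name);
        return m.group(1);
    }
    // The sample on the page ends in "UTC"; ISO-8601 "Z" is accepted as well.
    static Instant parseExpiry(String s) {
        return Instant.parse(s.endsWith("UTC") ? s.substring(0, s.length() - 3) + "Z" : s);
    }
    // Empty when the file holds no token, belongs to another start URL, or has expired.
    static Optional<SsoCacheToken> usable(String json, String startUrl, Instant now) {
        if (!json.contains("\"accessToken\"")) return Optional.empty();
        SsoCacheToken t = new SsoCacheToken(json);
        return t.startUrl.equals(startUrl) && t.expiresAt.isAfter(now) ? Optional.of(t) : Optional.empty();
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample in the shape of step 3; the token value is a placeholder.
        String url = "https://my-sso-portal.awsapps.com/start";
        String sample = "{\"startUrl\": \"" + url + "\", \"region\": \"us-east-1\","
            + " \"accessToken\": \"PLACEHOLDER\", \"expiresAt\": \"2020-06-17T10:02:08UTC\"}";
        System.out.println("before expiry: " + usable(sample, url, Instant.parse("2020-06-17T09:00:00Z")).isPresent());
        System.out.println("after expiry:  " + usable(sample, url, Instant.parse("2020-06-17T11:00:00Z")).isPresent());
        Path cache = Paths.get(System.getProperty("user.home"), ".aws", "sso", "cache");
        if (!Files.isDirectory(cache)) return;
        try (DirectoryStream<Path> files = Files.newDirectoryStream(cache, "*.json")) {
            for (Path f : files) {
                String json = new String(Files.readAllBytes(f), StandardCharsets.UTF_8);
                // Print metadata only: the access token is a bearer secret and stays out of logs.
                usable(json, url, Instant.now()).ifPresent(
                    t -> System.out.println(f.getFileName() + " valid until " + t.expiresAt));
            }
        }
    }
}
```

When no file yields a token, running aws sso login --profile <your_profile> again writes a fresh one.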