Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

STSAssumeRoleSessionCredentialsProvider with external ID #367

Closed
jnewbigin opened this issue Aug 14, 2018 · 5 comments
Closed

STSAssumeRoleSessionCredentialsProvider with external ID #367

jnewbigin opened this issue Aug 14, 2018 · 5 comments
Labels
enhancement

Comments

@jnewbigin
Copy link

I am successfully using:
AWSCredentialsProvider = STSAssumeRoleSessionCredentialsProvider|arn:aws:iam::<account_id>:role/<role_name>|<session_name>

However I am now required to add an external id for the assume role.

STSAssumeRoleSessionCredentialsProvider does support this but there does not seem to be a way to pass it in via the AWSCredentialsProviderPropertyValueDecoder.

I am not a java expert so it may be that it is not obvious exactly how to do that.

Question 2:
If I must write my own custom provider to get this functionality, must I also use the com.amazonaws.auth. namespace in order for AWSCredentialsProviderPropertyValueDecoder to find it?
@jnewbigin
Copy link
Author

jnewbigin commented Aug 14, 2018
edited
Loading

I found the answer to Q2 by my self.
* 3. Customer provides a custom credentials provider with full name of provider

@jnewbigin
Copy link
Author

I managed to get my requirement working by adding this class

package com.au.zzz;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.AWSSessionCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;

public class ZZZCredentialsProvider implements AWSSessionCredentialsProvider {
        private STSAssumeRoleSessionCredentialsProvider provider;

        public ZZZCredentialsProvider(String roleArn, String roleSessionName, String roleExternalId) {
                provider = new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, roleSessionName).withExternalId(roleExternalId).build();
        }

        public AWSSessionCredentials getCredentials() {
                return provider.getCredentials();
        }

        public void refresh() {
        }
}

And then properties
AWSCredentialsProvider = com.au.zzz.ZZZCredentialsProvider|arn:aws:iam::<account_id>:role/<role_name>|<session_name>|<external_id>

@jnewbigin
Copy link
Author

If AWSCredentialsProviderPropertyValueDecoder had some mechanism to use the Builder pattern rather than string constructors then we would not need to write custom java code.

@pfifer
Copy link
Contributor

pfifer commented Aug 23, 2018

Thanks for reporting this.

We are currently working on the MultiLang Daemon for the 2.x release, and will be looking at making credentials creation easier.

stair-aws added a commit to stair-aws/amazon-kinesis-client that referenced this issue Aug 3, 2023
@stair-aws
[awslabs#367] Enhanced multi-lang AWSCredentialsProvider=... decode…
aea3b60 
…r and construction.

+ added support for external ids (issue awslabs#367)
+ added support for endpoint+region (e.g., STS via VPC)
stair-aws added a commit to stair-aws/amazon-kinesis-client that referenced this issue Aug 3, 2023
@stair-aws
[awslabs#367] Enhanced multi-lang AWSCredentialsProvider=... decode…
e6b51b7 
…r and construction.

+ added support for external ids (issue awslabs#367)
+ added support for endpoint+region (e.g., STS via VPC)
stair-aws added a commit to stair-aws/amazon-kinesis-client that referenced this issue Aug 3, 2023
@stair-aws
[awslabs#367] Enhanced multi-lang AWSCredentialsProvider=... decode…
0bea768 
…r and construction.

+ added support for external ids (issue awslabs#367)
+ added support for endpoint+region (e.g., STS via VPC)
@stair-aws stair-aws mentioned this issue Aug 3, 2023
Merged
stair-aws added a commit to stair-aws/amazon-kinesis-client that referenced this issue Aug 3, 2023
@stair-aws
[awslabs#367] Enhanced multi-lang AWSCredentialsProvider=... decode…
5389a0f 
…r and construction.

+ added support for external ids (issue awslabs#367)
+ added support for endpoint+region (e.g., STS via VPC)
stair-aws added a commit to stair-aws/amazon-kinesis-client that referenced this issue Aug 3, 2023
@stair-aws
[awslabs#367] Enhanced multi-lang AWSCredentialsProvider=... decode…
c0be0cb 
…r and construction.

+ added support for external ids (issue awslabs#367)
+ added support for endpoint+region (e.g., STS via VPC)
stair-aws added a commit to stair-aws/amazon-kinesis-client that referenced this issue Aug 4, 2023
@stair-aws
[awslabs#367] Enhanced multi-lang AWSCredentialsProvider=... decode…
1295088 
…r and construction.

+ added support for external ids (issue awslabs#367)
+ added support for endpoint+region (e.g., STS via VPC)
stair-aws added a commit that referenced this issue Aug 7, 2023
@stair-aws
[#367] Enhanced multi-lang AWSCredentialsProvider=... decoder and c… (
2f4ff65 
#1184)

* [#367] Enhanced multi-lang `AWSCredentialsProvider=...` decoder and construction.

+ added support for external ids (issue #367)
+ added support for endpoint+region (e.g., STS via VPC)

* Multiple multi-lang edits to introduce logging and additional tests.

+ added `ENDPOINT_REGION` nested key for a simpler Cx experience
+ deduplicated, and improved, logic w.r.t. CredentialsProvider
construction to NOT swallow Exceptions

* Relocated `multilang.properties` from `main/resources` to `test/resources`
@stair-aws stair-aws mentioned this issue Aug 7, 2023
Merged
@stair-aws
Copy link
Contributor

(Please disregard the unintentional spam from force-pushing.)

Starting w/ KCL 2.5.2, you no longer need to author your own Java class(es) to set an external id. This can now be done by appending an optional nested property of |externalId=<externalId>. You can read more about this documented feature here: https://github.com/awslabs/amazon-kinesis-client/blob/master/docs/multilang/configuring-credential-providers.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jnewbigin @pfifer @stair-aws and others