
Support temporary security credentials #18

Open
gspadotto opened this issue Mar 17, 2020 · 0 comments

Description:
The current implementation relies on the fact that so-called "long-term" credentials are provided.
There are use cases in which access to the SQS queue (and, generally speaking, to AWS services) is temporarily granted through the "Assume Role" functionality, see:
Delegating API Access to AWS Services Using IAM Roles

Besides the existing input parameters, the following ones should be added:

  1. Boolean useDelegation (default: false): in order to distinguish which kind of credentials to use (long or short-term)
  2. String roleArn (mandatory only if "useDelegation" is true): the Role ARN
  3. String roleSessionName (mandatory only if "useDelegation" is true): the Role Session Name

The high-level flow should be like the following:

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;

// Regional SQS endpoint; the SQS client itself only ever sees the temporary credentials.
EndpointConfiguration endpointConfiguration =
        new EndpointConfiguration("sqs.<REGION_HERE>.amazonaws.com", "<REGION_HERE>");

AmazonSQS sqs = AmazonSQSClientBuilder.standard()
        .withEndpointConfiguration(endpointConfiguration)
        .withCredentials(this.getSTSAssumeRoleSessionCredentialsProvider())
        .build();
// ...
// Provider that calls AssumeRole through the STS client and refreshes the session credentials before they expire.
private AWSCredentialsProvider getSTSAssumeRoleSessionCredentialsProvider() {
    return new STSAssumeRoleSessionCredentialsProvider.Builder(
                    <ROLE_ARN_HERE>,
                    <ROLE_SESSION_NAME_HERE>)
            .withStsClient(getAWSSecurityTokenService())
            .build();
}
// ...
// STS client authenticated with the long-term credentials; only this client uses them.
private AWSSecurityTokenService getAWSSecurityTokenService() {
    AWSCredentialsProvider credentialsProvider = new AWSStaticCredentialsProvider(envCredentials());

    return AWSSecurityTokenServiceClientBuilder.standard()
            .withRegion(<REGION_HERE>)
            .withCredentials(credentialsProvider)
            .build();
}
// ...
// Long-term credentials read from the environment; XXXXCredentialsProvider is a placeholder for the concrete provider.
private AWSCredentials envCredentials() {
    AWSCredentials creds = new XXXXCredentialsProvider().getCredentials();
    // Note: this trace statement writes the secret access key to the log in clear text.
    log.trace(
            String.format(
                    "Long Term Credentials:\nAccessKeyId = %s\nSecretKey = %s",
                    creds.getAWSAccessKeyId(),
                    creds.getAWSSecretKey()));
    return creds;
}
```

Suggested Labels:
Improvement

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:
None
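One way the three proposed parameters could be wired into a credentials provider, as an added example that is not part of the original issue and not the project's own code. The class `SqsCredentialsFactory`, the `ConnectorParams` holder and the 900-second session duration are assumptions; the AWS SDK v1 calls are the same ones the issue uses.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

/** Chooses the credentials provider from the parameters proposed in this issue (hypothetical helper). */
public final class SqsCredentialsFactory {

    /** Parameter holder assumed for this example; the connector's real config object may differ. */
    public static final class ConnectorParams {
        public String accessKeyId;      // existing long-term credential parameters
        public String secretAccessKey;
        public String region;
        public boolean useDelegation;   // proposed: false keeps today's behaviour
        public String roleArn;          // proposed: mandatory when useDelegation is true
        public String roleSessionName;  // proposed: mandatory when useDelegation is true
    }

    /** Returns the static provider, or an STS assume-role provider that refreshes itself. */
    public static AWSCredentialsProvider credentialsProvider(ConnectorParams p) {
        AWSCredentialsProvider longTerm = new AWSStaticCredentialsProvider(
                new BasicAWSCredentials(p.accessKeyId, p.secretAccessKey));
        if (!p.useDelegation) {
            return longTerm;
        }
        // Fail at configuration time rather than on the first AssumeRole call.
        if (isBlank(p.roleArn) || isBlank(p.roleSessionName)) {
            throw new IllegalArgumentException(
                    "roleArn and roleSessionName are mandatory when useDelegation is true");
        }
        // The long-term keys are handed only to the STS client; the SQS client never sees them.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(p.region)
                .withCredentials(longTerm)
                .build();
        // The provider caches the temporary credentials and calls AssumeRole again before they expire.
        return new STSAssumeRoleSessionCredentialsProvider.Builder(p.roleArn, p.roleSessionName)
                .withStsClient(sts)
                .withRoleSessionDurationSeconds(900) // assumed: 15 min, the shortest lifetime STS accepts
                .build();
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }
}
```

The returned provider can be passed straight to `AmazonSQSClientBuilder.standard().withCredentials(...)` exactly as in the flow above, so the SQS client code does not need to know which kind of credentials is in use.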
