Assume role with WebIdentity request in Java

The microservice in Kubernetes needs to access the APIs hosted in a private AWS API Gateway. Authentication and authorization are AWS_IAM.

Kubernetes has the proper environment variables AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN.

The pods in Kubernetes are running with a service account. For AWS_IAM, we need the session token to be generated.

  1. WebIdentityTokenFileCredentialsProvider.create() helps to generate only the access key and access secret. This does not generate the session token.

  2. So basically, we need to convert the STS CLI command to Java:

    aws sts assume-role-with-web-identity \
     --role-arn $AWS_ROLE_ARN \
     --role-session-name mysession \
     --web-identity-token file://$AWS_WEB_IDENTITY_TOKEN_FILE \
     --duration-seconds 1000 > /tmp/irp-cred.txt
    
  3. I am passing the correct things in the Java code:

    // Imports for the STS classes used below (software.amazon.awssdk:sts).
    import software.amazon.awssdk.services.sts.StsClient;
    import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;
    import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityResponse;
    import software.amazon.awssdk.services.sts.model.Credentials;

    AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest = AssumeRoleWithWebIdentityRequest.builder()
            .webIdentityToken("file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token")
            .roleArn("arn:aws:iam::*:role/eks/test")
            .roleSessionName("user")
            .build();
    log.info("AssumeRoleWithWebIdentityRequest:{}", assumeRoleWithWebIdentityRequest.toString());

    StsClient stsClient = StsClient.builder()
            .region(region)
            .build();
    AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse =
            stsClient.assumeRoleWithWebIdentity(assumeRoleWithWebIdentityRequest);
    log.info("AssumeRoleWithWebIdentityResponse:{}", assumeRoleWithWebIdentityResponse.toString());

    Credentials credentials = assumeRoleWithWebIdentityResponse.credentials();
    // Note: this logs the secret access key and session token in plaintext.
    log.info("credentials, AccessKey:{},AccessSecret:{},AccessToken:{}",
            credentials.accessKeyId(), credentials.secretAccessKey(), credentials.sessionToken());
    
  4. I am using the dependency below:

    <dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>acm</artifactId>
        <version>2.17.102</version>
    </dependency>
    

But this is not working.

Can someone please help?
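The STS exchange from the CLI command in item 2, written as a self-contained Java method. This is an added example, not code from the question; it assumes Java 11+, the software.amazon.awssdk:sts artifact on the classpath (the acm artifact listed above does not contain the STS client) and the two pod environment variables named in the question. The CLI resolves the file:// prefix itself, whereas the SDK's webIdentityToken takes the token string, so the file is read first.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;
import software.amazon.awssdk.services.sts.model.Credentials;

/** Exchanges the projected service-account token for temporary STS session credentials. */
public final class WebIdentitySessionCredentials {

    public static AwsSessionCredentials assume(Region region) throws Exception {
        // Both variables are injected into the pod (assumed to be set, as in the question).
        String tokenFile = System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE");
        String roleArn = System.getenv("AWS_ROLE_ARN");
        if (tokenFile == null || roleArn == null) {
            throw new IllegalStateException("AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN must be set");
        }

        // The SDK wants the JWT itself, not a file:// reference; only the CLI resolves file://.
        String token = Files.readString(Path.of(tokenFile), StandardCharsets.UTF_8).trim();

        AssumeRoleWithWebIdentityRequest request = AssumeRoleWithWebIdentityRequest.builder()
                .roleArn(roleArn)
                .roleSessionName("mysession")   // same session name as the CLI command
                .webIdentityToken(token)
                .durationSeconds(1000)
                .build();

        // AssumeRoleWithWebIdentity is an unsigned call, so the STS client needs no credentials.
        try (StsClient sts = StsClient.builder()
                .region(region)
                .credentialsProvider(AnonymousCredentialsProvider.create())
                .build()) {
            Credentials c = sts.assumeRoleWithWebIdentity(request).credentials();
            // All three parts are returned; the session token is what AWS_IAM signing needs.
            // Do not log c.secretAccessKey() or c.sessionToken(); c.expiration() is safe to log.
            return AwsSessionCredentials.create(c.accessKeyId(), c.secretAccessKey(), c.sessionToken());
        }
    }
}
```

The returned AwsSessionCredentials can be wrapped in StaticCredentialsProvider.create(...) and handed to whichever SDK client signs the API Gateway requests.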

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
