AWS Java SDK v2 not using IRSA IAM Role in EKS

I have a small application running in EKS, it has attached a Service Account with an IAM Role (IRSA). When the application tries to send an SQS message it fails with:

software.amazon.awssdk.services.sqs.model.SqsException: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied. (Service: Sqs, Status Code: 403

My code is:

    import software.amazon.awssdk.regions.Region;
    import software.amazon.awssdk.services.sqs.SqsClient;
    import software.amazon.awssdk.services.sqs.model.SendMessageRequest;

    // No explicit credentials provider: relies on the default provider chain
    SqsClient sqsClient = SqsClient.builder()
            .region(Region.US_EAST_1)
            .build();

    sqsClient.sendMessage(SendMessageRequest.builder()
            .queueUrl(queueUrl)
            .messageBody(message)
            .build());

I already checked the IAM permissions and they have the correct access, and the OIDC trust relationship seems fine. If I enter the pod I can run aws sts get-caller-identity and I get the correct role:

bash-4.4# aws sts get-caller-identity
{
    "UserId": "ASDFSDFSDF:botocore-session-12345678",
    "Account": "123456789",
    "Arn": "arn:aws:sts::123456789:assumed-role/eksctl-role/botocore-session-12345678"
}

Why is Java not using this role?



Solution 1:

When using IAM Roles for Service Accounts (IRSA) the Java library authenticates using WebIdentityTokenFileCredentialsProvider, and it requires the sts module to work.

Documentation

Use of this credentials provider requires the 'sts' module to be on the classpath.

Adding the sts dependency in my gradle file solved the issue and now it uses the correct IAM role:

    implementation platform('software.amazon.awssdk:bom:2.15.0')
    implementation 'software.amazon.awssdk:sts'
    implementation 'software.amazon.awssdk:sqs'
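A way to make the IRSA dependency explicit and confirm from inside the application which principal the SDK actually resolved, as an added example that is not code from the question or the answer above. It assumes the sts and sqs modules from the Gradle snippet are on the classpath, and takes the queue URL from the first argument or a hypothetical QUEUE_URL environment variable:

```java
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsClient;
import software.amazon.awssdk.services.sqs.model.SendMessageRequest;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

public class IrsaCheck {

    // IRSA injects these two variables into the pod; the provider reads both.
    // Failing early here distinguishes "IRSA not wired up" from "IRSA wired up
    // but the SDK ignored it".
    private static void requireIrsaEnv() {
        for (String name : new String[] {"AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_ARN"}) {
            String value = System.getenv(name);
            if (value == null || value.isEmpty()) {
                throw new IllegalStateException("IRSA not configured: " + name + " is not set");
            }
        }
    }

    public static void main(String[] args) {
        requireIrsaEnv();

        // Explicit provider instead of the default chain: if the 'sts' module is
        // missing, this throws at startup instead of the chain skipping the
        // provider and resolving some other credential source.
        WebIdentityTokenFileCredentialsProvider provider =
                WebIdentityTokenFileCredentialsProvider.create();

        // Same check as `aws sts get-caller-identity`, but with the SDK's own
        // resolved credentials, before any SQS call is attempted.
        try (StsClient sts = StsClient.builder()
                .region(Region.US_EAST_1)
                .credentialsProvider(provider)
                .build()) {
            GetCallerIdentityResponse id = sts.getCallerIdentity();
            System.out.println("SDK is running as: " + id.arn());
        }

        // Hypothetical input: queue URL from argv or QUEUE_URL
        String queueUrl = args.length > 0 ? args[0] : System.getenv("QUEUE_URL");
        try (SqsClient sqs = SqsClient.builder()
                .region(Region.US_EAST_1)
                .credentialsProvider(provider)
                .build()) {
            sqs.sendMessage(SendMessageRequest.builder()
                    .queueUrl(queueUrl)
                    .messageBody("irsa smoke test")
                    .build());
        }
    }
}
```

If the printed ARN is the node instance role rather than the IRSA role, the credential chain never reached the web identity provider; pinning the provider explicitly as above turns that into a startup error instead of a 403 from SQS.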

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 danie