We have a non-AWS Kotlin application that needs to download and process files from an AWS S3 bucket outside our organization. Instead of giving us permanent credentials, the vendor has instructed us to use aws_signing_helper, a command-line tool that generates temporary credentials from a certificate and a private key.
Is there a better way to obtain temporary credentials than running this command-line tool on the same machine as our application? I was hoping there would be a way to do this with the SDK, but I could not find any examples in the Amazon documentation.
I had a similar requirement for Java and Spring Boot based code.
I have written a blog post about a similar problem. Link here
The sample code repository is on GitHub here
The code refreshes the AWS credentials before the previous set expires. This behaviour can be configured with a simple boolean flag.
With this approach there is no need to customize the build package to force-include the aws signing helper.
I hope you can reuse most of the code provided in my links.
Happy to help further.
Sample configuration:
// Imports assumed for this configuration class (Spring, Jackson and the AWS SDK for Java v2).
// IAMRolesAnywhereSessionsCredentialsProvider and AwsRolesAnywhereProperties come from the
// linked repository and are assumed to live in the same package as this class.
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;

@Configuration
public class AwsConfig {

    // Variant 1: the provider reads role, profile, trust anchor, key and certificate
    // from the bound AwsRolesAnywhereProperties object.
    @Bean
    public AwsCredentialsProvider awsCredentialsProvider(final AwsRolesAnywhereProperties awsRolesAnywhereProperties,
                                                         final ObjectMapper objectMapper) {
        var rolesAnywhereCredentialsProvider = new IAMRolesAnywhereSessionsCredentialsProvider
                .Builder(awsRolesAnywhereProperties, objectMapper)
                .asyncCredentialUpdateEnabled(true)   // refresh in the background before expiry
                .build();
        return rolesAnywhereCredentialsProvider;
    }

    // Variant 2: every setting is passed to the builder explicitly.
    // Note: two beans of the same type exist; Spring injects by parameter name here,
    // otherwise mark one @Primary or use @Qualifier.
    @Bean
    public AwsCredentialsProvider awsCredentialsProviderV2(final AwsRolesAnywhereProperties awsRolesAnywhereProperties,
                                                           final ObjectMapper objectMapper) {
        var rolesAnywhereCredentialsProvider = new IAMRolesAnywhereSessionsCredentialsProvider
                .Builder(objectMapper)
                .roleArn(awsRolesAnywhereProperties.getRoleArn())
                .profileArn(awsRolesAnywhereProperties.getProfileArn())
                .trustAnchorArn(awsRolesAnywhereProperties.getTrustAnchorArn())
                .encodedPrivateKey(awsRolesAnywhereProperties.getEncodedPrivateKey())
                .encodedX509Certificate(awsRolesAnywhereProperties.getEncodedX509Certificate())
                .durationSeconds(awsRolesAnywhereProperties.getDurationSeconds())
                .region(awsRolesAnywhereProperties.getRegion())
                .asyncCredentialUpdateEnabled(true)
                .prefetch(true)                        // fetch the first session eagerly
                .build();
        return rolesAnywhereCredentialsProvider;
    }

    // Pass the credentials provider to the service client as anyone would generally do.
    @Bean
    S3Client s3Client(final AwsCredentialsProvider awsCredentialsProvider,
                      final AwsRolesAnywhereProperties awsRolesAnywhereProperties) {
        return S3Client.builder()
                .credentialsProvider(awsCredentialsProvider)
                .region(Region.of(awsRolesAnywhereProperties.getRegion()))
                .build();
    }
}
Sample application properties, strictly coupled to AwsRolesAnywhereProperties:
# AWS account id
aws.account.id=111111111111
# AWS region for the aws roles anywhere, actual AWS resource client may use a different region
aws.roles.anywhere.region=us-east-1
# AWS IAM roles anywhere trusted role
aws.roles.anywhere.role-arn=arn:aws:iam::${aws.account.id}:role/ROLES_ANYWHERE_S3_READ_ONLY
# AWS IAM roles anywhere profile
aws.roles.anywhere.profile-arn=arn:aws:rolesanywhere:us-east-1:${aws.account.id}:profile/a-random-long-id
# AWS IAM roles anywhere trust anchor
aws.roles.anywhere.trust-anchor-arn=arn:aws:rolesanywhere:us-east-1:${aws.account.id}:trust-anchor/a-random-long-id
# AWS IAM roles anywhere session duration
aws.roles.anywhere.duration-seconds=900
# AWS IAM roles anywhere access related private key, in pem format, base 64 encoded
aws.roles.anywhere.encoded-private-key=removed for security and brevity
# AWS IAM roles anywhere access related X509 Cert, in pem format, base 64 encoded
aws.roles.anywhere.encoded-x509-certificate=removed for security and brevity
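Whether the signing helper or an SDK credentials provider like the one in the answer is used, the step both must perform is the same: sign an IAM Roles Anywhere CreateSession request with the X.509 certificate and its private key, and exchange it for temporary credentials. The Python script below is an added example, not code from the question, the answer or the linked repository. It builds that signed request following the X.509 variant of SigV4 that aws_signing_helper implements as I understand it (algorithm AWS4-X509-RSA-SHA256, the DER certificate base64-encoded in X-Amz-X509, the certificate serial number as the credential id, RSA PKCS#1 v1.5 over SHA-256 of the string-to-sign) and then verifies the signature locally the way the service would after validating the chain to the trust anchor. The self-signed certificate, ARNs and timestamp are constructed placeholders, the `cryptography` package is assumed to be installed, and nothing is sent to AWS.

```python
import base64
import datetime
import hashlib
import json

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

ALGORITHM = "AWS4-X509-RSA-SHA256"   # signing scheme for RSA certificates (assumed from the helper)
SERVICE = "rolesanywhere"


def build_create_session_request(cert, private_key, *, region, role_arn, profile_arn,
                                 trust_anchor_arn, duration_seconds, now=None):
    """Build the signed CreateSession request; returns url, headers, body and
    the string-to-sign so the signature can be checked without contacting AWS."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    host = f"rolesanywhere.{region}.amazonaws.com"
    body = json.dumps({"durationSeconds": duration_seconds, "profileArn": profile_arn,
                       "roleArn": role_arn, "trustAnchorArn": trust_anchor_arn},
                      separators=(",", ":"))

    # The end-entity certificate is sent base64(DER); the service checks it against the
    # trust anchor and uses its serial number where SigV4 would use an access key id.
    cert_b64 = base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()
    headers = {"content-type": "application/json", "host": host,
               "x-amz-date": amz_date, "x-amz-x509": cert_b64}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body.encode()).hexdigest()
    canonical_request = "\n".join(["POST", "/sessions", "", canonical_headers,
                                   signed_headers, payload_hash])

    scope = f"{now.strftime('%Y%m%d')}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])

    # No shared secret as in plain SigV4: the certificate's private key signs the string-to-sign.
    signature = private_key.sign(string_to_sign.encode(), padding.PKCS1v15(), hashes.SHA256()).hex()
    authorization = (f"{ALGORITHM} Credential={cert.serial_number}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"url": f"https://{host}/sessions",
            "headers": {**headers, "authorization": authorization},
            "body": body, "string_to_sign": string_to_sign}


def verify_request_signature(request, cert):
    """Verify the Authorization signature with the certificate's public key."""
    signature = bytes.fromhex(request["headers"]["authorization"].rsplit("Signature=", 1)[1])
    try:
        cert.public_key().verify(signature, request["string_to_sign"].encode(),
                                 padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def make_test_identity():
    """Constructed self-signed RSA certificate for demonstration only; a real workload
    uses a certificate issued by the CA registered as the trust anchor."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo-workload")])
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return cert, key


def demo_request():
    """Sign a request with constructed placeholder ARNs and a fixed timestamp."""
    cert, key = make_test_identity()
    account = "111111111111"
    request = build_create_session_request(
        cert, key, region="us-east-1",
        role_arn=f"arn:aws:iam::{account}:role/ROLES_ANYWHERE_S3_READ_ONLY",
        profile_arn=f"arn:aws:rolesanywhere:us-east-1:{account}:profile/a-random-long-id",
        trust_anchor_arn=f"arn:aws:rolesanywhere:us-east-1:{account}:trust-anchor/a-random-long-id",
        duration_seconds=900,
        now=datetime.datetime(2024, 5, 1, 12, 0, 0, tzinfo=datetime.timezone.utc))
    return request, cert


if __name__ == "__main__":
    req, cert = demo_request()
    print("POST", req["url"])
    print("Authorization:", req["headers"]["authorization"][:80] + "...")
    print("signature verifies:", verify_request_signature(req, cert))
```

A real client posts `body` to `url` with these headers and reads `credentialSet[0].credentials` (accessKeyId, secretAccessKey, sessionToken, expiration) from the JSON response; the session duration is bounded by the `durationSeconds` the profile allows, which is why a provider such as the one in the answer must refresh before `expiration` rather than cache indefinitely.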