When working with AWS services you constantly send HTTP requests to them, for example CRUD operations against DynamoDB or uploading and downloading files in S3. AWS validates the credentials carried in each request and performs the requested operation only when that validation succeeds; this is what ties every API call to an identity and its permissions.
AWS Credentials
AWS credentials consist of the following four parts (the fourth is present only for temporary credentials):
```json
{
  "AccessKeyId" : "*************",
  "SecretAccessKey" : "*************************************",
  "Token" : "***************************************************************************",
  "Expiration" : "2021-11-12T10:51:36Z"
}
```
How to provide AWS credentials to the AWS Java SDK
- Use the default credentials provider chain: DefaultAWSCredentialsProviderChain
  - This is the approach AWS officially recommends
- Use a specific CredentialsProvider or CredentialsProviderChain; you can also build your own CredentialsProvider or CredentialsProviderChain to fit your needs
- Supply credentials directly; these can be root account credentials, IAM user credentials, or temporary credentials obtained from the AWS STS service
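The three options above, written out as an added example for the AWS SDK for Java v1 (the `com.amazonaws.*` packages this page quotes); this is illustration code, not code from the SDK or from the original post. A DynamoDB client is used as the service, and the region, profile name and role ARN passed in are placeholders chosen for the example.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;

/**
 * Added example (not SDK code): the three ways of handing credentials to an
 * AWS Java SDK v1 client, shown for DynamoDB. Region, profile name and role
 * ARN are placeholders for illustration.
 */
public class CredentialsWiring {

    private static final Regions REGION = Regions.US_EAST_1; // assumed region

    /** 1. The recommended default: DefaultAWSCredentialsProviderChain. */
    static AmazonDynamoDB withDefaultChain() {
        return AmazonDynamoDBClientBuilder.standard()
                .withRegion(REGION)
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .build();
    }

    /** 2a. One specific provider: only the named profile in ~/.aws/credentials. */
    static AmazonDynamoDB withNamedProfile(String profileName) {
        return AmazonDynamoDBClientBuilder.standard()
                .withRegion(REGION)
                .withCredentials(new ProfileCredentialsProvider(profileName))
                .build();
    }

    /**
     * 2b. A custom chain: environment variables first, then a role assumed
     * through STS. The chain stops at the first provider that returns credentials.
     */
    static AmazonDynamoDB withCustomChain(String roleArn) {
        AWSCredentialsProvider assumedRole =
                new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, "app-session").build();
        AWSCredentialsProviderChain chain = new AWSCredentialsProviderChain(
                new EnvironmentVariableCredentialsProvider(), assumedRole);
        return AmazonDynamoDBClientBuilder.standard()
                .withRegion(REGION)
                .withCredentials(chain)
                .build();
    }

    /**
     * 3. Credentials supplied directly. With a session token they are temporary
     * STS credentials; without one they are long-term IAM user keys. The static
     * provider never refreshes, so temporary credentials given this way simply
     * stop working once their Expiration passes.
     */
    static AmazonDynamoDB withExplicitCredentials(String accessKeyId, String secretAccessKey,
                                                  String sessionToken) {
        AWSCredentials creds = (sessionToken == null)
                ? new BasicAWSCredentials(accessKeyId, secretAccessKey)
                : new BasicSessionCredentials(accessKeyId, secretAccessKey, sessionToken);
        return AmazonDynamoDBClientBuilder.standard()
                .withRegion(REGION)
                .withCredentials(new AWSStaticCredentialsProvider(creds))
                .build();
    }

    public static void main(String[] args) {
        // Credentials are resolved lazily; the first request is the first one signed with them.
        AmazonDynamoDB client = withDefaultChain();
        System.out.println(client.listTables().getTableNames());
    }
}
```

Of the three, only the first keeps secrets out of application configuration entirely: on EC2 or ECS the default chain falls through to the role credentials the platform hands out, so nothing long-lived needs to be stored with the application.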
DefaultAWSCredentialsProviderChain
The DefaultAWSCredentialsProviderChain is made up of four CredentialsProviders, consulted in this order:
- EnvironmentVariableCredentialsProvider
  - Reads credentials from operating system environment variables
    - AWS_ACCESS_KEY_ID
    - AWS_SECRET_ACCESS_KEY
    - AWS_SESSION_TOKEN
  - Contains no refresh logic; if the token expires, you must update the values in the environment variables yourself
- SystemPropertiesCredentialsProvider
  - Reads credentials from Java system properties
    - aws.accessKeyId
    - aws.secretKey
    - aws.sessionToken
  - Contains no refresh logic; if the token expires, you must update the values in the Java system properties yourself
- ProfileCredentialsProvider
  - Reads credentials from the ~/.aws/credentials file
    [default]
    aws_access_key_id = ***
    aws_secret_access_key = *************
    aws_session_token = ********************************
- EC2ContainerCredentialsProviderWrapper
  - If the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable is set, it uses the credentials that the Amazon EC2 container service hands to the container
    - Container credentials can be read on EC2 by sending a request to:
      - http://169.254.170.2/${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}
      - ${AWS_CONTAINER_CREDENTIALS_FULL_URI}
  - Otherwise it uses the instance profile credentials handed out by the Amazon EC2 metadata service
    - Instance profile credentials can be read on EC2 by sending a request to:
      - http://169.254.169.254/latest/meta-data/iam/security-credentials/${ec2_role}
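The first two providers hand back whatever is in the environment or the system properties with no idea of the Expiration field, so a temporary token placed there is served until the first signed request is rejected. The following is an added example (not SDK code, not from the original post) of a provider that owns the refresh: it re-fetches temporary credentials shortly before they expire, keeps the old token only while it is still valid, and is placed ahead of the environment-variable provider in an AWSCredentialsProviderChain. The credential source is a hypothetical `Supplier` standing in for a call to STS or a secrets store, and the key, secret and token values in `main` are constructed placeholders.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

/**
 * Added example (not SDK code): a provider for temporary credentials that
 * refreshes them before the Expiration passes, which the environment-variable
 * and system-property providers do not do. The source Supplier is hypothetical
 * and stands in for STS / a secrets store.
 */
public class RefreshingSessionCredentialsProvider implements AWSCredentialsProvider {

    /** The four fields of the credentials JSON shown at the top of the page. */
    public static final class TemporaryCredentials {
        final String accessKeyId;
        final String secretAccessKey;
        final String token;
        final Instant expiration;

        public TemporaryCredentials(String accessKeyId, String secretAccessKey,
                                    String token, Instant expiration) {
            this.accessKeyId = accessKeyId;
            this.secretAccessKey = secretAccessKey;
            this.token = token;
            this.expiration = expiration;
        }
    }

    /** Refresh this far ahead of Expiration so no in-flight request is signed with a dead token. */
    private static final Duration REFRESH_MARGIN = Duration.ofMinutes(5);

    private final Supplier<TemporaryCredentials> source; // hypothetical fetch (STS, vault, ...)
    private TemporaryCredentials current;

    public RefreshingSessionCredentialsProvider(Supplier<TemporaryCredentials> source) {
        this.source = source;
    }

    private static boolean nearExpiry(TemporaryCredentials c) {
        return !c.expiration.isAfter(Instant.now().plus(REFRESH_MARGIN));
    }

    @Override
    public synchronized AWSCredentials getCredentials() {
        if (current == null || nearExpiry(current)) {
            try {
                refresh();
            } catch (RuntimeException e) {
                // Keep serving the old token only while it is still valid; otherwise fail loudly
                // so the chain can move on to the next provider instead of signing with a dead token.
                if (current == null || !current.expiration.isAfter(Instant.now())) {
                    throw e;
                }
            }
        }
        return new BasicSessionCredentials(current.accessKeyId, current.secretAccessKey, current.token);
    }

    @Override
    public synchronized void refresh() {
        TemporaryCredentials fresh = source.get();
        // Never cache something that is already unusable.
        if (fresh == null || nearExpiry(fresh)) {
            throw new IllegalStateException("credential source returned missing or expiring credentials");
        }
        current = fresh;
    }

    public static void main(String[] args) {
        // Constructed sample source: each call returns a token valid for one hour.
        Supplier<TemporaryCredentials> sampleSource = () -> new TemporaryCredentials(
                "ASIA_EXAMPLE_KEY_ID",        // constructed placeholder
                "example-secret-access-key",  // constructed placeholder
                "example-session-token",      // constructed placeholder
                Instant.now().plus(Duration.ofHours(1)));

        // The refreshing provider goes first; the environment variables are only a fallback.
        AWSCredentialsProviderChain chain = new AWSCredentialsProviderChain(
                new RefreshingSessionCredentialsProvider(sampleSource),
                new EnvironmentVariableCredentialsProvider());

        AWSCredentials creds = chain.getCredentials();
        System.out.println("signing with access key " + creds.getAWSAccessKeyId());
    }
}
```

Because AWSCredentialsProviderChain remembers the first provider that succeeded (reuseLastProvider, see below), the refresh has to live inside getCredentials as it does here; a provider that only refreshed on an external trigger would keep being asked and keep returning the stale token.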
```java
package com.amazonaws.auth;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

/**
 * AWS credentials provider chain that looks for credentials in this order:
 * <ul>
 *   <li>Environment Variables -
 *      <code>AWS_ACCESS_KEY_ID</code> and <code>AWS_SECRET_ACCESS_KEY</code>
 *      (RECOMMENDED since they are recognized by all the AWS SDKs and CLI except for .NET),
 *      or <code>AWS_ACCESS_KEY</code> and <code>AWS_SECRET_KEY</code> (only recognized by Java SDK)
 *   </li>
 *   <li>Java System Properties - aws.accessKeyId and aws.secretKey</li>
 *   <li>Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI</li>
 *   <li>Credentials delivered through the Amazon EC2 container service if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set
 *   and security manager has permission to access the variable,</li>
 *   <li>Instance profile credentials delivered through the Amazon EC2 metadata service</li>
 * </ul>
 *
 * @see EnvironmentVariableCredentialsProvider
 * @see SystemPropertiesCredentialsProvider
 * @see ProfileCredentialsProvider
 * @see EC2ContainerCredentialsProviderWrapper
 */
public class DefaultAWSCredentialsProviderChain extends AWSCredentialsProviderChain {

    private static final DefaultAWSCredentialsProviderChain INSTANCE
        = new DefaultAWSCredentialsProviderChain();

    public DefaultAWSCredentialsProviderChain() {
        super(new EnvironmentVariableCredentialsProvider(),
              new SystemPropertiesCredentialsProvider(),
              new ProfileCredentialsProvider(),
              new EC2ContainerCredentialsProviderWrapper());
    }

    public static DefaultAWSCredentialsProviderChain getInstance() {
       return INSTANCE;
    }
}
```
AWSCredentialsProviderChain
```java
package com.amazonaws.auth;

import java.util.LinkedList;
import java.util.List;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import com.amazonaws.SdkClientException;

/**
 * {@link AWSCredentialsProvider} implementation that chains together multiple
 * credentials providers. When a caller first requests credentials from this provider,
 * it calls all the providers in the chain, in the original order specified,
 * until one can provide credentials, and then returns those credentials. If all
 * of the credential providers in the chain have been called, and none of them
 * can provide credentials, then this class will throw an exception indicating
 * that no credentials are available.
 * <p>
 * By default, this class will remember the first credentials provider in the chain
 * that was able to provide credentials, and will continue to use that provider when
 * credentials are requested in the future, instead of traversing the chain each time.
 * This behavior can be controlled through the {@link #setReuseLastProvider(boolean)} method.
 */
public class AWSCredentialsProviderChain implements AWSCredentialsProvider {

    private static final Log log = LogFactory.getLog(AWSCredentialsProviderChain.class);

    private final List<AWSCredentialsProvider> credentialsProviders =
            new LinkedList<AWSCredentialsProvider>();

    private boolean reuseLastProvider = true;
    private AWSCredentialsProvider lastUsedProvider;

    /**
     * Constructs a new AWSCredentialsProviderChain with the specified credential providers. When
     * credentials are requested from this provider, it will call each of these credential providers
     * in the same order specified here until one of them returns AWS security credentials.
     *
     * @param credentialsProviders
     *            The chain of credentials providers.
     */
    public AWSCredentialsProviderChain(List<? extends AWSCredentialsProvider> credentialsProviders) {
        if (credentialsProviders == null || credentialsProviders.size() == 0) {
            throw new IllegalArgumentException("No credential providers specified");
        }
        this.credentialsProviders.addAll(credentialsProviders);
    }

    /**
     * Constructs a new AWSCredentialsProviderChain with the specified credential providers. When
     * credentials are requested from this provider, it will call each of these credential providers
     * in the same order specified here until one of them returns AWS security credentials.
     *
     * @param credentialsProviders
     *            The chain of credentials providers.
     */
    public AWSCredentialsProviderChain(AWSCredentialsProvider... credentialsProviders) {
        if (credentialsProviders == null || credentialsProviders.length == 0) {
            throw new IllegalArgumentException("No credential pr
```