Core foundational library for AWS SDK for Java 1.x providing authentication, HTTP transport, regions, protocols, and shared utilities for all AWS service clients
—
The AWS Java SDK Core provides comprehensive authentication and credential management capabilities, supporting multiple credential sources and automatic credential provider chains.
// Basic AWS credentials interface
// Both getters return the key material as plain Strings, so the value of
// getAWSSecretKey() is secret data: keep it out of logs, exception messages
// and the toString() output of any object that wraps it.
interface AWSCredentials {
String getAWSAccessKeyId();
String getAWSSecretKey();
}
// Session-based credentials with temporary token
// The session token is part of the credential and should be protected the same
// way as the secret key.
interface AWSSessionCredentials extends AWSCredentials {
String getSessionToken();
}
// Refreshable session credentials
interface AWSRefreshableSessionCredentials extends AWSSessionCredentials {
void refresh();
}
// Account ID aware credentials
interface AccountIdAware {
String getAccountId();
}
// Provider name aware credentials
interface ProviderNameAware {
String getProviderName();
}// Basic access key and secret key credentials
// Carries the access key and secret key given to the constructor. The caller
// decides where those values come from; passing string literals puts a
// long-lived secret into source control and build artifacts.
class BasicAWSCredentials implements AWSCredentials {
public BasicAWSCredentials(String accessKey, String secretKey);
public String getAWSAccessKeyId();
public String getAWSSecretKey();
}
// Session credentials with temporary token
class BasicSessionCredentials extends BasicAWSCredentials
implements AWSSessionCredentials {
public BasicSessionCredentials(String accessKey, String secretKey, String sessionToken);
public String getSessionToken();
}
// Anonymous credentials (no authentication)
// Both getters return null, so requests made with these credentials carry no
// caller identity. Appropriate only for resources that are intentionally open
// to unauthenticated access.
class AnonymousAWSCredentials implements AWSCredentials {
public String getAWSAccessKeyId(); // Returns null
public String getAWSSecretKey(); // Returns null
}
// Credentials from properties file
// The file or stream holds the access key and secret key in clear text. Keep
// the file outside the source tree and restrict its permissions to the owning
// account.
// NOTE(review): whether the InputStream constructor closes the stream is not
// shown here — confirm before relying on it.
class PropertiesCredentials implements AWSCredentials {
public PropertiesCredentials(File file) throws FileNotFoundException, IOException;
public PropertiesCredentials(InputStream inputStream) throws IOException;
public String getAWSAccessKeyId();
public String getAWSSecretKey();
}
// Base credential provider interface
interface AWSCredentialsProvider {
AWSCredentials getCredentials();
void refresh();
}
// Session credential provider interface
interface AWSSessionCredentialsProvider {
AWSSessionCredentials getCredentials();
void refresh();
}// Static credential provider
// Wraps the single credentials object given to the constructor.
// NOTE(review): refresh() presumably has nothing to reload for a fixed
// credentials object, so rotating the key would mean constructing a new
// provider — confirm.
class AWSStaticCredentialsProvider implements AWSCredentialsProvider {
public AWSStaticCredentialsProvider(AWSCredentials credentials);
public AWSCredentials getCredentials();
public void refresh();
}
// Environment variable provider
// Reads the AWS_* environment variables listed on this page. Environment
// variables are inherited by child processes and are often captured in crash
// dumps and diagnostic output, so scope them to the process that needs them.
class EnvironmentVariableCredentialsProvider implements AWSCredentialsProvider {
public AWSCredentials getCredentials();
public void refresh();
public String toString();
}
// System properties provider
// Reads the aws.* system properties listed on this page. Properties passed as
// -D arguments on the java command line are visible in the process listing to
// other local users, so avoid supplying secrets that way.
class SystemPropertiesCredentialsProvider implements AWSCredentialsProvider {
public AWSCredentials getCredentials();
public void refresh();
public String toString();
}
// AWS profile provider
// Loads a named profile from a credentials file; the two-argument constructor
// takes the file location as profilesConfigFilePath. The file stores keys in
// clear text, so it should be readable only by its owner.
class ProfileCredentialsProvider implements AWSCredentialsProvider {
public ProfileCredentialsProvider();
public ProfileCredentialsProvider(String profileName);
public ProfileCredentialsProvider(String profilesConfigFilePath, String profileName);
public AWSCredentials getCredentials();
public void refresh();
}
// EC2 instance profile provider
// Obtains the temporary credentials of the IAM role attached to the instance
// from the instance metadata service, so no key is stored on disk. Any process
// on the instance that can reach that service can obtain the same credentials;
// keep the role's permissions minimal and require IMDSv2 where possible.
// NOTE(review): refreshCredentialsAsync presumably enables background refresh —
// confirm against the SDK Javadoc.
class InstanceProfileCredentialsProvider implements AWSCredentialsProvider {
public static InstanceProfileCredentialsProvider getInstance();
public InstanceProfileCredentialsProvider();
public InstanceProfileCredentialsProvider(boolean refreshCredentialsAsync);
public AWSCredentials getCredentials();
public void refresh();
}
// ECS container credentials provider
// NOTE(review): the endpoint supplied through CredentialsEndpointProvider is
// where credentials are fetched from, so it should be a fixed, trusted address
// and never derived from untrusted input — confirm how the SDK validates it.
class ContainerCredentialsProvider implements AWSCredentialsProvider {
public ContainerCredentialsProvider();
public ContainerCredentialsProvider(CredentialsEndpointProvider credentialsEndpointProvider);
public AWSCredentials getCredentials();
public void refresh();
}
// EC2/ECS wrapper provider
class EC2ContainerCredentialsProviderWrapper implements AWSCredentialsProvider {
public AWSCredentials getCredentials();
public void refresh();
}
// Classpath properties file provider
// A credentials file on the classpath is normally packaged into the
// application archive, where anyone with access to the artifact can read the
// keys. Prefer a provider that reads from the runtime environment.
class ClasspathPropertiesFileCredentialsProvider implements AWSCredentialsProvider {
public ClasspathPropertiesFileCredentialsProvider();
public ClasspathPropertiesFileCredentialsProvider(String credentialsFilePath);
public AWSCredentials getCredentials();
public void refresh();
}
// Properties file provider
// credentialsFilePath points at a clear-text key file; keep it outside the
// repository and the deployment archive, readable only by the service account.
class PropertiesFileCredentialsProvider implements AWSCredentialsProvider {
public PropertiesFileCredentialsProvider(String credentialsFilePath);
public AWSCredentials getCredentials();
public void refresh();
}
// Web identity token provider
// Used for assume-role-with-web-identity; the builder example on this page
// takes a role ARN, a session name and a token file. The token file is itself
// a credential for assuming the role, so restrict read access to it.
class WebIdentityTokenCredentialsProvider implements AWSSessionCredentialsProvider {
public static WebIdentityTokenCredentialsProvider create();
public static WebIdentityTokenCredentialsProvider.Builder builder();
public AWSSessionCredentials getCredentials();
public void refresh();
}
// Default credential provider chain
// Tries several credential sources in a fixed order and uses the first one
// that yields credentials. A leftover environment variable or system property
// can therefore take precedence over an instance or task role; when diagnosing
// unexpected access, check which source actually supplied the credentials.
class DefaultAWSCredentialsProviderChain extends AWSCredentialsProviderChain {
public static DefaultAWSCredentialsProviderChain getInstance();
public AWSCredentials getCredentials();
public void refresh();
}
// Custom credential provider chain
// Providers are consulted in the order given to the constructor; leave out
// sources the deployment never uses so that a stray value cannot be picked up.
// NOTE(review): setReuseLastProviderEnabled presumably controls whether the
// provider that last succeeded is reused on later calls — confirm.
class AWSCredentialsProviderChain implements AWSCredentialsProvider {
public AWSCredentialsProviderChain(AWSCredentialsProvider... credentialsProviders);
public AWSCredentials getCredentials();
public void refresh();
public void setReuseLastProviderEnabled(boolean reuseLastProviderEnabled);
}
import com.amazonaws.auth.*;
// Option 1: Use default credential provider chain (recommended)
AWSCredentialsProvider credentialsProvider =
DefaultAWSCredentialsProviderChain.getInstance();
// Option 2: Static credentials (not recommended for production)
// "accessKey" and "secretKey" are placeholders. Real values must come from
// configuration or a secret store at run time, never from literals in source.
AWSCredentials credentials = new BasicAWSCredentials("accessKey", "secretKey");
AWSCredentialsProvider staticProvider = new AWSStaticCredentialsProvider(credentials);
// Option 3: Specific provider
AWSCredentialsProvider profileProvider = new ProfileCredentialsProvider("my-profile");
// Option 4: Custom chain
// Providers are tried in the order listed.
AWSCredentialsProviderChain customChain = new AWSCredentialsProviderChain(
new EnvironmentVariableCredentialsProvider(),
new SystemPropertiesCredentialsProvider(),
new ProfileCredentialsProvider(),
new InstanceProfileCredentialsProvider()
);
import com.amazonaws.auth.*;
// Create session credentials with token
// The three literals are placeholders; temporary credentials expire, so obtain
// them at run time rather than embedding them.
AWSSessionCredentials sessionCredentials = new BasicSessionCredentials(
"accessKey", "secretKey", "sessionToken"
);
// Web identity token provider (for assume role with web identity)
WebIdentityTokenCredentialsProvider webIdentityProvider =
WebIdentityTokenCredentialsProvider.builder()
.roleArn("arn:aws:iam::123456789012:role/MyRole")
.roleSessionName("MySession")
.webIdentityTokenFile("/path/to/token/file")
.build();

The SDK recognizes these environment variables:
- AWS_ACCESS_KEY_ID - AWS access key
- AWS_SECRET_ACCESS_KEY - AWS secret key
- AWS_SESSION_TOKEN - AWS session token (for temporary credentials)
- AWS_PROFILE - AWS profile name
- AWS_CREDENTIAL_PROFILES_FILE - Custom credentials file location

The SDK recognizes these system properties:
- aws.accessKeyId - AWS access key
- aws.secretKey - AWS secret key
- aws.sessionToken - AWS session token

// Base signer interface
interface Signer {
void sign(Request<?> request, AWSCredentials credentials);
}
// Presigner interface for generating presigned URLs
// A presigned request can be used by anyone who holds it until the expiration
// passes, with the permissions of the signing credentials. Keep the expiration
// short and treat the resulting URL as a secret; URLs tend to end up in logs
// and browser history.
interface Presigner {
void presignRequest(Request<?> request, AWSCredentials credentials, Date expiration);
}
// Request signer interface
interface RequestSigner {
void sign(Request<?> request);
}// AWS Signature Version 4 signer
// Signature Version 4 scopes a signature to a region and a service, which are
// set here through setRegionName and setServiceName.
// NOTE(review): doubleUrlEncode presumably controls whether the request path
// is URL-encoded twice when it is canonicalized — confirm against the SDK
// Javadoc before changing the default.
class AWS4Signer implements Signer, RegionAwareSigner, ServiceAwareSigner {
public AWS4Signer();
public AWS4Signer(boolean doubleUrlEncode);
public void setRegionName(String regionName);
public void setServiceName(String serviceName);
public void sign(Request<?> request, AWSCredentials credentials);
}
// AWS SigV4 with unsigned payload
// The request body is not covered by the signature, so the signature does not
// detect modification of the body in transit. Use only over TLS.
class AWS4UnsignedPayloadSigner extends AWS4Signer {
public void sign(Request<?> request, AWSCredentials credentials);
}
// AWS Signature Version 3 signer
class AWS3Signer implements Signer {
public void sign(Request<?> request, AWSCredentials credentials);
}
// Query string signer for URL parameters
class QueryStringSigner implements Signer {
public void sign(Request<?> request, AWSCredentials credentials);
}
// No-operation signer (no signing)
// Requests pass through without a signature, so the service sees them as
// unauthenticated. Selecting this signer for an endpoint that expects signed
// requests is a misconfiguration worth catching in review.
class NoOpSigner implements Signer {
public void sign(Request<?> request, AWSCredentials credentials);
}
// Region-aware signer
interface RegionAwareSigner extends Signer {
void setRegionName(String regionName);
}
// Service-aware signer
interface ServiceAwareSigner extends Signer {
void setServiceName(String serviceName);
}
// Endpoint prefix aware signer
interface EndpointPrefixAwareSigner extends Signer {
void setEndpointPrefix(String endpointPrefix);
}
// Region from endpoint resolver aware signer
interface RegionFromEndpointResolverAwareSigner extends Signer {
void setRegionFromEndpointResolver(Region region);
}
// Signer type awareness
interface SignerTypeAware {
void setSignerType(String signerType);
}
// Marker for handling null credentials
interface CanHandleNullCredentials {
// Marker interface - no methods
}// Signer parameters
class SignerParams {
public String getRegionName();
public String getServiceName();
public Date getSigningDate();
public AWSCredentials getCredentials();
}
// Static signer provider
class StaticSignerProvider implements RequestSigner {
public StaticSignerProvider(Signer signer);
public void sign(Request<?> request);
}
// Signing algorithms enumeration
// Signature Version 4 uses HmacSHA256.
// NOTE(review): HmacSHA1 is presumably retained for the older signature
// versions listed in SignatureVersion — confirm before selecting it for new code.
enum SigningAlgorithm {
HmacSHA1("HmacSHA1"),
HmacSHA256("HmacSHA256");
public String toString();
}
// Signature versions
enum SignatureVersion {
V1, V2, V3, V4
}
// SDK clock interface
interface SdkClock {
Date currentDate();
}// IAM policy representation
// NOTE(review): in the 1.x SDK the single-String constructor is documented as
// taking a policy id, with JSON parsed through Policy.fromJson — confirm the
// parameter meaning before passing JSON to the constructor.
// A policy defines who may access a resource, so policy text that originates
// outside the application should be reviewed before it is attached.
class Policy {
public Policy();
public Policy(String json);
public String getId();
public Policy withId(String id);
public List<Statement> getStatements();
public Policy withStatements(Statement... statements);
public String toJson();
}
// Policy statement
class Statement {
public Statement(Effect effect);
public String getId();
public Statement withId(String id);
public Effect getEffect();
public Statement withEffect(Effect effect);
public List<Principal> getPrincipals();
public Statement withPrincipals(Principal... principals);
public List<Action> getActions();
public Statement withActions(Action... actions);
public List<Resource> getResources();
public Statement withResources(Resource... resources);
public List<Condition> getConditions();
public Statement withConditions(Condition... conditions);
enum Effect { Allow, Deny }
}
// Policy principal (user, role, service)
// The "*" value matches every caller, including unauthenticated ones. An Allow
// statement with that principal makes the resource public unless its
// conditions restrict access.
class Principal {
public Principal(String provider, String id);
public Principal(Services service);
public String getProvider();
public String getId();
public Services getService();
enum Services {
AmazonEC2("ec2.amazonaws.com"),
AWSLambda("lambda.amazonaws.com"),
AllUsers("*");
public String getServiceId();
}
}
// Policy action interface
interface Action {
String getActionName();
}
// Policy resource
class Resource {
public Resource(String resource);
public String getResource();
}
// Policy condition
class Condition {
public String getType();
public String getConditionKey();
public List<String> getValues();
}// String-based conditions
class StringCondition extends Condition {
public static StringCondition StringEquals(String key, String value);
public static StringCondition StringNotEquals(String key, String value);
public static StringCondition StringLike(String key, String value);
public static StringCondition StringNotLike(String key, String value);
}
// Numeric conditions
class NumericCondition extends Condition {
public static NumericCondition NumericEquals(String key, String value);
public static NumericCondition NumericNotEquals(String key, String value);
public static NumericCondition NumericLessThan(String key, String value);
public static NumericCondition NumericLessThanEquals(String key, String value);
public static NumericCondition NumericGreaterThan(String key, String value);
public static NumericCondition NumericGreaterThanEquals(String key, String value);
}
// Date conditions
class DateCondition extends Condition {
public static DateCondition DateEquals(String key, Date value);
public static DateCondition DateNotEquals(String key, Date value);
public static DateCondition DateLessThan(String key, Date value);
public static DateCondition DateLessThanEquals(String key, Date value);
public static DateCondition DateGreaterThan(String key, Date value);
public static DateCondition DateGreaterThanEquals(String key, Date value);
}
// Boolean conditions
class BooleanCondition extends Condition {
public static BooleanCondition Bool(String key, boolean value);
}
// IP address conditions
class IpAddressCondition extends Condition {
public static IpAddressCondition IpAddress(String key, String ipAddressRange);
public static IpAddressCondition NotIpAddress(String key, String ipAddressRange);
}
// ARN conditions
class ArnCondition extends Condition {
public static ArnCondition ArnEquals(String key, String arn);
public static ArnCondition ArnLike(String key, String arn);
public static ArnCondition ArnNotEquals(String key, String arn);
public static ArnCondition ArnNotLike(String key, String arn);
}
// Condition factory
class ConditionFactory {
public static Condition newCondition(String type, String key, String value);
public static StringCondition newStringCondition(StringComparisonType comparisonType,
String key, String value);
public static NumericCondition newNumericCondition(NumericComparisonType comparisonType,
String key, String value);
public static DateCondition newDateCondition(DateComparisonType comparisonType,
String key, Date value);
public static BooleanCondition newBooleanCondition(String key, boolean value);
public static IpAddressCondition newIpAddressCondition(String key, String ipAddressRange);
public static ArnCondition newArnCondition(ArnComparisonType comparisonType,
String key, String arn);
}import com.amazonaws.auth.policy.*;
// Create a simple policy
// This statement lets any caller (Principal.AllUsers) read every object under
// my-bucket. The only restriction is the aws:Referer condition, and the
// Referer header is chosen by the client, so it discourages casual hot-linking
// but does not authenticate anyone. Use this pattern only for content that may
// be public.
Policy policy = new Policy()
.withStatements(
new Statement(Statement.Effect.Allow)
.withPrincipals(Principal.AllUsers)
.withActions(new Action() {
public String getActionName() { return "s3:GetObject"; }
})
.withResources(new Resource("arn:aws:s3:::my-bucket/*"))
.withConditions(
StringCondition.StringEquals("aws:Referer", "http://www.example.com/*")
)
);
String policyJson = policy.toJson();
import com.amazonaws.auth.*;
public class CustomCredentialsProvider implements AWSCredentialsProvider {
@Override
public AWSCredentials getCredentials() {
    // Resolve the key pair from the custom source on every call: access key
    // first, then secret key. Neither value should be logged.
    return new BasicAWSCredentials(
        getAccessKeyFromCustomSource(),
        getSecretKeyFromCustomSource());
}
@Override
public void refresh() {
// Custom refresh logic
// Left empty in this example: getCredentials() reads from the custom source
// on every call, so nothing is cached here.
}
private String getAccessKeyFromCustomSource() {
// Implementation specific to your credential source
// The literal below is a placeholder for that lookup, not a pattern to copy.
return "your-access-key";
}
private String getSecretKeyFromCustomSource() {
// Implementation specific to your credential source
// Placeholder only: a real implementation reads the secret from a protected
// store at run time and never returns a value compiled into the class.
return "your-secret-key";
}
}

Use Default Credential Provider Chain: Always start with DefaultAWSCredentialsProviderChain.getInstance() for automatic credential resolution.
Avoid Hardcoded Credentials: Never hardcode credentials in source code. Use environment variables, profiles, or IAM roles.
Use IAM Roles: For EC2 instances and ECS containers, use IAM roles instead of storing credentials.
Rotate Credentials: Regularly rotate access keys and use temporary credentials when possible.
Secure Credential Files: Ensure credential files have restrictive file permissions (mode 600, readable and writable by the owner only).
Profile Management: Use named profiles for different environments and applications.
Session Credentials: Use session credentials for temporary access and assume role operations.
The authentication system provides comprehensive support for all AWS credential types and sources, enabling secure and flexible authentication for AWS service operations.