tessl/maven-com-amazonaws--aws-java-sdk-sts
Java client library for Amazon Web Services Security Token Service (AWS STS) enabling temporary security credentials and federated user access
—
Pending
utilities.mddocs/
Utility Operations
Utility operations for debugging authorization failures, retrieving caller identity, and determining account ownership of access keys. These operations provide essential diagnostic and identity information for AWS STS workflows.
Capabilities
Caller Identity Retrieval
Returns details about the IAM user or role whose credentials are used to call the operation.
/**
* Returns details about the IAM user or role whose credentials are used to call the operation
* @param getCallerIdentityRequest Request object (no parameters required)
* @return Result containing user ID, account ID, and ARN of the calling entity
*/
GetCallerIdentityResult getCallerIdentity(GetCallerIdentityRequest getCallerIdentityRequest);Request and Result Types:
public class GetCallerIdentityRequest extends AmazonWebServiceRequest {
public GetCallerIdentityRequest();
// No parameters required
}
public class GetCallerIdentityResult {
public String getUserId();
public void setUserId(String userId);
public String getAccount();
public void setAccount(String account);
public String getArn();
public void setArn(String arn);
}Usage Examples:
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.model.*;
// Basic caller identity request
GetCallerIdentityRequest request = new GetCallerIdentityRequest();
GetCallerIdentityResult result = stsClient.getCallerIdentity(request);
System.out.println("User ID: " + result.getUserId());
System.out.println("Account: " + result.getAccount());
System.out.println("ARN: " + result.getArn());
// Example output for IAM user:
// User ID: AIDACKCEVSQ6C2EXAMPLE
// Account: 123456789012
// ARN: arn:aws:iam::123456789012:user/DevUser
// Example output for assumed role:
// User ID: AROAEXAMPLE:RoleSessionName
// Account: 123456789012
// ARN: arn:aws:sts::123456789012:assumed-role/MyRole/RoleSessionName
// Application identity verification
public class IdentityVerificationService {
private final AWSSecurityTokenService stsClient;
public IdentityVerificationService(AWSSecurityTokenService stsClient) {
this.stsClient = stsClient;
}
/**
* Verify current AWS credentials and return identity information
*/
public IdentityInfo verifyIdentity() {
try {
GetCallerIdentityResult result = stsClient.getCallerIdentity(
new GetCallerIdentityRequest()
);
return new IdentityInfo(
result.getUserId(),
result.getAccount(),
result.getArn(),
determineIdentityType(result.getArn())
);
} catch (Exception e) {
throw new RuntimeException("Failed to verify AWS identity", e);
}
}
private String determineIdentityType(String arn) {
if (arn.contains(":user/")) {
return "IAM_USER";
} else if (arn.contains(":assumed-role/")) {
return "ASSUMED_ROLE";
} else if (arn.contains(":federated-user/")) {
return "FEDERATED_USER";
} else if (arn.contains(":root")) {
return "ROOT_USER";
} else {
return "UNKNOWN";
}
}
public static class IdentityInfo {
private final String userId;
private final String account;
private final String arn;
private final String type;
public IdentityInfo(String userId, String account, String arn, String type) {
this.userId = userId;
this.account = account;
this.arn = arn;
this.type = type;
}
// Getters omitted for brevity
}
}Access Key Information Retrieval
Returns the account identifier for a specified access key ID.
/**
* Returns the account identifier for the specified access key ID
* @param getAccessKeyInfoRequest Request containing the access key ID to query
* @return Result containing the account identifier that owns the access key
*/
GetAccessKeyInfoResult getAccessKeyInfo(GetAccessKeyInfoRequest getAccessKeyInfoRequest);Request and Result Types:
public class GetAccessKeyInfoRequest extends AmazonWebServiceRequest {
public GetAccessKeyInfoRequest();
// Required parameter
public String getAccessKeyId();
public void setAccessKeyId(String accessKeyId);
public GetAccessKeyInfoRequest withAccessKeyId(String accessKeyId);
}
public class GetAccessKeyInfoResult {
public String getAccount();
public void setAccount(String account);
}Usage Examples:
// Check account ownership of an access key
String accessKeyId = "AKIAIOSFODNN7EXAMPLE";
GetAccessKeyInfoRequest request = new GetAccessKeyInfoRequest()
.withAccessKeyId(accessKeyId);
GetAccessKeyInfoResult result = stsClient.getAccessKeyInfo(request);
System.out.println("Access key belongs to account: " + result.getAccount());
// Access key validation service
public class AccessKeyValidationService {
private final AWSSecurityTokenService stsClient;
public AccessKeyValidationService(AWSSecurityTokenService stsClient) {
this.stsClient = stsClient;
}
/**
* Validate if an access key belongs to a specific account
*/
public boolean validateAccessKeyOwnership(String accessKeyId, String expectedAccount) {
try {
GetAccessKeyInfoRequest request = new GetAccessKeyInfoRequest()
.withAccessKeyId(accessKeyId);
GetAccessKeyInfoResult result = stsClient.getAccessKeyInfo(request);
return expectedAccount.equals(result.getAccount());
} catch (Exception e) {
System.err.println("Failed to validate access key: " + e.getMessage());
return false;
}
}
/**
* Determine access key type based on prefix
*/
public String getAccessKeyType(String accessKeyId) {
if (accessKeyId.startsWith("AKIA")) {
return "LONG_TERM"; // IAM user or root user
} else if (accessKeyId.startsWith("ASIA")) {
return "TEMPORARY"; // STS temporary credentials
} else {
return "UNKNOWN";
}
}
/**
* Comprehensive access key analysis
*/
public AccessKeyAnalysis analyzeAccessKey(String accessKeyId) {
try {
GetAccessKeyInfoResult result = stsClient.getAccessKeyInfo(
new GetAccessKeyInfoRequest().withAccessKeyId(accessKeyId)
);
return new AccessKeyAnalysis(
accessKeyId,
result.getAccount(),
getAccessKeyType(accessKeyId),
true // valid
);
} catch (Exception e) {
return new AccessKeyAnalysis(
accessKeyId,
null,
getAccessKeyType(accessKeyId),
false // invalid or inaccessible
);
}
}
public static class AccessKeyAnalysis {
private final String accessKeyId;
private final String account;
private final String type;
private final boolean valid;
public AccessKeyAnalysis(String accessKeyId, String account, String type, boolean valid) {
this.accessKeyId = accessKeyId;
this.account = account;
this.type = type;
this.valid = valid;
}
// Getters omitted for brevity
}
}Authorization Message Decoding
Decodes additional information about authorization status from encoded messages returned by AWS operations.
/**
* Decodes additional information about the authorization status of a request
* @param decodeAuthorizationMessageRequest Request containing the encoded message to decode
* @return Result containing the decoded authorization status message
* @throws InvalidAuthorizationMessageException If the message is invalid or contains invalid characters
*/
DecodeAuthorizationMessageResult decodeAuthorizationMessage(DecodeAuthorizationMessageRequest decodeAuthorizationMessageRequest);Request and Result Types:
public class DecodeAuthorizationMessageRequest extends AmazonWebServiceRequest {
public DecodeAuthorizationMessageRequest();
// Required parameter
public String getEncodedMessage();
public void setEncodedMessage(String encodedMessage);
public DecodeAuthorizationMessageRequest withEncodedMessage(String encodedMessage);
}
public class DecodeAuthorizationMessageResult {
public String getDecodedMessage();
public void setDecodedMessage(String decodedMessage);
}Usage Examples:
// Decode authorization failure message
String encodedMessage = "eyJDb250ZXh0IjogeyJBV1NVc2VySWQiOiAiQUlEQUlPU0ZPRE5ON0VYQU1QTEUi...";
DecodeAuthorizationMessageRequest request = new DecodeAuthorizationMessageRequest()
.withEncodedMessage(encodedMessage);
try {
DecodeAuthorizationMessageResult result = stsClient.decodeAuthorizationMessage(request);
String decodedMessage = result.getDecodedMessage();
System.out.println("Decoded authorization message:");
System.out.println(decodedMessage);
// Parse the JSON message for structured information
// The decoded message contains details like:
// - Whether request was denied due to explicit deny or absence of allow
// - Principal who made the request
// - Requested action and resource
// - Condition key values in the request context
} catch (InvalidAuthorizationMessageException e) {
System.err.println("Invalid authorization message: " + e.getMessage());
}
// Authorization debugging service
public class AuthorizationDebugService {
private final AWSSecurityTokenService stsClient;
public AuthorizationDebugService(AWSSecurityTokenService stsClient) {
this.stsClient = stsClient;
}
/**
* Decode and analyze authorization failure messages
*/
public AuthorizationAnalysis analyzeAuthorizationFailure(String encodedMessage) {
try {
DecodeAuthorizationMessageRequest request = new DecodeAuthorizationMessageRequest()
.withEncodedMessage(encodedMessage);
DecodeAuthorizationMessageResult result = stsClient.decodeAuthorizationMessage(request);
String decodedMessage = result.getDecodedMessage();
// Parse JSON message (implementation would use JSON parser)
return parseAuthorizationMessage(decodedMessage);
} catch (InvalidAuthorizationMessageException e) {
throw new RuntimeException("Cannot decode authorization message", e);
}
}
private AuthorizationAnalysis parseAuthorizationMessage(String decodedMessage) {
// Implementation would parse JSON and extract:
// - deny/allow status
// - principal information
// - requested action
// - resource ARN
// - condition context
return new AuthorizationAnalysis(
"EXPLICIT_DENY", // or "IMPLICIT_DENY"
"arn:aws:iam::123456789012:user/ExampleUser",
"s3:GetObject",
"arn:aws:s3:::example-bucket/key",
decodedMessage
);
}
public static class AuthorizationAnalysis {
private final String denyType;
private final String principal;
private final String action;
private final String resource;
private final String fullMessage;
public AuthorizationAnalysis(String denyType, String principal, String action,
String resource, String fullMessage) {
this.denyType = denyType;
this.principal = principal;
this.action = action;
this.resource = resource;
this.fullMessage = fullMessage;
}
// Getters omitted for brevity
}
}Utility Integration Patterns
Complete Identity and Authorization Service
/**
* Comprehensive service combining all utility operations
*/
public class AWSIdentityAndAuthService {
private final AWSSecurityTokenService stsClient;
public AWSIdentityAndAuthService(AWSSecurityTokenService stsClient) {
this.stsClient = stsClient;
}
/**
* Get complete context about current AWS session
*/
public SessionContext getCurrentSessionContext() {
GetCallerIdentityResult identity = stsClient.getCallerIdentity(
new GetCallerIdentityRequest()
);
return new SessionContext(
identity.getUserId(),
identity.getAccount(),
identity.getArn(),
System.currentTimeMillis()
);
}
/**
* Validate cross-account access key
*/
public boolean validateCrossAccountKey(String accessKeyId, String expectedAccount) {
try {
GetAccessKeyInfoResult result = stsClient.getAccessKeyInfo(
new GetAccessKeyInfoRequest().withAccessKeyId(accessKeyId)
);
return expectedAccount.equals(result.getAccount());
} catch (Exception e) {
return false;
}
}
/**
* Debug authorization failure with detailed analysis
*/
public void debugAuthorizationFailure(String encodedMessage) {
try {
DecodeAuthorizationMessageResult result = stsClient.decodeAuthorizationMessage(
new DecodeAuthorizationMessageRequest().withEncodedMessage(encodedMessage)
);
System.out.println("Authorization Failure Analysis:");
System.out.println("====================================");
System.out.println(result.getDecodedMessage());
// Additional structured analysis would go here
} catch (Exception e) {
System.err.println("Cannot decode authorization message: " + e.getMessage());
}
}
public static class SessionContext {
private final String userId;
private final String account;
private final String arn;
private final long timestamp;
public SessionContext(String userId, String account, String arn, long timestamp) {
this.userId = userId;
this.account = account;
this.arn = arn;
this.timestamp = timestamp;
}
// Getters omitted for brevity
}
}Error Handling Best Practices
/**
* Best practices for handling utility operation errors
*/
public class UtilityErrorHandling {
public void demonstrateErrorHandling(AWSSecurityTokenService stsClient) {
// GetCallerIdentity - generally doesn't fail if credentials are valid
try {
GetCallerIdentityResult identity = stsClient.getCallerIdentity(
new GetCallerIdentityRequest()
);
// Process successful result
} catch (AWSSecurityTokenServiceException e) {
// Handle invalid credentials or service errors
System.err.println("Identity verification failed: " + e.getMessage());
}
// GetAccessKeyInfo - can fail if key doesn't exist or no permission
try {
GetAccessKeyInfoResult keyInfo = stsClient.getAccessKeyInfo(
new GetAccessKeyInfoRequest().withAccessKeyId("AKIAEXAMPLE")
);
// Process successful result
} catch (AWSSecurityTokenServiceException e) {
// Handle invalid access key or permission issues
System.err.println("Access key lookup failed: " + e.getMessage());
}
// DecodeAuthorizationMessage - can fail with invalid message format
try {
DecodeAuthorizationMessageResult decoded = stsClient.decodeAuthorizationMessage(
new DecodeAuthorizationMessageRequest().withEncodedMessage("invalid-message")
);
// Process successful result
} catch (InvalidAuthorizationMessageException e) {
// Handle malformed encoded message
System.err.println("Cannot decode message: " + e.getMessage());
} catch (AWSSecurityTokenServiceException e) {
// Handle other service errors
System.err.println("Service error: " + e.getMessage());
}
}
}Install with Tessl CLI
npx tessl i tessl/maven-com-amazonaws--aws-java-sdk-sts