or run

tessl search
Log in

Version

Files

docs

amazon-cloudwatch.mdamazon-dynamodb.mdamazon-ec2.mdamazon-s3.mdauthentication.mdaws-iam.mdaws-lambda.mdclient-management.mderror-handling.mdindex.md
tile.json

authentication.mddocs/

Authentication

Credential management system supporting multiple authentication methods including environment variables, credential files, IAM roles, and federation.

Capabilities

AWS Credentials Provider Interface

Base interface for all credential providers with automatic refresh capability.

/**
 * Interface for providing AWS credentials with refresh support
 */
public interface AWSCredentialsProvider {
    /**
     * Returns the current AWS credentials for this provider
     * @return Current credentials
     * @throws AmazonClientException If credentials cannot be obtained
     */
    AWSCredentials getCredentials();
    
    /**
     * Forces a refresh of the credentials from the underlying source
     */
    void refresh();
}

/**
 * Basic AWS credentials containing access key and secret key
 */
public interface AWSCredentials {
    /**
     * Returns the AWS access key ID
     * @return Access key ID
     */
    String getAWSAccessKeyId();
    
    /**
     * Returns the AWS secret access key
     * @return Secret access key
     */
    String getAWSSecretKey();
}

/**
 * Extended credentials interface supporting session tokens
 */
public interface AWSSessionCredentials extends AWSCredentials {
    /**
     * Returns the session token for temporary credentials
     * @return Session token
     */
    String getSessionToken();
}

Default Credentials Provider Chain

Standard credential provider that attempts multiple credential sources in order of precedence.

/**
 * Default AWS credentials provider chain that searches for credentials in this order:
 * 1. Environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)
 * 2. Java system properties (aws.accessKeyId and aws.secretKey)
 * 3. Web Identity Token credentials from environment or container
 * 4. Credential profiles file (~/.aws/credentials)
 * 5. Amazon ECS container credentials
 * 6. Instance profile credentials from EC2 metadata service
 */
public class DefaultAWSCredentialsProviderChain implements AWSCredentialsProvider {
    /**
     * Creates a new default credentials provider chain
     */
    public DefaultAWSCredentialsProviderChain();
    
    /**
     * Gets credentials from the first available provider in the chain
     * @return AWS credentials from first successful provider
     * @throws AmazonClientException If no credentials found in any provider
     */
    public AWSCredentials getCredentials();
    
    /**
     * Refreshes credentials from all providers in the chain
     */
    public void refresh();
}

Usage Examples:

import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;

// Most common usage - let SDK auto-discover credentials
AWSCredentialsProvider credentialsProvider = new DefaultAWSCredentialsProviderChain();

// Use with any service client
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
    .withCredentials(credentialsProvider)
    .withRegion(Regions.US_EAST_1)
    .build();

// Manual credential check
try {
    AWSCredentials credentials = credentialsProvider.getCredentials();
    System.out.println("Access Key: " + credentials.getAWSAccessKeyId());
} catch (AmazonClientException e) {
    System.err.println("No credentials found: " + e.getMessage());
}

Environment Variable Credentials Provider

Reads credentials from environment variables.

/**
 * Credentials provider that reads from environment variables:
 * - AWS_ACCESS_KEY_ID
 * - AWS_SECRET_ACCESS_KEY
 * - AWS_SESSION_TOKEN (optional, for temporary credentials)
 */
public class EnvironmentVariableCredentialsProvider implements AWSCredentialsProvider {
    /**
     * Creates a new environment variable credentials provider
     */
    public EnvironmentVariableCredentialsProvider();
    
    /**
     * Gets credentials from environment variables
     * @return Credentials from environment
     * @throws AmazonClientException If required environment variables not set
     */
    public AWSCredentials getCredentials();
    
    /**
     * Refreshes credentials by re-reading environment variables
     */
    public void refresh();
}

System Properties Credentials Provider

Reads credentials from Java system properties.

/**
 * Credentials provider that reads from Java system properties:
 * - aws.accessKeyId
 * - aws.secretKey
 * - aws.sessionToken (optional, for temporary credentials)
 */
public class SystemPropertiesCredentialsProvider implements AWSCredentialsProvider {
    /**
     * Creates a new system properties credentials provider
     */
    public SystemPropertiesCredentialsProvider();
    
    /**
     * Gets credentials from system properties
     * @return Credentials from system properties
     * @throws AmazonClientException If required system properties not set
     */
    public AWSCredentials getCredentials();
    
    /**
     * Refreshes credentials by re-reading system properties
     */
    public void refresh();
}

Profile Credentials Provider

Reads credentials from AWS credentials file (~/.aws/credentials).

/**
 * Credentials provider that reads from AWS credentials file
 * Default location: ~/.aws/credentials
 */
public class ProfileCredentialsProvider implements AWSCredentialsProvider {
    /**
     * Creates provider using 'default' profile
     */
    public ProfileCredentialsProvider();
    
    /**
     * Creates provider using specified profile name
     * @param profileName Name of the profile to use
     */
    public ProfileCredentialsProvider(String profileName);
    
    /**
     * Creates provider with custom credentials file path
     * @param credentialsFilePath Path to credentials file
     * @param profileName Name of the profile to use
     */
    public ProfileCredentialsProvider(String credentialsFilePath, String profileName);
    
    /**
     * Gets credentials from the specified profile
     * @return Credentials from profile
     * @throws AmazonClientException If profile not found or invalid
     */
    public AWSCredentials getCredentials();
    
    /**
     * Refreshes credentials by re-reading the credentials file
     */
    public void refresh();
}

Usage Examples:

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

// Use default profile
ProfileCredentialsProvider defaultProfile = new ProfileCredentialsProvider();

// Use specific profile
ProfileCredentialsProvider devProfile = new ProfileCredentialsProvider("development");

// Use custom credentials file
ProfileCredentialsProvider customProfile = new ProfileCredentialsProvider(
    "/path/to/custom/credentials", 
    "production"
);

// Example credentials file format:
// [default]
// aws_access_key_id = YOUR_ACCESS_KEY
// aws_secret_access_key = YOUR_SECRET_KEY
//
// [development]
// aws_access_key_id = DEV_ACCESS_KEY
// aws_secret_access_key = DEV_SECRET_KEY
// aws_session_token = OPTIONAL_SESSION_TOKEN

Static Credentials Provider

Wraps static AWS credentials for programmatic configuration.

/**
 * Credentials provider that wraps static AWSCredentials
 */
public class AWSStaticCredentialsProvider implements AWSCredentialsProvider {
    /**
     * Creates provider with static credentials
     * @param credentials Static credentials to provide
     */
    public AWSStaticCredentialsProvider(AWSCredentials credentials);
    
    /**
     * Returns the static credentials
     * @return Static credentials provided in constructor
     */
    public AWSCredentials getCredentials();
    
    /**
     * No-op for static credentials
     */
    public void refresh();
}

/**
 * Basic implementation of AWSCredentials
 */
public class BasicAWSCredentials implements AWSCredentials {
    /**
     * Creates basic credentials with access key and secret key
     * @param accessKey AWS access key ID
     * @param secretKey AWS secret access key
     */
    public BasicAWSCredentials(String accessKey, String secretKey);
    
    public String getAWSAccessKeyId();
    public String getAWSSecretKey();
}

/**
 * Session credentials with temporary token
 */
public class BasicSessionCredentials implements AWSSessionCredentials {
    /**
     * Creates session credentials with access key, secret key, and session token
     * @param accessKey AWS access key ID
     * @param secretKey AWS secret access key
     * @param sessionToken Temporary session token
     */
    public BasicSessionCredentials(String accessKey, String secretKey, String sessionToken);
    
    public String getAWSAccessKeyId();
    public String getAWSSecretKey();
    public String getSessionToken();
}

Usage Examples:

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;

// Static long-term credentials (not recommended for production)
BasicAWSCredentials basicCredentials = new BasicAWSCredentials(
    "AKIAIOSFODNN7EXAMPLE", 
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
);
AWSStaticCredentialsProvider staticProvider = new AWSStaticCredentialsProvider(basicCredentials);

// Static temporary credentials with session token
BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "AQoDYXdzEJr...<remainder of session token>"
);
AWSStaticCredentialsProvider sessionProvider = new AWSStaticCredentialsProvider(sessionCredentials);

Container and Instance Metadata Credentials

Credentials provider for ECS containers and EC2 instances using metadata services.

/**
 * Credentials provider wrapper that handles both ECS container credentials
 * and EC2 instance profile credentials via metadata services
 */
public class EC2ContainerCredentialsProviderWrapper implements AWSCredentialsProvider {
    /**
     * Creates provider that automatically detects container vs instance environment
     */
    public EC2ContainerCredentialsProviderWrapper();
    
    /**
     * Gets credentials from container credentials endpoint or instance metadata
     * @return Temporary credentials from metadata service
     * @throws AmazonClientException If metadata service unavailable
     */
    public AWSCredentials getCredentials();
    
    /**
     * Refreshes credentials from metadata service
     */
    public void refresh();
}

/**
 * Credentials provider specifically for EC2 instance profiles
 */
public class InstanceProfileCredentialsProvider implements AWSCredentialsProvider {
    /**
     * Creates provider for EC2 instance profile credentials
     */
    public InstanceProfileCredentialsProvider();
    
    /**
     * Creates provider with refresh interval configuration
     * @param refreshCredentialsAsync Whether to refresh asynchronously
     */
    public InstanceProfileCredentialsProvider(boolean refreshCredentialsAsync);
    
    public AWSCredentials getCredentials();
    public void refresh();
}

Web Identity Token Credentials

Credentials provider for OIDC/federation scenarios using web identity tokens.

/**
 * Credentials provider for web identity token federation
 * Uses STS AssumeRoleWithWebIdentity operation
 */
public class WebIdentityTokenCredentialsProvider implements AWSCredentialsProvider {
    /**
     * Creates provider that reads from environment variables:
     * - AWS_ROLE_ARN: ARN of role to assume
     * - AWS_WEB_IDENTITY_TOKEN_FILE: Path to token file
     * - AWS_ROLE_SESSION_NAME: Optional session name
     */
    public static WebIdentityTokenCredentialsProvider create();
    
    /**
     * Creates provider with explicit parameters
     * @param roleArn ARN of the IAM role to assume
     * @param roleSessionName Session name for the assumed role session
     * @param webIdentityTokenFile Path to web identity token file
     */
    public WebIdentityTokenCredentialsProvider(String roleArn, 
                                             String roleSessionName, 
                                             String webIdentityTokenFile);
    
    /**
     * Gets temporary credentials by assuming role with web identity token
     * @return Temporary session credentials
     * @throws AmazonClientException If token invalid or role assumption fails
     */
    public AWSCredentials getCredentials();
    
    /**
     * Refreshes credentials by re-assuming role
     */
    public void refresh();
}

Anonymous Credentials

Special credentials provider for anonymous access to public resources.

/**
 * Credentials provider for anonymous access
 * Used when accessing public S3 buckets or other public resources
 */
public class AnonymousAWSCredentials implements AWSCredentials {
    /**
     * Creates anonymous credentials
     */
    public AnonymousAWSCredentials();
    
    /**
     * Returns null for anonymous access
     * @return null
     */
    public String getAWSAccessKeyId();
    
    /**
     * Returns null for anonymous access
     * @return null
     */
    public String getAWSSecretKey();
}

Usage Examples:

import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.auth.AWSStaticCredentialsProvider;

// Anonymous access for public resources
AWSCredentialsProvider anonymousProvider = new AWSStaticCredentialsProvider(
    new AnonymousAWSCredentials()
);

// Use with S3 for public bucket access
AmazonS3 publicS3Client = AmazonS3ClientBuilder.standard()
    .withCredentials(anonymousProvider)
    .withRegion(Regions.US_EAST_1)
    .build();

// Access public bucket without authentication
ObjectListing listing = publicS3Client.listObjects("public-bucket-name");

Types

/**
 * Exception thrown when credentials cannot be obtained
 */
public class AmazonClientException extends SdkClientException {
    public AmazonClientException(String message);
    public AmazonClientException(String message, Throwable cause);
}

/**
 * Credentials with additional metadata
 */
public interface AWSCredentialsProvider {
    /**
     * Gets expiration time for temporary credentials
     * @return Expiration date, or null for permanent credentials
     */
    Date getExpiration();
}