tessl/maven-software-amazon-awssdk--auth
Authentication library providing comprehensive signing and credential management capabilities for AWS services.
credential-management.mddocs/
Credential Management
Core credential types providing secure AWS authentication through immutable credential objects with builder pattern support and optional metadata.
Capabilities
AwsCredentials Interface
Base interface for AWS authentication credentials providing access to access key and secret access key.
/**
* Base interface for AWS credentials providing access to AWS access key and secret key
* Extends AwsCredentialsIdentity for compatibility with identity framework
*/
interface AwsCredentials extends AwsCredentialsIdentity {
String accessKeyId();
String secretAccessKey();
Optional<String> providerName();
Optional<String> accountId();
}AwsBasicCredentials Class
Immutable implementation of basic AWS credentials containing access key and secret access key.
/**
* Basic implementation of AWS credentials with access key and secret key
* Immutable class with builder pattern support
*/
final class AwsBasicCredentials implements AwsCredentials, ToCopyableBuilder<Builder, AwsBasicCredentials> {
/**
* Create basic credentials from access key and secret key
* @param accessKeyId AWS access key ID
* @param secretAccessKey AWS secret access key
* @return new AwsBasicCredentials instance
*/
static AwsBasicCredentials create(String accessKeyId, String secretAccessKey);
/**
* Create builder for custom configuration
* @return Builder instance
*/
static Builder builder();
String accessKeyId();
String secretAccessKey();
Optional<String> providerName();
Optional<String> accountId();
Builder toBuilder();
interface Builder extends CopyableBuilder<Builder, AwsBasicCredentials> {
Builder accessKeyId(String accessKeyId);
Builder secretAccessKey(String secretAccessKey);
Builder providerName(String providerName);
Builder accountId(String accountId);
AwsBasicCredentials build();
}
}Usage Examples:
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
// Create basic credentials
AwsBasicCredentials credentials = AwsBasicCredentials.create(
"AKIAIOSFODNN7EXAMPLE",
"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
);
// Using builder for additional metadata
AwsBasicCredentials credentialsWithMetadata = AwsBasicCredentials.builder()
.accessKeyId("AKIAIOSFODNN7EXAMPLE")
.secretAccessKey("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
.providerName("MyCustomProvider")
.accountId("123456789012")
.build();
// Create modified copy using builder
AwsBasicCredentials updatedCredentials = credentials.toBuilder()
.providerName("UpdatedProvider")
.build();AwsSessionCredentials Class
AWS credentials with session token for temporary access, commonly used with AWS STS (Security Token Service).
/**
* AWS credentials with session token for temporary access
* Extends AwsCredentials and AwsSessionCredentialsIdentity
*/
final class AwsSessionCredentials implements AwsCredentials, AwsSessionCredentialsIdentity,
ToCopyableBuilder<Builder, AwsSessionCredentials> {
/**
* Create session credentials with access key, secret key, and session token
* @param accessKey AWS access key ID
* @param secretKey AWS secret access key
* @param sessionToken AWS session token
* @return new AwsSessionCredentials instance
*/
static AwsSessionCredentials create(String accessKey, String secretKey, String sessionToken);
/**
* Create builder for custom configuration including expiration time
* @return Builder instance
*/
static Builder builder();
String accessKeyId();
String secretAccessKey();
String sessionToken();
Optional<Instant> expirationTime();
Optional<String> providerName();
Optional<String> accountId();
Builder toBuilder();
interface Builder extends CopyableBuilder<Builder, AwsSessionCredentials> {
Builder accessKeyId(String accessKeyId);
Builder secretAccessKey(String secretAccessKey);
Builder sessionToken(String sessionToken);
Builder expirationTime(Instant expirationTime);
Builder providerName(String providerName);
Builder accountId(String accountId);
AwsSessionCredentials build();
}
}Usage Examples:
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import java.time.Instant;
// Create session credentials from STS response
AwsSessionCredentials sessionCredentials = AwsSessionCredentials.create(
"AKIAIOSFODNN7EXAMPLE",
"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"AQoDYXdzEJr...<remainder of security token>"
);
// Using builder with expiration time
AwsSessionCredentials credentialsWithExpiry = AwsSessionCredentials.builder()
.accessKeyId("AKIAIOSFODNN7EXAMPLE")
.secretAccessKey("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
.sessionToken("AQoDYXdzEJr...<remainder of security token>")
.expirationTime(Instant.now().plusSeconds(3600)) // 1 hour from now
.providerName("STSCredentialsProvider")
.accountId("123456789012")
.build();
// Check if credentials are expired
if (credentialsWithExpiry.expirationTime().isPresent()) {
Instant expiry = credentialsWithExpiry.expirationTime().get();
if (expiry.isBefore(Instant.now())) {
// Credentials are expired, need to refresh
}
}AwsCredentialsProvider Interface
Functional interface for loading AWS credentials with support for both synchronous and asynchronous resolution.
/**
* Functional interface for loading AWS credentials
* Supports both sync and async credential resolution
*/
@FunctionalInterface
interface AwsCredentialsProvider extends IdentityProvider<AwsCredentialsIdentity> {
/**
* Resolve credentials synchronously
* @return AwsCredentials instance
* @throws SdkClientException if credentials cannot be resolved
*/
AwsCredentials resolveCredentials();
/**
* Return the identity type this provider handles
* @return Class representing AwsCredentialsIdentity
*/
default Class<AwsCredentialsIdentity> identityType() {
return AwsCredentialsIdentity.class;
}
/**
* Resolve credentials asynchronously
* @param request resolve identity request
* @return CompletableFuture with resolved identity
*/
default CompletableFuture<AwsCredentialsIdentity> resolveIdentity(ResolveIdentityRequest request) {
return CompletableFuture.supplyAsync(() -> resolveCredentials());
}
}Usage Examples:
import software.amazon.awssdk.auth.credentials.*;
// Create custom credential provider
AwsCredentialsProvider customProvider = () -> {
// Custom logic to retrieve credentials
return AwsBasicCredentials.create("key", "secret");
};
// Use provider to resolve credentials
AwsCredentials credentials = customProvider.resolveCredentials();
// Async resolution
CompletableFuture<AwsCredentialsIdentity> futureCredentials =
customProvider.resolveIdentity(ResolveIdentityRequest.builder().build());Error Handling
Credential resolution may throw the following exceptions:
- SdkClientException: When credentials cannot be resolved from any source
- IllegalArgumentException: When invalid parameters are provided to builders
- SecurityException: When access to credential sources is denied
try {
AwsCredentials credentials = provider.resolveCredentials();
} catch (SdkClientException e) {
// Handle credential resolution failure
logger.error("Failed to resolve credentials: " + e.getMessage());
}Utility Classes
CredentialUtils Class
Utility class providing helper methods for working with AWS credentials and credential providers.
/**
* Utility class for AWS credentials operations
* Provides conversion and validation methods
*/
final class CredentialUtils {
/**
* Check if credentials are anonymous (null or empty access key)
* @param credentials AWS credentials to check
* @return true if credentials are anonymous, false otherwise
*/
static boolean isAnonymous(AwsCredentials credentials);
/**
* Check if credential identity is anonymous
* @param credentials AWS credentials identity to check
* @return true if credentials are anonymous, false otherwise
*/
static boolean isAnonymous(AwsCredentialsIdentity credentials);
/**
* Convert AwsCredentialsIdentity to AwsCredentials
* @param awsCredentialsIdentity credentials identity to convert
* @return AwsCredentials instance
*/
static AwsCredentials toCredentials(AwsCredentialsIdentity awsCredentialsIdentity);
/**
* Convert generic identity provider to AWS credentials provider
* @param identityProvider generic identity provider
* @return AwsCredentialsProvider instance
*/
static AwsCredentialsProvider toCredentialsProvider(
IdentityProvider<? extends AwsCredentialsIdentity> identityProvider);
}Usage Examples:
import software.amazon.awssdk.auth.credentials.CredentialUtils;
// Check if credentials are anonymous
AwsCredentials credentials = // ... obtain credentials
boolean isAnonymous = CredentialUtils.isAnonymous(credentials);
if (isAnonymous) {
System.out.println("Using anonymous credentials");
} else {
System.out.println("Using authenticated credentials");
}
// Convert identity to credentials
AwsCredentialsIdentity identity = // ... obtain identity
AwsCredentials converted = CredentialUtils.toCredentials(identity);
// Convert identity provider to credentials provider
IdentityProvider<AwsCredentialsIdentity> genericProvider = // ...
AwsCredentialsProvider credentialsProvider =
CredentialUtils.toCredentialsProvider(genericProvider);Supporting Interfaces
HttpCredentialsProvider Interface
Base interface for HTTP-based credential providers such as EC2 instance metadata and container metadata providers.
/**
* Base interface for HTTP-based credential providers
* Extends AwsCredentialsProvider and SdkAutoCloseable for resource management
*/
interface HttpCredentialsProvider extends AwsCredentialsProvider, SdkAutoCloseable {
// Inherits resolveCredentials() from AwsCredentialsProvider
// Inherits close() from SdkAutoCloseable
}Install with Tessl CLI
npx tessl i tessl/maven-software-amazon-awssdk--auth