Authentication library providing comprehensive signing and credential management capabilities for AWS services.
Comprehensive set of credential providers for loading AWS credentials from various sources including environment variables, profiles, containers, and instance metadata with automatic fallback chains.
Default AWS credential provider chain that checks multiple credential sources in order: System Properties → Environment Variables → Web Identity Token → Profile File → Container → Instance Profile.
/**
* Default credentials provider chain for AWS credentials lookup
* Implements automatic fallback through multiple credential sources
* <p>
* Security note: sources are consulted in a fixed order and the first one that yields
* credentials is used, so a leftover system property or environment variable takes
* precedence over the profile, container or instance role a deployment intends to use.
*/
final class DefaultCredentialsProvider implements AwsCredentialsProvider, SdkAutoCloseable,
ToCopyableBuilder<Builder, DefaultCredentialsProvider> {
/**
* Create default provider with singleton behavior (DEPRECATED)
* @deprecated Use builder() for better resource management
* @return DefaultCredentialsProvider instance
*/
@Deprecated
static DefaultCredentialsProvider create();
/**
* Create builder for custom configuration
* @return Builder instance
*/
static Builder builder();
/**
* Resolve credentials by walking the chain in order.
* The returned object carries secret material; do not log or persist it.
* @return credentials from the first source that supplies them
*/
AwsCredentials resolveCredentials();
/**
* Release resources held by this provider; instances obtained from builder() should be
* closed by their owner, for example with try-with-resources.
*/
void close();
/**
* Create a builder pre-populated with this provider's configuration
* @return Builder instance
*/
Builder toBuilder();
interface Builder extends CopyableBuilder<Builder, DefaultCredentialsProvider> {
/**
* Override profile file location
* The profile file decides which credentials or role are used, so supply only a file
* from a trusted, access-controlled location.
* @param profileFile profile file supplier
* @return builder instance
*/
Builder profileFile(Supplier<ProfileFile> profileFile);
/**
* Configure profile file using builder
* @param profileFileBuilderConsumer profile file builder configuration
* @return builder instance
*/
Builder profileFile(Consumer<ProfileFile.Builder> profileFileBuilderConsumer);
/**
* Set specific profile name to use
* Take this value from deployment configuration, not from request or user input.
* @param profileName profile name
* @return builder instance
*/
Builder profileName(String profileName);
/**
* Enable reusing the last successful provider
* NOTE(review): with reuse enabled, a change in an earlier source is presumably not
* picked up until the reused provider fails - confirm before relying on it for rotation.
* @param reuseLastProviderEnabled true to enable reuse
* @return builder instance
*/
Builder reuseLastProviderEnabled(Boolean reuseLastProviderEnabled);
/**
* Enable background credential updates
* NOTE(review): background updates presumably hold a thread until close() is called - confirm.
* @param asyncCredentialUpdateEnabled true to enable async updates
* @return builder instance
*/
Builder asyncCredentialUpdateEnabled(Boolean asyncCredentialUpdateEnabled);
/**
* Build the configured provider
* @return DefaultCredentialsProvider instance
*/
DefaultCredentialsProvider build();
}
}Usage Examples:
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
// Use default chain (deprecated singleton)
DefaultCredentialsProvider provider = DefaultCredentialsProvider.create();
// Recommended: Use builder with custom configuration
// The profile name is deployment configuration; do not derive it from request input.
DefaultCredentialsProvider customProvider = DefaultCredentialsProvider.builder()
.profileName("production")
.reuseLastProviderEnabled(true)
.build();
// Use and properly close
// Separate snippet: `provider` is declared again here, so it cannot share a scope with the first example.
try (DefaultCredentialsProvider provider = DefaultCredentialsProvider.builder().build()) {
AwsCredentials credentials = provider.resolveCredentials();
// Use credentials...
// Keep the secret key and session token out of logs, exception messages and persisted state.
}Chains multiple credential providers with fallback behavior, trying each provider in order until one succeeds.
/**
* Chains multiple credential providers with fallback behavior
* Tries providers in order until one successfully returns credentials
* <p>
* Security note: the order of the providers is the order of precedence. Put the source the
* deployment is meant to use first, and leave out sources that should never supply
* credentials in that environment.
*/
final class AwsCredentialsProviderChain implements AwsCredentialsProvider, SdkAutoCloseable,
ToCopyableBuilder<Builder, AwsCredentialsProviderChain> {
/**
* Create provider chain from varargs
* @param providers credential providers in order
* @return AwsCredentialsProviderChain instance
*/
static AwsCredentialsProviderChain of(AwsCredentialsProvider... providers);
/**
* Create builder for advanced configuration
* @return Builder instance
*/
static Builder builder();
/**
* Resolve credentials from the first provider in the chain that returns them.
* The returned object carries secret material; do not log or persist it.
* @return resolved credentials
*/
AwsCredentials resolveCredentials();
/**
* Release resources held by the chain.
* NOTE(review): presumably also closes the chained providers - confirm.
*/
void close();
/**
* Create a builder pre-populated with this chain's configuration
* @return Builder instance
*/
Builder toBuilder();
interface Builder extends CopyableBuilder<Builder, AwsCredentialsProviderChain> {
/**
* Enable reusing the last successful provider for performance
* NOTE(review): with reuse enabled, providers earlier in the chain are presumably not
* consulted again while the reused provider keeps succeeding - confirm.
* @param reuseLastProviderEnabled true to enable reuse
* @return builder instance
*/
Builder reuseLastProviderEnabled(Boolean reuseLastProviderEnabled);
/**
* Set the list of credential providers
* @param credentialsProviders collection of providers
* @return builder instance
*/
Builder credentialsProviders(Collection<? extends AwsCredentialsProvider> credentialsProviders);
/**
* Set credential providers from varargs
* @param credentialsProviders providers to add
* @return builder instance
*/
Builder credentialsProviders(AwsCredentialsProvider... credentialsProviders);
/**
* Add a single credential provider to the chain
* @param credentialsProvider provider to add
* @return builder instance
*/
Builder addCredentialsProvider(AwsCredentialsProvider credentialsProvider);
/**
* Build the configured chain
* @return AwsCredentialsProviderChain instance
*/
AwsCredentialsProviderChain build();
}
}Usage Examples:
import software.amazon.awssdk.auth.credentials.*;
// Simple chain creation
// Providers are tried in the order listed: environment variables take precedence over the
// profile, which takes precedence over the instance role.
AwsCredentialsProviderChain simpleChain = AwsCredentialsProviderChain.of(
EnvironmentVariableCredentialsProvider.create(),
ProfileCredentialsProvider.create(),
InstanceProfileCredentialsProvider.create()
);
// Advanced chain with performance optimization
// List only the sources this workload is expected to use; each extra provider is another
// place from which unintended credentials can be picked up.
AwsCredentialsProviderChain optimizedChain = AwsCredentialsProviderChain.builder()
.reuseLastProviderEnabled(true)
.addCredentialsProvider(EnvironmentVariableCredentialsProvider.create())
.addCredentialsProvider(ProfileCredentialsProvider.create("production"))
.addCredentialsProvider(ContainerCredentialsProvider.create())
.addCredentialsProvider(InstanceProfileCredentialsProvider.create())
.build();Provider that returns static, pre-configured credentials without any external lookups.
/**
* Provider that returns static credentials
* Useful for testing or when credentials are known at compile time
* <p>
* Security note: "known at compile time" should not mean a literal in source code. Keys
* embedded in source end up in version control, build artifacts and decompiled classes.
* Load the values at runtime from a secrets store or injected configuration. Static
* credentials are never refreshed by this provider, so rotation has to be handled by the caller.
*/
final class StaticCredentialsProvider implements AwsCredentialsProvider {
/**
* Create provider with static credentials
* @param credentials static credentials to return
* @return StaticCredentialsProvider instance
*/
static StaticCredentialsProvider create(AwsCredentials credentials);
/**
* Return the credentials supplied to create(), without any external lookup
* @return the configured static credentials
*/
AwsCredentials resolveCredentials();
}Providers that load credentials from environment variables and Java system properties.
Abstract base class for credential providers that load credentials from system settings (environment variables and system properties).
/**
* Abstract base class for credential providers that read from system settings
* Provides common functionality for environment and system property providers
*/
abstract class SystemSettingsCredentialsProvider implements AwsCredentialsProvider {
/**
* Create provider instance (implementation-specific)
* NOTE(review): an abstract base is normally obtained through one of its concrete
* subclasses - confirm that this factory exists on the base class.
* @return SystemSettingsCredentialsProvider instance
*/
static SystemSettingsCredentialsProvider create();
/**
* Resolve credentials from the system settings read by the concrete provider
* @return resolved credentials
*/
AwsCredentials resolveCredentials();
}/**
* Loads credentials from environment variables
* Checks AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
* <p>
* Security note: environment variables are inherited by child processes and can surface in
* process dumps, CI logs and diagnostics. Prefer short-lived credentials (those that come
* with a session token) over long-term access keys when this source is used.
*/
final class EnvironmentVariableCredentialsProvider implements AwsCredentialsProvider {
/**
* Create the provider
* @return EnvironmentVariableCredentialsProvider instance
*/
static EnvironmentVariableCredentialsProvider create();
/**
* Read credentials from the environment variables listed above
* @return resolved credentials
*/
AwsCredentials resolveCredentials();
}
/**
* Loads credentials from Java system properties
* Checks aws.accessKeyId, aws.secretAccessKey, aws.sessionToken
* <p>
* Security note: properties passed as -D arguments are visible in the process command line
* to other local users and monitoring tools, and any code in the JVM can read them.
*/
final class SystemPropertyCredentialsProvider implements AwsCredentialsProvider {
/**
* Create the provider
* @return SystemPropertyCredentialsProvider instance
*/
static SystemPropertyCredentialsProvider create();
/**
* Read credentials from the system properties listed above
* @return resolved credentials
*/
AwsCredentials resolveCredentials();
}Loads credentials from AWS profile files (~/.aws/credentials and ~/.aws/config).
/**
* Loads credentials from AWS profile files
* Supports profiles, role assumption, and SSO configurations
* <p>
* Security note: the profile files are trusted input. They can hold long-term keys in
* plain text, and a profile can name an external command to run for credentials
* (credential_process). Restrict the files to the owning user and never load a profile
* file from a location other principals can write to.
*/
final class ProfileCredentialsProvider implements AwsCredentialsProvider, SdkAutoCloseable,
ToCopyableBuilder<Builder, ProfileCredentialsProvider> {
/**
* Create provider for default profile
* @return ProfileCredentialsProvider instance
*/
static ProfileCredentialsProvider create();
/**
* Create provider for specific profile
* @param profileName name of profile to use
* @return ProfileCredentialsProvider instance
*/
static ProfileCredentialsProvider create(String profileName);
/**
* Create builder for advanced configuration
* @return Builder instance
*/
static Builder builder();
/**
* Resolve credentials from the selected profile.
* The returned object carries secret material; do not log or persist it.
* @return resolved credentials
*/
AwsCredentials resolveCredentials();
/**
* Release resources held by this provider
*/
void close();
/**
* Create a builder pre-populated with this provider's configuration
* @return Builder instance
*/
Builder toBuilder();
interface Builder extends CopyableBuilder<Builder, ProfileCredentialsProvider> {
/**
* Override profile file location
* Supply only a file from a trusted, access-controlled location.
* @param profileFile profile file supplier
* @return builder instance
*/
Builder profileFile(Supplier<ProfileFile> profileFile);
/**
* Configure profile file using builder
* @param profileFileBuilderConsumer profile file builder configuration
* @return builder instance
*/
Builder profileFile(Consumer<ProfileFile.Builder> profileFileBuilderConsumer);
/**
* Set profile name to use
* Take this value from deployment configuration, not from request or user input.
* @param profileName profile name
* @return builder instance
*/
Builder profileName(String profileName);
/**
* Build the configured provider
* @return ProfileCredentialsProvider instance
*/
ProfileCredentialsProvider build();
}
}Providers that retrieve credentials from HTTP endpoints like EC2 instance metadata and container metadata services.
/**
* Base interface for HTTP-based credential providers
* Provides common configuration for endpoint and async behavior
*/
interface HttpCredentialsProvider extends AwsCredentialsProvider, SdkAutoCloseable {
interface Builder<B extends Builder<B, T>, T extends HttpCredentialsProvider>
extends CopyableBuilder<B, T> {
/**
* Enable background credential refresh
* NOTE(review): background refresh presumably holds a thread until the provider is closed - confirm.
* @param asyncCredentialUpdateEnabled true to enable
* @return builder instance
*/
B asyncCredentialUpdateEnabled(Boolean asyncCredentialUpdateEnabled);
/**
* Set thread name for async operations
* @param asyncThreadName thread name
* @return builder instance
*/
B asyncThreadName(String asyncThreadName);
/**
* Override default endpoint URL
* Security note: whatever answers at this URL supplies the credentials the client will
* use. Set it only from trusted deployment configuration, never from request or user
* input, and keep it pointed at a local metadata service.
* @param endpoint endpoint URL
* @return builder instance
*/
B endpoint(String endpoint);
}
}
/**
* Loads credentials from EC2 Instance Metadata Service (IMDS)
* Uses IMDSv2 by default with fallback to IMDSv1
* <p>
* Security note: IMDSv1 is a plain request/response protocol without the session token
* that IMDSv2 requires, which is why instance roles are a common target of server-side
* request forgery. Where the fleet supports it, enforce IMDSv2 on the instance and
* disable the SDK fallback (AWS_EC2_METADATA_V1_DISABLED environment variable or the
* ec2_metadata_v1_disabled profile setting - confirm against the SDK version in use).
*/
final class InstanceProfileCredentialsProvider implements HttpCredentialsProvider,
ToCopyableBuilder<Builder, InstanceProfileCredentialsProvider> {
/**
* Create the provider with default settings
* @return InstanceProfileCredentialsProvider instance
*/
static InstanceProfileCredentialsProvider create();
/**
* Create builder for custom configuration
* @return Builder instance
*/
static Builder builder();
interface Builder extends HttpCredentialsProvider.Builder<Builder, InstanceProfileCredentialsProvider> {
/**
* Configure profile file for IMDS settings
* @param profileFile profile file supplier
* @return builder instance
*/
Builder profileFile(Supplier<ProfileFile> profileFile);
/**
* Set profile name for IMDS configuration
* @param profileName profile name
* @return builder instance
*/
Builder profileName(String profileName);
}
}
/**
* Loads credentials from container metadata service (ECS, Greengrass)
* Uses AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI
* <p>
* Security note: these variables decide where the credential request is sent. Treat them
* as trusted deployment configuration set by the container runtime, and do not let
* application input or untrusted child configuration overwrite them.
*/
final class ContainerCredentialsProvider implements HttpCredentialsProvider,
ToCopyableBuilder<Builder, ContainerCredentialsProvider> {
/**
* Create the provider with default settings
* @return ContainerCredentialsProvider instance
*/
static ContainerCredentialsProvider create();
/**
* Create builder for custom configuration
* @return Builder instance
*/
static Builder builder();
// Adds no options of its own; configuration comes from HttpCredentialsProvider.Builder.
interface Builder extends HttpCredentialsProvider.Builder<Builder, ContainerCredentialsProvider> {
}
}Additional providers for specific use cases like external processes and web identity tokens.
/**
* Loads credentials from external process
* Executes command specified in profile's credential_process
* <p>
* Security note: this provider runs a program with the privileges of the JVM and trusts
* what it prints. The command must come from trusted configuration, should be referenced
* by absolute path, and the executable must not be writable by other users.
*/
class ProcessCredentialsProvider implements AwsCredentialsProvider, SdkAutoCloseable {
/**
* Create builder for the provider
* @return Builder instance
*/
static Builder builder();
interface Builder extends CopyableBuilder<Builder, ProcessCredentialsProvider> {
/**
* Set the command to execute.
* Never assemble this string from request or user input.
* NOTE(review): the string is presumably handed to a shell or process launcher as is - confirm how it is parsed.
* @param command command line of the external credential process
* @return builder instance
*/
Builder command(String command);
/**
* Set the credential refresh threshold
* NOTE(review): presumably how long before expiry a refresh is attempted - confirm.
* @param credentialRefreshThreshold refresh threshold
* @return builder instance
*/
Builder credentialRefreshThreshold(Duration credentialRefreshThreshold);
/**
* Set the process output limit
* NOTE(review): presumably caps how much process output is read, which bounds memory
* use if the helper misbehaves - confirm unit and default.
* @param processOutputLimit output limit
* @return builder instance
*/
Builder processOutputLimit(Long processOutputLimit);
/**
* Build the configured provider
* @return ProcessCredentialsProvider instance
*/
ProcessCredentialsProvider build();
}
}
/**
* Loads credentials using OIDC web identity token from file
* Used for service accounts and federated access
* <p>
* Security note: the token file holds a bearer token; anything that can read it can
* request the role's credentials. Keep the file readable only by the workload identity,
* and scope the role's trust policy to the expected issuer, audience and subject.
*/
class WebIdentityTokenFileCredentialsProvider implements AwsCredentialsProvider, SdkAutoCloseable {
/**
* Create builder for the provider
* @return Builder instance
*/
static Builder builder();
interface Builder extends CopyableBuilder<Builder, WebIdentityTokenFileCredentialsProvider> {
/**
* Set the ARN of the role to assume
* @param roleArn role ARN
* @return builder instance
*/
Builder roleArn(String roleArn);
/**
* Set the session name for the assumed-role session.
* A name that identifies the workload makes the session attributable in audit logs.
* @param roleSessionName session name
* @return builder instance
*/
Builder roleSessionName(String roleSessionName);
/**
* Set the path of the file holding the web identity token
* @param webIdentityTokenFile token file path
* @return builder instance
*/
Builder webIdentityTokenFile(String webIdentityTokenFile);
/**
* Build the configured provider
* @return WebIdentityTokenFileCredentialsProvider instance
*/
WebIdentityTokenFileCredentialsProvider build();
}
}
/**
* Provides anonymous (no-auth) credentials
* Used for public resources that don't require authentication
* <p>
* Security note: select this provider explicitly, per client, for resources that are
* meant to be public. Placing it at the end of a fallback chain turns a failure to load
* real credentials into unauthenticated requests instead of an error.
*/
final class AnonymousCredentialsProvider implements AwsCredentialsProvider {
/**
* Create the provider
* @return AnonymousCredentialsProvider instance
*/
static AnonymousCredentialsProvider create();
/**
* Return anonymous credentials
* @return credentials that carry no identity
*/
AwsCredentials resolveCredentials();
}Usage Examples:
import software.amazon.awssdk.auth.credentials.*;
// EC2 instance credentials with custom configuration
// Providers built this way are closeable; close them when the owning client is shut down.
InstanceProfileCredentialsProvider instanceProvider =
InstanceProfileCredentialsProvider.builder()
.asyncCredentialUpdateEnabled(true)
.build();
// Container credentials for ECS tasks
ContainerCredentialsProvider containerProvider = ContainerCredentialsProvider.create();
// Process credentials from external command
// Absolute path to a fixed helper; the helper should be owned and writable only by a trusted account.
ProcessCredentialsProvider processProvider = ProcessCredentialsProvider.builder()
.command("/usr/local/bin/get-aws-credentials")
.build();
// Web identity token for service accounts
// The ARN, session name and token path below are sample values; the token file should be readable only by the workload.
WebIdentityTokenFileCredentialsProvider webIdentityProvider =
WebIdentityTokenFileCredentialsProvider.builder()
.roleArn("arn:aws:iam::123456789012:role/MyRole")
.roleSessionName("MySession")
.webIdentityTokenFile("/var/run/secrets/token")
.build();
// Anonymous credentials for public resources
// Use only with clients that access intentionally public resources.
AnonymousCredentialsProvider anonymousProvider = AnonymousCredentialsProvider.create();Utility classes for creating credential providers with shared configuration.
/**
* Factory for creating profile-based credential providers
*/
class ProfileCredentialsProviderFactory {
/**
* Create a credentials provider for the named profile
* @param profileName profile name; take it from trusted configuration
* @return credentials provider for that profile
*/
AwsCredentialsProvider create(String profileName);
}
/**
* Factory for creating child profile credential providers
*/
class ChildProfileCredentialsProviderFactory {
/**
* Create a credentials provider for a profile within the given profile file
* @param profileFile profile file to read; must come from a trusted location
* @param profileName profile name within that file
* @return credentials provider for that profile
*/
AwsCredentialsProvider create(ProfileFile profileFile, String profileName);
}
/**
* Factory for creating web identity token credential providers
*/
class WebIdentityTokenCredentialsProviderFactory {
/**
* Create a credentials provider that uses a web identity token file
* @param roleArn ARN of the role to assume
* @param roleSessionName session name for the assumed-role session
* @param webIdentityTokenFile path of the token file; keep it readable only by the workload
* @return credentials provider for that role
*/
AwsCredentialsProvider create(String roleArn, String roleSessionName, String webIdentityTokenFile);
}Context class for providing configuration and dependencies to profile-based credential providers.
/**
* Context class for profile-based credential provider construction
* Provides configuration and dependencies required by profile providers
*/
final class ProfileProviderCredentialsContext implements ToCopyableBuilder<Builder, ProfileProviderCredentialsContext> {
/**
* Create builder for context configuration
* @return Builder instance
*/
static Builder builder();
/**
* Create a builder pre-populated with this context's configuration
* @return Builder instance
*/
Builder toBuilder();
interface Builder extends CopyableBuilder<Builder, ProfileProviderCredentialsContext> {
/**
* Set profile file supplier
* Supply only a file from a trusted, access-controlled location.
* @param profileFile profile file supplier
* @return builder instance
*/
Builder profileFile(Supplier<ProfileFile> profileFile);
/**
* Set profile name
* @param profileName profile name to use
* @return builder instance
*/
Builder profileName(String profileName);
/**
* Build the configured context
* @return ProfileProviderCredentialsContext instance
*/
ProfileProviderCredentialsContext build();
}
}Credential providers may encounter various error conditions:
// Resolve credentials and branch on the cause of a failure.
try {
AwsCredentials credentials = provider.resolveCredentials();
} catch (SdkClientException e) {
// Credential resolution failed - check cause for specific error
// NOTE(review): the cause types tested below are illustrative; which cause is wrapped depends on the provider - confirm.
// Log the exception, never credential values, and fail closed rather than substituting
// static or anonymous credentials.
if (e.getCause() instanceof FileNotFoundException) {
// Profile file not found
} else if (e.getCause() instanceof IOException) {
// Network error accessing metadata service
}
}Common error scenarios: