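// Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0 (For details, see https://github.com/awsdocs/amazon-s3-developer-guide/blob/master/LICENSE-SAMPLECODE.)

import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
import com.amazonaws.services.securitytoken.model.GetSessionTokenResult;

/**
 * Demonstrates making Amazon S3 requests with temporary security credentials
 * obtained by assuming an IAM role through AWS STS.
 *
 * <p>The STS client is built with the caller's long-lived (profile) credentials;
 * every S3 call is then made with the short-lived credentials returned by
 * {@code AssumeRole}, so the S3 request is authorized by the role's policy and
 * not by the caller's own permissions.
 *
 * <p>The placeholders below can be overridden from the command line as
 * {@code <region> <roleArn> <roleSessionName> <bucketName>}.
 */
public class MakingRequestsWithIAMTempCredentials {

    /**
     * Entry point: assumes the role, builds an S3 client from the role's
     * temporary credentials and lists the bucket once to confirm access.
     *
     * @param args optional positional overrides: region, role ARN, role
     *             session name, bucket name (missing ones keep the placeholders)
     */
    public static void main(String[] args) {
        String clientRegion = args.length > 0 ? args[0] : "*** Client region ***";
        String roleARN = args.length > 1 ? args[1] : "*** ARN for role to be assumed ***";
        String roleSessionName = args.length > 2 ? args[2] : "*** Role session name ***";
        String bucketName = args.length > 3 ? args[3] : "*** Bucket name ***";

        try {
            // Creating the STS client is part of your trusted code. It has
            // the security credentials you use to obtain temporary security credentials.
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                    .withCredentials(new ProfileCredentialsProvider())
                    .withRegion(clientRegion)
                    .build();

            // Assume the IAM role. Note that you cannot assume the role of an AWS root account;
            // Amazon S3 will deny access. You must use credentials for an IAM user or an IAM role.
            // The credentials returned by AssumeRole are the ones the S3 client must use: the
            // original version discarded them and signed S3 requests with a GetSessionToken
            // session derived from the caller's own credentials, so the "verification" below
            // never actually exercised the role's permissions.
            Credentials roleCredentials = assumeRole(stsClient, roleARN, roleSessionName);

            // Provide temporary security credentials so that the Amazon S3 client
            // can send authenticated requests to Amazon S3.
            AmazonS3 s3Client = buildS3Client(roleCredentials, clientRegion);

            // Verify that assuming the role worked and the permissions are set correctly
            // by getting a set of object keys from the bucket. Only the first page of the
            // listing is counted; a truncated listing would need follow-up calls.
            ObjectListing objects = s3Client.listObjects(bucketName);
            System.out.println("No. of Objects: " + objects.getObjectSummaries().size());
        }
        catch(AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process
            // it, so it returned an error response.
            e.printStackTrace();
        }
        catch(SdkClientException e) {
            // Amazon S3 couldn't be contacted for a response, or the client
            // couldn't parse the response from Amazon S3.
            e.printStackTrace();
        }
    }

    /**
     * Calls STS {@code AssumeRole} and returns the role's temporary credentials.
     *
     * <p>No explicit duration is requested, so the session lasts the STS default;
     * an explicit {@code DurationSeconds} is bounded by the role's configured
     * maximum session duration and is rejected when it exceeds it.
     *
     * @param stsClient       STS client authenticated with the caller's own credentials
     * @param roleARN         ARN of the role to assume
     * @param roleSessionName session name recorded with the assumed-role identity
     *                        (it appears in the role session's ARN, which is useful
     *                        when auditing who used the role)
     * @return the access key, secret key and session token issued for the role
     * @throws AmazonServiceException if STS rejects the request (e.g. the trust policy
     *                                does not allow the caller to assume the role)
     * @throws SdkClientException     if STS cannot be reached or the response cannot be parsed
     */
    private static Credentials assumeRole(AWSSecurityTokenService stsClient,
                                          String roleARN,
                                          String roleSessionName) {
        AssumeRoleRequest roleRequest = new AssumeRoleRequest()
                .withRoleArn(roleARN)
                .withRoleSessionName(roleSessionName);
        AssumeRoleResult roleResult = stsClient.assumeRole(roleRequest);
        return roleResult.getCredentials();
    }

    /**
     * Builds an Amazon S3 client that signs requests with the given temporary credentials.
     *
     * @param credentials temporary credentials as returned by STS (all three parts are required;
     *                    omitting the session token makes every S3 request fail authentication)
     * @param region      region the client sends requests to
     * @return an S3 client that authenticates as the temporary identity
     */
    private static AmazonS3 buildS3Client(Credentials credentials, String region) {
        // Package the temporary security credentials as a BasicSessionCredentials object
        // for an Amazon S3 client object to use.
        BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(
                credentials.getAccessKeyId(),
                credentials.getSecretAccessKey(),
                credentials.getSessionToken());

        // The static provider never refreshes: once the session expires, this
        // client must be rebuilt from a fresh AssumeRole call.
        return AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(basicSessionCredentials))
                .withRegion(region)
                .build();
    }
}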