Configure access to temporary credentials
For increased security, Amazon recommends that you configure the SDK for Java to use temporary credentials instead of long-lived credentials. Temporary credentials consist of access keys (access key id and secret access key) and a session token. We recommend that you configure the SDK to automatically get temporary credentials, since the token refresh process is automatic. You can, however, provide the SDK with temporary credentials directly.
IAM Identity Center configuration
When you configure the SDK to use IAM Identity Center single sign-on access as described in Setup overview in this guide, the SDK automatically uses temporary credentials.
The SDK uses the IAM Identity Center access token to gain access to the IAM role that is
configured with the sso_role_name
setting in your config
file.
The SDK assumes this IAM role and retrieves temporary credentials to use for
Amazon Web Services service requests.
For more details about how the SDK gets temporary credentials from the configuration, see the Understanding IAM Identity Center authentication section of the Amazon SDKs and Tools Reference Guide.
Note
It addition to the configuration that you set in the config
file that works for all projects, each individual Java project requires that the
Maven pom.xml
file contains the following dependencies:
<dependency> <groupId>software.amazon.awssdk</groupId> <artifactId>sso</artifactId> </dependency> <dependency> <groupId>software.amazon.awssdk</groupId> <artifactId>ssooidc</artifactId> </dependency>
The sso
and ssooidc
dependencies provide the code that
enables the SDK for Java 2.x to access temporary credentials.
Retrieve from Amazon access portal
As an alternative to IAM Identity Center single sign-on configuration, you can copy and use temporary credentials available in the Amazon access portal. You can use the temporary credentials in a profile or use them as values for system properties and environment variables.
Set up a local credentials file for temporary credentials
-
In the credentials file, paste the following placeholder text until you paste in working temporary credentials.
[default] aws_access_key_id=
<value from Amazon access portal>
aws_secret_access_key=<value from Amazon access portal>
aws_session_token=<value from Amazon access portal>
-
Save the file. The file
~/.aws/credentials
should now exist on your local development system. This file contains the [default] profile that the SDK for Java uses if a specific named profile is not specified. -
Follow these instructions under the Manual credential refresh heading to copy IAM role credentials from the Amazon access portal.
-
For step 4 in the linked instructions, choose the IAM role name that grants access for your development needs. This role typically has a name like PowerUserAccess or Developer.
-
For step 7, select the Manually add a profile to your Amazon credentials file option and copy the contents.
-
-
Paste the copied credentials into your local
credentials
file and remove the generated profile name. Your file should resemble the following.[default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY aws_session_token=IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE
-
Save the
credentials
file.
When the SDK for Java creates a service client, it will access these temporary credentials and use them for each request. The settings for the IAM role chosen in step 5a determine how long the temporary credentials are valid. The maximum duration is twelve hours.
After the temporary credentials expire, repeat steps 4 through 7.