Configuring IAM roles for Amazon EC2
All requests to AWS services must be cryptographically signed using credentials issued by AWS. You can use IAM roles to conveniently grant secure access to AWS resources from your Amazon EC2 instances.
This topic describes how to use IAM roles with AWS SDK for Java applications running on Amazon EC2. For more information about IAM roles for EC2 instances, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.
Default provider chain and Amazon EC2 instance profiles
If your application creates an AWS client using the create method, the client searches for credentials using the default credentials provider chain, in the following order:
- In the Java system properties: aws.accessKeyId and aws.secretAccessKey.
- In system environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
- In the default credentials file (the location of this file varies by platform).
- In the Amazon ECS environment variable: AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.
- In the instance profile credentials, which exist within the instance metadata associated with the IAM role for the EC2 instance.
The final step in the default provider chain is available only when running your application on an Amazon EC2 instance. However, it provides the greatest ease of use and the best security when working with Amazon EC2 instances, because no long-lived access key has to be stored on the instance. You can also pass an InstanceProfileCredentialsProvider to the client builder explicitly, which bypasses the chain and prevents a stray access key in a system property or environment variable from taking precedence. For example:

```java
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.services.s3.S3Client;

// Bind the client to the instance profile only; the default chain is not consulted.
S3Client s3 = S3Client.builder()
        .credentialsProvider(InstanceProfileCredentialsProvider.builder().build())
        .build();
```

When you use this approach, the SDK retrieves temporary AWS credentials that carry the same permissions as the IAM role attached to the Amazon EC2 instance through its instance profile. Although these credentials are temporary and eventually expire, InstanceProfileCredentialsProvider periodically refreshes them for you so that the obtained credentials continue to allow access to AWS. Note that any process on the instance that can reach the instance metadata service can obtain the same credentials, so scope the role's permissions to what the application actually needs.
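The following added example (written for this page; it is not code from the AWS SDK documentation) shows both ways of obtaining instance profile credentials described above and adds the check a practitioner wants before trusting them: it asks STS which principal the resolved credentials belong to and refuses to continue unless that principal is the expected instance role. The region being read from the AWS_REGION environment variable, the fallback region, and the role name MyS3ReadOnlyRole are assumptions, not values from the page.

```java
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

public class InstanceRoleCheck {

    // Assumption: region comes from AWS_REGION; on EC2 the SDK can also resolve it from instance metadata.
    private static final Region REGION =
            Region.of(System.getenv().getOrDefault("AWS_REGION", "us-east-1"));

    /** Option 1: rely on the default chain (system properties, env vars, credentials file, ECS, then instance profile). */
    static S3Client defaultChainClient() {
        return S3Client.builder()
                .region(REGION)
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();
    }

    /** Option 2: pin the client to the instance profile so nothing earlier in the chain can override it. */
    static InstanceProfileCredentialsProvider instanceProfileOnly() {
        return InstanceProfileCredentialsProvider.builder()
                // Refresh on a background thread so a request never blocks on an expiring credential.
                .asyncCredentialUpdateEnabled(true)
                .build();
    }

    /**
     * Ask STS which principal the resolved credentials belong to. For an instance role the ARN has the form
     * arn:aws:sts::123456789012:assumed-role/RoleName/i-0123456789abcdef0 (session name is the instance ID).
     */
    static String callerArn(AwsCredentialsProvider provider) {
        try (StsClient sts = StsClient.builder().region(REGION).credentialsProvider(provider).build()) {
            GetCallerIdentityResponse identity = sts.getCallerIdentity();
            return identity.arn();
        }
    }

    /** True only if the ARN is an assumed-role ARN for the expected role name. */
    static boolean isExpectedRole(String arn, String expectedRoleName) {
        return arn.contains(":assumed-role/" + expectedRoleName + "/");
    }

    public static void main(String[] args) {
        String expectedRole = args.length > 0 ? args[0] : "MyS3ReadOnlyRole"; // assumed role name
        try (InstanceProfileCredentialsProvider provider = instanceProfileOnly()) {
            String arn = callerArn(provider);
            System.out.println("Running as: " + arn);
            if (!isExpectedRole(arn, expectedRole)) {
                // Fail closed: the credentials came from somewhere other than the intended instance role.
                throw new IllegalStateException("Unexpected principal, refusing to continue: " + arn);
            }
            try (S3Client s3 = S3Client.builder().region(REGION).credentialsProvider(provider).build()) {
                System.out.println("S3 client bound to instance role " + expectedRole);
            }
        }
    }
}
```

Pinning the provider (option 2) matters on shared or long-lived hosts: with the default chain, an AWS_ACCESS_KEY_ID left in the environment by an operator or a build step silently wins over the instance role, and the identity check above is how you notice that before the application does any work with the wrong principal.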
Walkthrough: Using IAM roles for Amazon EC2 instances
This walkthrough shows you how to retrieve an object from Amazon S3 using an IAM role to manage access.
Create an IAM role
Create an IAM role that grants read-only access to Amazon S3.
To create the IAM role
- Open the IAM console.
- In the navigation pane, choose Roles, then Create New Role.
- On the Select Role Type page, under AWS Service Roles, choose Amazon EC2.
- On the Attach Policy page, choose Amazon S3 Read Only Access from the policy list, then choose Next Step.
- Enter a name for the role, then select Next Step. Remember this name, because you'll need it when you launch your Amazon EC2 instance.
- On the Review page, choose Create Role.
Launch an EC2 instance and specify your IAM role
You can launch an Amazon EC2 instance with an IAM role using the Amazon EC2 console.
To launch an Amazon EC2 instance using the console, follow the directions in Getting Started with Amazon EC2 Linux Instances in the Amazon EC2 User Guide for Linux Instances.
When you reach the Review Instance Launch page, select Edit instance details. In IAM role, choose the IAM role that you created previously. Complete the procedure as directed.
You need to create or use an existing security group and key pair to connect to the instance.
With this IAM and Amazon EC2 setup, you can deploy your application to the EC2 instance and it will have read-only access to Amazon S3 without any access key stored on the instance.
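The walkthrough above ends before showing the application itself. The following added example (written for this page, not code from the AWS SDK documentation) retrieves an object from Amazon S3 using only the credentials of the instance role, and then confirms that the role really is read-only by attempting a write and expecting AccessDenied. The bucket name, object key, region source and probe key are assumptions; substitute your own.

```java
import java.nio.charset.StandardCharsets;
import software.amazon.awssdk.core.ResponseBytes;
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectResponse;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.S3Exception;

public class S3ReadWithInstanceRole {

    // Assumption: region comes from AWS_REGION; on EC2 the SDK can also resolve it from instance metadata.
    private static final Region REGION =
            Region.of(System.getenv().getOrDefault("AWS_REGION", "us-east-1"));

    /** Read an object as UTF-8 text. No credentials are configured here: the default chain finds the instance profile. */
    static String readObject(S3Client s3, String bucket, String key) {
        GetObjectRequest request = GetObjectRequest.builder().bucket(bucket).key(key).build();
        ResponseBytes<GetObjectResponse> bytes = s3.getObjectAsBytes(request);
        return bytes.asUtf8String();
    }

    /**
     * Probe the role's boundary: with AmazonS3ReadOnlyAccess a PutObject must fail with HTTP 403 / AccessDenied.
     * Returns true when the write is denied, false if it unexpectedly succeeds or fails for another reason.
     */
    static boolean writeIsDenied(S3Client s3, String bucket, String probeKey) {
        PutObjectRequest request = PutObjectRequest.builder().bucket(bucket).key(probeKey).build();
        try {
            s3.putObject(request, RequestBody.fromString("probe", StandardCharsets.UTF_8));
            return false; // the role can write: it is not read-only
        } catch (S3Exception e) {
            return e.statusCode() == 403
                    && "AccessDenied".equals(e.awsErrorDetails().errorCode());
        }
    }

    public static void main(String[] args) {
        String bucket = args.length > 0 ? args[0] : "my-example-bucket";   // assumed
        String key = args.length > 1 ? args[1] : "config/app.properties";  // assumed

        try (S3Client s3 = S3Client.builder().region(REGION).build()) {
            String body = readObject(s3, bucket, key);
            System.out.println("Read " + body.length() + " characters from s3://" + bucket + "/" + key);

            if (!writeIsDenied(s3, bucket, "probe/should-be-denied.txt")) {
                // Surface over-privilege loudly: the instance role has more than the read-only access intended.
                throw new IllegalStateException("Instance role is able to write to " + bucket + "; expected read-only");
            }
            System.out.println("Write probe denied as expected; role is read-only for " + bucket);
        }
    }
}
```

Run this on the instance launched with the role from the walkthrough. If the read fails with 403 the role was not attached or the policy is missing; if the write probe succeeds, a broader policy than Amazon S3 Read Only Access is attached to the role and should be tightened.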