java - 如何配置 spring 应用程序以在 aws 上使用 IAM 角色(在 AWS ECS 中运行)并在 dev env 上使用凭据？

Question

如何配置 spring boot 应用程序以使用 IAM 角色？下面这段代码够了吗？或者我完全错了？

@Bean
public AmazonS3 amazonS3Client() {

    return AmazonS3ClientBuilder.standard()
            .withCredentials(new AWSCredentialsProviderChain(InstanceProfileCredentialsProvider.getInstance(), new ProfileCredentialsProvider()))
            .build();
}

Answer 1

使用STS Assume Role 来实现这一点

    @Value("${my.aws.assumeRoleARN:}")
    private String assumeRoleARN;    

    @Bean
    @Primary
    public AWSCredentialsProvider awsCredentialsProvider() {
        log.info("Assuming role {}",assumeRoleARN);
        if (StringUtils.isNotEmpty(assumeRoleARN)) {
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                    .withClientConfiguration(clientConfiguration())
                    .withCredentials(awsCredentialsProvider)
                    .build();

            return new STSAssumeRoleSessionCredentialsProvider
                    .Builder(assumeRoleARN, "role")
                    .withStsClient(stsClient)
                    .build();
        }
        return awsCredentialsProvider;
    }

    @Bean
    @ConfigurationProperties(prefix = "aws.configuration")
    public ClientConfiguration clientConfiguration() {
        return new ClientConfiguration();
    }

    @Bean
    @Primary
    public AmazonS3 amazonS3() {
        return AmazonS3ClientBuilder.standard().
                withCredentials(awsCredentialsProvider()).
                withClientConfiguration(clientConfiguration()).
                build();
    }