
I have a Java program which needs to access Amazon S3 to put some files there. Please note that this Java program is running on my desktop (not in EC2). What's the best secure way to access Amazon S3 using credentials? Following are the ways I am aware of.

  1. Using access token and secret

    a. In sdk properties file

    b. As environment variables

    c. In command line system properties

    d. Directly hard coding in program

Of course I'd prefer options b and c for security reasons.

  1. Are role-based permissions possible here? My understanding is that it's not possible since my Java program is running in an external machine which AWS doesn't know.

  2. Any other method of access possible?

Thanks in advance.

  1. The best way is to use the default provider chain, which means that the [DefaultCredentialsProvider](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.html) class will decide from where to take the credentials based on a specific hierarchy:

     1. Java System Properties - aws.accessKeyId and aws.secretAccessKey
     2. Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
     3. Web Identity Token credentials from system properties or environment variables
     4. Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI
     5. Credentials delivered through the Amazon EC2 container service if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and the security manager has permission to access the variable
     6. Instance profile credentials delivered through the Amazon EC2 metadata service

For local development the recommended way is to set up your credentials using the aws configure command and let the default provider chain take advantage of that.

Although environment variables may be a reasonable choice in some cases (and the default chain will be able to use them), please NEVER ever hardcode any credentials in your code!

  2. Yes it is. We can assume a role using the AWS CLI:

     aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session

This will provide a temporary AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN which can be provided to the application. The application will communicate with AWS services using the permissions provided by the assumed role.

  3. Yes, there is another way if the goal is to access S3. We can use presigned URLs.
  • Thanks Ervin. Was wondering how AWS can recognise my application if I use a role (option 2)? My Java application is an external one, so how can it get an ARN?
    – SRaj
    Commented Sep 19, 2021 at 17:17
  • @SRaj when you assume a role you get a different AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN. These are tied to the role which is assumed, so AWS knows that a specific entity with that role wants to access a certain service. The ARN you get from the role which you want to assume; you get this by simply creating a new role which can be assumed afterwards.
    Commented Sep 20, 2021 at 11:08
  • Ok got it, but to get that role, my application must first authenticate using IAM credentials or a federated SSO. Is that so? Please let me know and I'll accept the answer once I'm clear.
    – SRaj
    Commented Sep 20, 2021 at 13:49
  • @SRaj Yes, indeed, your application must authenticate itself somehow first.
    Commented Sep 20, 2021 at 13:59
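An added example (not code from Ervin's answer or from the AWS documentation) that wires the two points above together with the AWS SDK for Java v2: the base identity comes from the default provider chain (for instance after `aws configure`), and the S3 client itself runs on short-lived credentials obtained by assuming a role, so no key is ever hard-coded. The role ARN, bucket name and region are placeholder assumptions, and the `s3` and `sts` SDK modules must be on the classpath.

```java
import java.nio.file.Path;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class S3UploadWithRole {
    // Assumed placeholder values; replace with your own role, bucket and region.
    static final String ROLE_ARN = "arn:aws:iam::123456789012:role/example-role";
    static final String BUCKET = "example-bucket";
    static final Region REGION = Region.US_EAST_1;

    /** Base identity: whatever the default chain finds (env vars, ~/.aws/credentials, ...). */
    static AwsCredentialsProvider baseCredentials() {
        return DefaultCredentialsProvider.create();
    }

    /** Temporary credentials for the role; the provider re-calls STS before they expire. */
    static AwsCredentialsProvider roleCredentials(AwsCredentialsProvider base) {
        StsClient sts = StsClient.builder().region(REGION).credentialsProvider(base).build();
        return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(AssumeRoleRequest.builder()
                        .roleArn(ROLE_ARN)
                        .roleSessionName("desktop-uploader")
                        .durationSeconds(900) // shortest session STS allows; keep it short
                        .build())
                .build();
    }

    /** Uploads one local file under the given object key using the assumed-role credentials. */
    static void upload(Path file, String key) {
        try (S3Client s3 = S3Client.builder()
                .region(REGION)
                .credentialsProvider(roleCredentials(baseCredentials()))
                .build()) {
            s3.putObject(PutObjectRequest.builder().bucket(BUCKET).key(key).build(),
                    RequestBody.fromFile(file));
        }
    }

    public static void main(String[] args) {
        Path file = Path.of(args[0]);
        upload(file, file.getFileName().toString());
    }
}
```

The role's trust policy must allow the base identity to assume it, and its permission policy should grant only s3:PutObject on the target bucket, so the long-lived key on the desktop never needs S3 rights of its own.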

When working with the AWS SDK for Java V2, refer to the AWS SDK for Java Developer Guide V2. This developer guide contains a lot of information that answers questions like this.

To learn how credentials work, please refer to this topic:

Using credentials

All AWS Examples in Github assume credentials are loaded from the credential file. As explained in the docs, the credentials file is located in

  • Windows - C:\Users\<yourUserName>\.aws\credentials
  • Linux, macOS, Unix - ~/.aws/credentials

See this topic that will show you how to get up and running using the Amazon S3 API, including setting up your credentials.

Get started with the AWS SDK for Java 2.x

The Amazon S3 Java API has methods like putObject that let you place objects into an Amazon S3 bucket.
