All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.amazonaws.auth.STSSessionCredentialsProvider Maven / Gradle / Ivy

Go to download

The AWS Java SDK for AWS STS module holds the client classes that are used for communicating with AWS Security Token Service

The newest version!
/*
 * Copyright 2011-2024 Amazon Technologies, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *    http://aws.amazon.com/apache2.0
 *
 * This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
 * OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and
 * limitations under the License.
 */

package com.amazonaws.auth;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.annotation.ThreadSafe;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
import com.amazonaws.services.securitytoken.model.GetSessionTokenResult;
import java.io.Closeable;
import java.util.concurrent.Callable;

/**
 * AWSCredentialsProvider implementation that uses the AWS Security Token Service to create
 * temporary, short-lived sessions to use for authentication.
 *
 * This credentials provider uses a background thread to refresh credentials. This background thread can be shut down via the
 * {@link #close()} method when the credentials provider is no longer used.
 *
 * 

* Migrating to the AWS SDK for Java v2 *

* The v2 equivalent of this class is * StsGetSessionTokenCredentialsProvider * *

* See Migration Guide * for more information. */ @ThreadSafe public class STSSessionCredentialsProvider implements AWSSessionCredentialsProvider, Closeable { private static final String PROVIDER_NAME = "STSSessionCredentialsProvider"; /** * Default duration for started sessions */ public static final int DEFAULT_DURATION_SECONDS = 3600; /** * The client for starting STS sessions */ private final AWSSecurityTokenService securityTokenService; private final Callable refreshCallable = new Callable() { @Override public SessionCredentialsHolder call() throws Exception { return newSession(); } }; /** * Handles the refreshing of sessions. Ideally this should be final but #setSTSClientEndpoint * forces us to create a new one. */ private volatile RefreshableTask refreshableTask; /** * Constructs a new STSSessionCredentialsProvider, which will use the specified long lived AWS * credentials to make a request to the AWS Security Token Service (STS) to request short lived * session credentials, which will then be returned by this class's {@link #getCredentials()} * method. * * @param longLivedCredentials The main AWS credentials for a user's account. */ public STSSessionCredentialsProvider(AWSCredentials longLivedCredentials) { this(longLivedCredentials, new ClientConfiguration()); } /** * Constructs a new STSSessionCredentialsProvider, which will use the specified long lived AWS * credentials to make a request to the AWS Security Token Service (STS) to request short lived * session credentials, which will then be returned by this class's {@link #getCredentials()} * method. * * @param longLivedCredentials The main AWS credentials for a user's account. * @param clientConfiguration Client configuration connection parameters. */ public STSSessionCredentialsProvider(AWSCredentials longLivedCredentials, ClientConfiguration clientConfiguration) { this(new AWSSecurityTokenServiceClient(longLivedCredentials, clientConfiguration)); } /** * Constructs a new STSSessionCredentialsProvider, which will use the specified credentials * provider (which vends long lived AWS credentials) to make a request to the AWS Security Token * Service (STS) to request short lived session credentials, which will then be returned by this * class's {@link #getCredentials()} method. * * @param longLivedCredentialsProvider Credentials provider for the main AWS credentials for a * user's account. */ public STSSessionCredentialsProvider(AWSCredentialsProvider longLivedCredentialsProvider) { this(new AWSSecurityTokenServiceClient(longLivedCredentialsProvider)); } /** * Constructs a new STSSessionCredentialsProvider, which will use the specified credentials * provider (which vends long lived AWS credentials) to make a request to the AWS Security Token * Service (STS) to request short lived session credentials, which will then be returned by this * class's {@link #getCredentials()} method. * * @param longLivedCredentialsProvider Credentials provider for the main AWS credentials for a * user's account. * @param clientConfiguration Client configuration connection parameters. */ public STSSessionCredentialsProvider(AWSCredentialsProvider longLivedCredentialsProvider, ClientConfiguration clientConfiguration) { this(new AWSSecurityTokenServiceClient(longLivedCredentialsProvider, clientConfiguration)); } private RefreshableTask createRefreshableTask() { return new RefreshableTask.Builder() .withRefreshCallable(refreshCallable) .withBlockingRefreshPredicate(new ShouldDoBlockingSessionRefresh()) .withAsyncRefreshPredicate(new ShouldDoAsyncSessionRefresh()).build(); } /** * Constructs a new STSSessionCredentialsProvider with the alredy configured STS client. * * @param sts Preconfigured STS client to use for this provider */ public STSSessionCredentialsProvider(AWSSecurityTokenService sts) { this.securityTokenService = sts; this.refreshableTask = createRefreshableTask(); } /** * Sets the AWS Security Token Service (STS) endpoint where session credentials are retrieved * from.

The default AWS Security Token Service (STS) endpoint ("sts.amazonaws.com") * works for all accounts that are not for China (Beijing) region or GovCloud. You only need to * change the endpoint to "sts.cn-north-1.amazonaws.com.cn" when you are requesting session * credentials for services in China(Beijing) region or "sts.us-gov-west-1.amazonaws.com" for * GovCloud.

Setting this invalidates existing session credentials. Calling this method * will temporarily cause getCredentials() to block until a new session is fetched from the STS * service. * * @deprecated This method may be removed in a future major version. Create multiple providers * if you need to work with multiple STS endpoints. */ @Deprecated public synchronized void setSTSClientEndpoint(String endpoint) { securityTokenService.setEndpoint(endpoint); // Create a new task rather then trying to synchronize this in the refreshable task this.refreshableTask = createRefreshableTask(); } /** * Method will return valid session credentials or throw an AmazonClientException due to STS * service time-out or thread interruption. The first call will block until valid session * credentials are fetched. Subsequent calls will re-use fetched credentials that are still * valid. Expiring credentials are automatically refreshed via a background thread. Multiple * threads may call this method concurrently without causing simultaneous network calls to the * STS service. Care has been taken to resist Throttling exceptions. */ @Override public AWSSessionCredentials getCredentials() { return refreshableTask.getValue().getSessionCredentials(); } /** * Force refresh of session credentials. A decision to use this method should be made * judiciously since this class automatically manages refreshing expiring credentials limiting * its usefulness. Calling this method may temporarily cause getCredentials() to block until a * new session is fetched from the STS service. */ @Override public void refresh() { refreshableTask.forceGetValue(); } private SessionCredentialsHolder newSession() { GetSessionTokenResult sessionTokenResult = securityTokenService.getSessionToken( new GetSessionTokenRequest().withDurationSeconds(DEFAULT_DURATION_SECONDS)); return new SessionCredentialsHolder(sessionTokenResult.getCredentials(), PROVIDER_NAME); } /** * Shut down this credentials provider, shutting down the thread that performs asynchronous credential refreshing. This * should not be invoked if the credentials provider is still in use by an AWS client. */ @Override public void close() { refreshableTask.close(); } }




© 2015 - 2025 Weber Informatics LLC | Privacy Policy