在使用AWS Service的过程中,经常需要给AWS Service发http请求进行交互,比如对DynamoDB的CURD操作,S3上传或者下载文件等等。这些请求发送出去之后AWS会对请求中包含的Credentials进行验证,只有通过验证之后才会进行相应的操作,这就保证了安全性。

AWS Credentials

AWS Credentials包含以下四部分内容:

{"AccessKeyId" : "*************","SecretAccessKey" : "*************************************","Token" : "***************************************************************************","Expiration" : "2021-11-12T10:51:36Z"
}

如何为AWS Java SDK提供AWS credentials

  • 使用默认的CredentialsProviderChain:DefaultAWSCredentialsProviderChain

    • 该方式时AWS官方推荐的方式

  • 使用某个具体的CredentialsProvider或者CredentialsProviderChain,也可以根据自己的需求创建自己的CredentialsProvider或者CredentialsProviderChain

  • 直接提供Credentials,Credentials可以是root账户的credentials,IAM用户的credentials,也可以是通过AWS STS服务获取到的temporary credentials

DefaultAWSCredentialsProviderChain

CredentialsProviderChain提供了四个CredentialsProvider:

  • EnvironmentVariableCredentialsProvider

    • 从操作系统环境变量中读取Credentials信息

      • AWS_ACCESS_KEY_ID
      • AWS_SECRET_ACCESS_KEY
      • AWS_SESSION_TOKEN
    • 不包含更新逻辑,,若token过期,需要自己主动对环境变量中的值进行更新
  • SystemPropertiesCredentialsProvider
    • 从java系统属性中读取Credentials信息

      • aws.accessKeyId
      • aws.secretKey
      • aws.sessionToken
    • 不包含更新逻辑,,若token过期,需要自己主动对java系统属性中的值进行更新
  • ProfileCredentialsProvider
    • 从~/.aws/credentials文件中读取Credentials信息
    • [default]
      aws_access_key_id = ***
      aws_secret_access_key = *************
      aws_session_token = ********************************
  • EC2ContainerCredentialsProviderWrapper
    • 如果设置了AWS_CONTAINER_CREDENTIALS_RELATIVE_URI或者AWS_CONTAINER_CREDENTIALS_FULL_URI环境变量,就使用Amazon EC2 container service分发给EC2的credentials

      • container credentials可以通过在EC2上向以下地址发送请求读取到:
      • http://169.254.170.2/${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}
      • ${AWS_CONTAINER_CREDENTIALS_FULL_URI}
    • 否则就使用Amazon EC2 metadata service分发的Instance profile credentials
      • Instance profile credentials可以通过在EC2上向以下地址发送请求读取到:
      • http://169.254.169.254/latest/meta-data/iam/security-credentials/${ec2_role}
package com.amazonaws.auth;import com.amazonaws.auth.profile.ProfileCredentialsProvider;/*** AWS credentials provider chain that looks for credentials in this order:* <ul>*   <li>Environment Variables -*      <code>AWS_ACCESS_KEY_ID</code> and <code>AWS_SECRET_ACCESS_KEY</code>*      (RECOMMENDED since they are recognized by all the AWS SDKs and CLI except for .NET),*      or <code>AWS_ACCESS_KEY</code> and <code>AWS_SECRET_KEY</code> (only recognized by Java SDK)*   </li>*   <li>Java System Properties - aws.accessKeyId and aws.secretKey</li>*   <li>Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI</li>*   <li>Credentials delivered through the Amazon EC2 container service if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" environment variable is set*   and security manager has permission to access the variable,</li>*   <li>Instance profile credentials delivered through the Amazon EC2 metadata service</li>* </ul>** @see EnvironmentVariableCredentialsProvider* @see SystemPropertiesCredentialsProvider* @see ProfileCredentialsProvider* @see EC2ContainerCredentialsProviderWrapper*/
public class DefaultAWSCredentialsProviderChain extends AWSCredentialsProviderChain {private static final DefaultAWSCredentialsProviderChain INSTANCE= new DefaultAWSCredentialsProviderChain();public DefaultAWSCredentialsProviderChain() {super(new EnvironmentVariableCredentialsProvider(),new SystemPropertiesCredentialsProvider(),new ProfileCredentialsProvider(),new EC2ContainerCredentialsProviderWrapper());}public static DefaultAWSCredentialsProviderChain getInstance() {return INSTANCE;}
}

AWSCredentialsProviderChain

package com.amazonaws.auth;import java.util.LinkedList;
import java.util.List;import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;import com.amazonaws.SdkClientException;/*** {@link AWSCredentialsProvider} implementation that chains together multiple* credentials providers. When a caller first requests credentials from this provider,* it calls all the providers in the chain, in the original order specified,* until one can provide credentials, and then returns those credentials. If all* of the credential providers in the chain have been called, and none of them* can provide credentials, then this class will throw an exception indicated* that no credentials are available.* <p>* By default, this class will remember the first credentials provider in the chain* that was able to provide credentials, and will continue to use that provider when* credentials are requested in the future, instead of traversing the chain each time.* This behavior can be controlled through the {@link #setReuseLastProvider(boolean)} method.*/
public class AWSCredentialsProviderChain implements AWSCredentialsProvider {private static final Log log = LogFactory.getLog(AWSCredentialsProviderChain.class);private final List<AWSCredentialsProvider> credentialsProviders =new LinkedList<AWSCredentialsProvider>();private boolean reuseLastProvider = true;private AWSCredentialsProvider lastUsedProvider;/*** Constructs a new AWSCredentialsProviderChain with the specified credential providers. When* credentials are requested from this provider, it will call each of these credential providers* in the same order specified here until one of them returns AWS security credentials.** @param credentialsProviders*            The chain of credentials providers.*/public AWSCredentialsProviderChain(List<? extends AWSCredentialsProvider> credentialsProviders) {if (credentialsProviders == null || credentialsProviders.size() == 0) {throw new IllegalArgumentException("No credential providers specified");}this.credentialsProviders.addAll(credentialsProviders);}/*** Constructs a new AWSCredentialsProviderChain with the specified credential providers. When* credentials are requested from this provider, it will call each of these credential providers* in the same order specified here until one of them returns AWS security credentials.** @param credentialsProviders*            The chain of credentials providers.*/public AWSCredentialsProviderChain(AWSCredentialsProvider... credentialsProviders) {if (credentialsProviders == null || credentialsProviders.length == 0) {throw new IllegalArgumentException("No credential providers specified");}for (AWSCredentialsProvider provider : credentialsProviders) {this.credentialsProviders.add(provider);}}/*** Returns true if this chain will reuse the last successful credentials* provider for future credentials requests, otherwise, false if it will* search through the chain each time.** @return True if this chain will reuse the last successful credentials*         provider for future credentials requests.*/public boolean getReuseLastProvider() {return reuseLastProvider;}/*** Enables or disables caching of the last successful credentials provider* in this chain. Reusing the last successful credentials provider will* typically return credentials faster than searching through the chain.** @param b*            Whether to enable or disable reusing the last successful*            credentials provider for future credentials requests instead*            of searching through the whole chain.*/public void setReuseLastProvider(boolean b) {this.reuseLastProvider = b;}@Overridepublic AWSCredentials getCredentials() {if (reuseLastProvider && lastUsedProvider != null) {return lastUsedProvider.getCredentials();}List<String> exceptionMessages = null;for (AWSCredentialsProvider provider : credentialsProviders) {try {AWSCredentials credentials = provider.getCredentials();if (credentials.getAWSAccessKeyId() != null &&credentials.getAWSSecretKey() != null) {log.debug("Loading credentials from " + provider.toString());lastUsedProvider = provider;return credentials;}} catch (Exception e) {// Ignore any exceptions and move onto the next providerString message = provider + ": " + e.getMessage();log.debug("Unable to load credentials from " + message);if (exceptionMessages == null) {exceptionMessages = new LinkedList<String>();}exceptionMessages.add(message);}}throw new SdkClientException("Unable to load AWS credentials from any provider in the chain: "+ exceptionMessages);}@Overridepublic void refresh() {for (AWSCredentialsProvider provider : credentialsProviders) {provider.refresh();}}
}

EnvironmentVariableCredentialsProvider

package com.amazonaws.auth;import static com.amazonaws.SDKGlobalConfiguration.ACCESS_KEY_ENV_VAR;
import static com.amazonaws.SDKGlobalConfiguration.ALTERNATE_ACCESS_KEY_ENV_VAR;
import static com.amazonaws.SDKGlobalConfiguration.ALTERNATE_SECRET_KEY_ENV_VAR;
import static com.amazonaws.SDKGlobalConfiguration.AWS_SESSION_TOKEN_ENV_VAR;
import static com.amazonaws.SDKGlobalConfiguration.SECRET_KEY_ENV_VAR;import com.amazonaws.SdkClientException;
import com.amazonaws.util.StringUtils;/*** {@link AWSCredentialsProvider} implementation that provides credentials by looking at the: <code>AWS_ACCESS_KEY_ID</code> (or* <code>AWS_ACCESS_KEY</code>) and <code>AWS_SECRET_KEY</code> (or <code>AWS_SECRET_ACCESS_KEY</code>) environment variables. If* the <code>AWS_SESSION_TOKEN</code> environment variable is also set then temporary credentials will be used.*/
public class EnvironmentVariableCredentialsProvider implements AWSCredentialsProvider {@Overridepublic AWSCredentials getCredentials() {String accessKey = System.getenv(ACCESS_KEY_ENV_VAR);if (accessKey == null) {accessKey = System.getenv(ALTERNATE_ACCESS_KEY_ENV_VAR);}String secretKey = System.getenv(SECRET_KEY_ENV_VAR);if (secretKey == null) {secretKey = System.getenv(ALTERNATE_SECRET_KEY_ENV_VAR);}accessKey = StringUtils.trim(accessKey);secretKey = StringUtils.trim(secretKey);String sessionToken = StringUtils.trim(System.getenv(AWS_SESSION_TOKEN_ENV_VAR));if (StringUtils.isNullOrEmpty(accessKey) || StringUtils.isNullOrEmpty(secretKey)) {throw new SdkClientException("Unable to load AWS credentials from environment variables " +"(" + ACCESS_KEY_ENV_VAR + " (or " + ALTERNATE_ACCESS_KEY_ENV_VAR + ") and " +SECRET_KEY_ENV_VAR + " (or " + ALTERNATE_SECRET_KEY_ENV_VAR + "))");}return sessionToken == null ?new BasicAWSCredentials(accessKey, secretKey):new BasicSessionCredentials(accessKey, secretKey, sessionToken);}@Overridepublic void refresh() {}@Overridepublic String toString() {return getClass().getSimpleName();}
}

SystemPropertiesCredentialsProvider

package com.amazonaws.auth;import static com.amazonaws.SDKGlobalConfiguration.ACCESS_KEY_SYSTEM_PROPERTY;
import static com.amazonaws.SDKGlobalConfiguration.SECRET_KEY_SYSTEM_PROPERTY;
import static com.amazonaws.SDKGlobalConfiguration.SESSION_TOKEN_SYSTEM_PROPERTY;import com.amazonaws.SdkClientException;
import com.amazonaws.util.StringUtils;/*** {@link AWSCredentialsProvider} implementation that provides credentials by* looking at the <code>aws.accessKeyId</code> and <code>aws.secretKey</code>* Java system properties.*/
public class SystemPropertiesCredentialsProvider implements AWSCredentialsProvider {@Overridepublic AWSCredentials getCredentials() {String accessKey = StringUtils.trim(System.getProperty(ACCESS_KEY_SYSTEM_PROPERTY));String secretKey = StringUtils.trim(System.getProperty(SECRET_KEY_SYSTEM_PROPERTY));String sessionToken = StringUtils.trim(System.getProperty(SESSION_TOKEN_SYSTEM_PROPERTY));if (StringUtils.isNullOrEmpty(accessKey) || StringUtils.isNullOrEmpty(secretKey)) {throw new SdkClientException("Unable to load AWS credentials from Java system "+ "properties (" + ACCESS_KEY_SYSTEM_PROPERTY + " and "+ SECRET_KEY_SYSTEM_PROPERTY + ")");}if (StringUtils.isNullOrEmpty(sessionToken)) {return new BasicAWSCredentials(accessKey, secretKey);} else {return new BasicSessionCredentials(accessKey, secretKey, sessionToken);}}@Overridepublic void refresh() {}@Overridepublic String toString() {return getClass().getSimpleName();}
}

ProfileCredentialsProvider

package com.amazonaws.auth.profile;import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.profile.internal.AwsProfileNameLoader;import java.util.concurrent.Semaphore;/*** Credentials provider based on AWS configuration profiles. This provider vends AWSCredentials from* the profile configuration file for the default profile, or for a specific, named profile. <p> AWS* credential profiles allow you to share multiple sets of AWS security credentials between* different tools like the AWS SDK for Java and the AWS CLI. <p> See* http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html** @see ProfilesConfigFile*/
public class ProfileCredentialsProvider implements AWSCredentialsProvider {/*** Default refresh interval*/private static final long DEFAULT_REFRESH_INTERVAL_NANOS = 5 * 60 * 1000 * 1000 * 1000L;/*** Default force reload interval*/private static final long DEFAULT_FORCE_RELOAD_INTERVAL_NANOS =2 * DEFAULT_REFRESH_INTERVAL_NANOS;/*** The credential profiles file from which this provider loads the security credentials. Lazily* loaded by the double-check idiom.*/private volatile ProfilesConfigFile profilesConfigFile;/*** When the profiles file was last refreshed.*/private volatile long lastRefreshed;/*** The name of the credential profile*/private final String profileName;/*** Used to have only one thread block on refresh, for applications making at least one call* every REFRESH_INTERVAL_NANOS.*/private final Semaphore refreshSemaphore = new Semaphore(1);/*** Refresh interval. Defaults to {@link #DEFAULT_REFRESH_INTERVAL_NANOS}*/private long refreshIntervalNanos = DEFAULT_REFRESH_INTERVAL_NANOS;/*** Force reload interval. Defaults to {@link #DEFAULT_FORCE_RELOAD_INTERVAL_NANOS}*/private long refreshForceIntervalNanos = DEFAULT_FORCE_RELOAD_INTERVAL_NANOS;/*** Creates a new profile credentials provider that returns the AWS security credentials* configured for the default profile. Loading the credential file is deferred until the* getCredentials() method is called.*/public ProfileCredentialsProvider() {this(null);}/*** Creates a new profile credentials provider that returns the AWS security credentials* configured for the named profile. Loading the credential file is deferred until the* getCredentials() method is called.** @param profileName The name of a local configuration profile.*/public ProfileCredentialsProvider(String profileName) {this((ProfilesConfigFile) null, profileName);}/*** Creates a new profile credentials provider that returns the AWS security credentials for the* specified profiles configuration file and profile name.** @param profilesConfigFilePath The file path where the profile configuration file is located.* @param profileName            The name of a configuration profile in the specified*                               configuration file.*/public ProfileCredentialsProvider(String profilesConfigFilePath, String profileName) {this(new ProfilesConfigFile(profilesConfigFilePath), profileName);}/*** Creates a new profile credentials provider that returns the AWS security credentials for the* specified profiles configuration file and profile name.** @param profilesConfigFile The profile configuration file containing the profiles used by this*                           credentials provider or null to defer load to first use.* @param profileName        The name of a configuration profile in the specified configuration*                           file.*/public ProfileCredentialsProvider(ProfilesConfigFile profilesConfigFile, String profileName) {this.profilesConfigFile = profilesConfigFile;if (this.profilesConfigFile != null) {this.lastRefreshed = System.nanoTime();}if (profileName == null) {this.profileName = AwsProfileNameLoader.INSTANCE.loadProfileName();} else {this.profileName = profileName;}}@Overridepublic AWSCredentials getCredentials() {if (profilesConfigFile == null) {synchronized (this) {if (profilesConfigFile == null) {profilesConfigFile = new ProfilesConfigFile();lastRefreshed = System.nanoTime();}}}// Periodically check if the file on disk has been modified// since we last read it.//// For active applications, only have one thread block.// For applications that use this method in bursts, ensure the// credentials are never too stale.long now = System.nanoTime();long age = now - lastRefreshed;if (age > refreshForceIntervalNanos) {refresh();} else if (age > refreshIntervalNanos) {if (refreshSemaphore.tryAcquire()) {try {refresh();} finally {refreshSemaphore.release();}}}return profilesConfigFile.getCredentials(profileName);}@Overridepublic void refresh() {if (profilesConfigFile != null) {profilesConfigFile.refresh();lastRefreshed = System.nanoTime();}}/*** Gets the refresh interval in nanoseconds.** @return nanoseconds*/public long getRefreshIntervalNanos() {return refreshIntervalNanos;}/*** Sets the refresh interval in nanoseconds.** @param refreshIntervalNanos nanoseconds*/public void setRefreshIntervalNanos(long refreshIntervalNanos) {this.refreshIntervalNanos = refreshIntervalNanos;}/*** Gets the forced refresh interval in nanoseconds.** @return nanoseconds*/public long getRefreshForceIntervalNanos() {return refreshForceIntervalNanos;}/*** Sets the forced refresh interval in nanoseconds.*/public void setRefreshForceIntervalNanos(long refreshForceIntervalNanos) {this.refreshForceIntervalNanos = refreshForceIntervalNanos;}
}

EC2ContainerCredentialsProviderWrapper

package com.amazonaws.auth;import static com.amazonaws.auth.ContainerCredentialsProvider.CONTAINER_CREDENTIALS_FULL_URI;
import static com.amazonaws.auth.ContainerCredentialsProvider.ECS_CONTAINER_CREDENTIALS_PATH;import com.amazonaws.auth.ContainerCredentialsProvider.ECSCredentialsEndpointProvider;
import com.amazonaws.auth.ContainerCredentialsProvider.FullUriCredentialsEndpointProvider;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;/*** <p>* {@link AWSCredentialsProvider} that loads credentials from an Amazon Container (e.g. EC2)** Credentials are solved in the following order:* <ol>*     <li>*         If environment variable "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" is*         set (typically on EC2) it is used to hit the metadata service at the following endpoint: http://169.254.170.2*     </li>*     <li>*         If environment variable "AWS_CONTAINER_CREDENTIALS_FULL_URI" is*         set it is used to hit a metadata service at that URI. <br/> Optionally an authorization token can be included*         in the "Authorization" header of the request by setting the "AWS_CONTAINER_AUTHORIZATION_TOKEN" environment variable.*     </li>*     <li>*         If neither of the above environment variables are specified credentials are attempted to be loaded from Amazon EC2*         Instance Metadata Service using the {@link InstanceProfileCredentialsProvider}.*     </li>* </ol>*/
public class EC2ContainerCredentialsProviderWrapper implements AWSCredentialsProvider {private static final Log LOG = LogFactory.getLog(EC2ContainerCredentialsProviderWrapper.class);private final AWSCredentialsProvider provider;public EC2ContainerCredentialsProviderWrapper() {provider = initializeProvider();}private AWSCredentialsProvider initializeProvider() {try {if (System.getenv(ECS_CONTAINER_CREDENTIALS_PATH) != null) {return new ContainerCredentialsProvider(new ECSCredentialsEndpointProvider());}if (System.getenv(CONTAINER_CREDENTIALS_FULL_URI) != null) {return new ContainerCredentialsProvider(new FullUriCredentialsEndpointProvider());}return InstanceProfileCredentialsProvider.getInstance();} catch (SecurityException securityException) {LOG.debug("Security manager did not allow access to the ECS credentials environment variable " + ECS_CONTAINER_CREDENTIALS_PATH +"or the container full URI environment variable " + CONTAINER_CREDENTIALS_FULL_URI+ ". Please provide access to this environment variable if you want to load credentials from ECS Container.");return InstanceProfileCredentialsProvider.getInstance();}}@Overridepublic AWSCredentials getCredentials() {return provider.getCredentials();}@Overridepublic void refresh() {provider.refresh();}
}

ContainerCredentialsProvider

package com.amazonaws.auth;import com.amazonaws.SdkClientException;
import com.amazonaws.internal.CredentialsEndpointProvider;
import com.amazonaws.retry.internal.CredentialsEndpointRetryPolicy;
import com.amazonaws.util.CollectionUtils;import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;/*** <p>* {@link AWSCredentialsProvider} implementation that loads credentials* from an Amazon Elastic Container.* </p>* <p>* By default, the URI path is retrieved from the environment variable* "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" in the container's environment.* </p>*/
public class ContainerCredentialsProvider implements AWSCredentialsProvider {/** Environment variable to get the Amazon ECS credentials resource path. */static final String ECS_CONTAINER_CREDENTIALS_PATH = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";/** Environment variable to get the full URI for a credentials path */static final String CONTAINER_CREDENTIALS_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";static final String CONTAINER_AUTHORIZATION_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";private static final Set<String> ALLOWED_FULL_URI_HOSTS = allowedHosts();/** Default endpoint to retreive the Amazon ECS Credentials. */private static final String ECS_CREDENTIALS_ENDPOINT = "http://169.254.170.2";private final EC2CredentialsFetcher credentialsFetcher;/*** @deprecated use {@link #ContainerCredentialsProvider(CredentialsEndpointProvider)}*/@Deprecatedpublic ContainerCredentialsProvider() {this(new ECSCredentialsEndpointProvider());}public ContainerCredentialsProvider(CredentialsEndpointProvider credentialsEndpointProvider) {this.credentialsFetcher = new EC2CredentialsFetcher(credentialsEndpointProvider);}@Overridepublic AWSCredentials getCredentials() {return credentialsFetcher.getCredentials();}@Overridepublic void refresh() {credentialsFetcher.refresh();}public Date getCredentialsExpiration() {return credentialsFetcher.getCredentialsExpiration();}static class ECSCredentialsEndpointProvider extends CredentialsEndpointProvider {@Overridepublic URI getCredentialsEndpoint() throws URISyntaxException {String path = System.getenv(ECS_CONTAINER_CREDENTIALS_PATH);if (path == null) {throw new SdkClientException("The environment variable " + ECS_CONTAINER_CREDENTIALS_PATH + " is empty");}return new URI(ECS_CREDENTIALS_ENDPOINT + path);}@Overridepublic CredentialsEndpointRetryPolicy getRetryPolicy() {return ContainerCredentialsRetryPolicy.getInstance();}}/*** A URI resolver that uses environment variable {@value CONTAINER_CREDENTIALS_FULL_URI} as the URI* for the metadata service.* Optionally an authorization token can be provided using the {@value CONTAINER_AUTHORIZATION_TOKEN} environment variable.*/static class FullUriCredentialsEndpointProvider extends CredentialsEndpointProvider {@Overridepublic URI getCredentialsEndpoint() throws URISyntaxException {String fullUri = System.getenv(CONTAINER_CREDENTIALS_FULL_URI);if (fullUri == null || fullUri.length() == 0) {throw new SdkClientException("The environment variable " + CONTAINER_CREDENTIALS_FULL_URI + " is empty");}URI uri = new URI(fullUri);if (!ALLOWED_FULL_URI_HOSTS.contains(uri.getHost())) {throw new SdkClientException("The full URI (" + uri + ") contained withing environment variable " +CONTAINER_CREDENTIALS_FULL_URI + " has an invalid host. Host can only be one of [" +CollectionUtils.join(ALLOWED_FULL_URI_HOSTS, ", ") + "]");}return uri;}@Overridepublic Map<String, String> getHeaders() {if (System.getenv(CONTAINER_AUTHORIZATION_TOKEN) != null) {return Collections.singletonMap("Authorization", System.getenv(CONTAINER_AUTHORIZATION_TOKEN));}return new HashMap<String, String>();}}private static Set<String> allowedHosts() {HashSet<String> hosts = new HashSet<String>();hosts.add("127.0.0.1");hosts.add("localhost");return Collections.unmodifiableSet(hosts);}}

InstanceProfileCredentialsProvider

package com.amazonaws.auth;import com.amazonaws.AmazonClientException;
import com.amazonaws.SDKGlobalConfiguration;
import com.amazonaws.SdkClientException;
import com.amazonaws.internal.CredentialsEndpointProvider;
import com.amazonaws.internal.EC2CredentialsUtils;
import com.amazonaws.util.EC2MetadataUtils;
import java.io.Closeable;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;/*** Credentials provider implementation that loads credentials from the Amazon EC2 Instance Metadata Service.** <p>When using {@link InstanceProfileCredentialsProvider} with asynchronous refreshing it is* <b>strongly</b> recommended to explicitly call {@link #close()} to release the async thread.</p>*/
public class InstanceProfileCredentialsProvider implements AWSCredentialsProvider, Closeable {private static final Log LOG = LogFactory.getLog(InstanceProfileCredentialsProvider.class);/*** The wait time, after which the background thread initiates a refresh to* load latest credentials if needed.*/private static final int ASYNC_REFRESH_INTERVAL_TIME_MINUTES = 1;/*** The default InstanceProfileCredentialsProvider that can be shared by* multiple CredentialsProvider instance threads to shrink the amount of* requests to EC2 metadata service.*/private static final InstanceProfileCredentialsProvider INSTANCE = new InstanceProfileCredentialsProvider();private final EC2CredentialsFetcher credentialsFetcher;/*** The executor service used for refreshing the credentials in the* background.*/private volatile ScheduledExecutorService executor;private volatile boolean shouldRefresh = false;/*** @deprecated for the singleton method {@link #getInstance()}.*/@Deprecatedpublic InstanceProfileCredentialsProvider() {this(false);}/*** Spins up a new thread to refresh the credentials asynchronously if* refreshCredentialsAsync is set to true, otherwise the credentials will be* refreshed from the instance metadata service synchronously,** <p>It is <b>strongly</b> recommended to reuse instances of this credentials provider, especially* when async refreshing is used since a background thread is created.</p>** @param refreshCredentialsAsync*            true if credentials needs to be refreshed asynchronously else*            false.*/public InstanceProfileCredentialsProvider(boolean refreshCredentialsAsync) {this(refreshCredentialsAsync, true);}/*** Spins up a new thread to refresh the credentials asynchronously.** <p>It is <b>strongly</b> recommended to reuse instances of this credentials provider, especially* when async refreshing is used since a background thread is created.</p>** @param eagerlyRefreshCredentialsAsync*            when set to false will not attempt to refresh credentials asynchronously*            until after a call has been made to {@link #getCredentials()} - ensures that*            {@link EC2CredentialsFetcher#getCredentials()} is only hit when this CredentialProvider is actually required*/public static InstanceProfileCredentialsProvider createAsyncRefreshingProvider(final boolean eagerlyRefreshCredentialsAsync) {return new InstanceProfileCredentialsProvider(true, eagerlyRefreshCredentialsAsync);}private InstanceProfileCredentialsProvider(boolean refreshCredentialsAsync, final boolean eagerlyRefreshCredentialsAsync) {credentialsFetcher = new EC2CredentialsFetcher(new InstanceMetadataCredentialsEndpointProvider());if (!SDKGlobalConfiguration.isEc2MetadataDisabled()) {if (refreshCredentialsAsync) {executor = Executors.newScheduledThreadPool(1);executor.scheduleWithFixedDelay(new Runnable() {@Overridepublic void run() {try {if (shouldRefresh) credentialsFetcher.getCredentials();} catch (AmazonClientException ace) {handleError(ace);} catch (RuntimeException re) {handleError(re);}}}, 0, ASYNC_REFRESH_INTERVAL_TIME_MINUTES, TimeUnit.MINUTES);}}}/*** Returns a singleton {@link InstanceProfileCredentialsProvider} that does not refresh credentials asynchronously.** <p>* See {@link #InstanceProfileCredentialsProvider(boolean)} or {@link #createAsyncRefreshingProvider(boolean)} for* asynchronous credentials refreshing.* </p>*/public static InstanceProfileCredentialsProvider getInstance() {return INSTANCE;}private void handleError(Throwable t) {refresh();LOG.error(t.getMessage(), t);}@Overrideprotected void finalize() throws Throwable {if (executor != null) {executor.shutdownNow();}}/*** {@inheritDoc}** @throws AmazonClientException if {@link SDKGlobalConfiguration#isEc2MetadataDisabled()} is true*/@Overridepublic AWSCredentials getCredentials() {if (SDKGlobalConfiguration.isEc2MetadataDisabled()) {throw new AmazonClientException("AWS_EC2_METADATA_DISABLED is set to true, not loading credentials from EC2 Instance "+ "Metadata service");}AWSCredentials creds = credentialsFetcher.getCredentials();shouldRefresh = true;return creds;}@Overridepublic void refresh() {if (credentialsFetcher != null) {credentialsFetcher.refresh();}}@Overridepublic void close() throws IOException {if (executor != null) {executor.shutdownNow();executor = null;}}private static class InstanceMetadataCredentialsEndpointProvider extends CredentialsEndpointProvider {@Overridepublic URI getCredentialsEndpoint() throws URISyntaxException, IOException {String host = EC2MetadataUtils.getHostAddressForEC2MetadataService();String securityCredentialsList = EC2CredentialsUtils.getInstance().readResource(new URI(host + EC2MetadataUtils.SECURITY_CREDENTIALS_RESOURCE));String[] securityCredentials = securityCredentialsList.trim().split("\n");if (securityCredentials.length == 0) {throw new SdkClientException("Unable to load credentials path");}return new URI(host + EC2MetadataUtils.SECURITY_CREDENTIALS_RESOURCE + securityCredentials[0]);}}
}

AWS Credentials相关推荐

  1. docker使用mongo_如何使用Docker在AWS上部署Mongo:初学者的权威指南

    docker使用mongo 为什么需要这个? (Why you need this?) 因为JS + Python + Mongo =完整的数据开发 (Because JS + Python + Mo ...

  2. aws lambda使用_如何使用AWS Lambda和S3构建无服务器URL缩短器

    aws lambda使用 by Daniel Ireson 丹尼尔·埃里森(Daniel Ireson) 如何使用AWS Lambda和S3构建无服务器URL缩短器 (How to build a S ...

  3. php上传照片到s3云服务器,PHP上传文件到AWS S3生成下载文件URL

    * 加载s3客户端 * @return string*/ functionAWS_S3Client(){$ACCESS_KEY_ID = '你的s3 ID';$SECRET_ACCESS_KEY = ...

  4. aws lambda_通过Spring将AWS SQS用作JMS提供程序

    aws lambda 最近AWS公布了新的客户端库,它实现了JMS 1.1规范,并使用他们的简单队列服务(SQS)作为JMS提供者(见杰夫·巴尔的帖子 在这里). 在我的文章中,我将向您展示如何设置M ...

  5. AWS服务器自动化迁移工具指南

    当大家希望将本地的VMware或Hyper-V的基础架构迁移上云,可以参考本地资源的上云的向导,当然也可以使用AWS SMS的服务,进行本地服务器的自动迁移服务,第一自动实时的将服务器增量复制到AWS ...

  6. aws搭建java项目_AWS下S3之java开发

    记住一定要在本地生成证书确保S3权限(~/.aws/credentials)(C:\Users\USERNAME.aws\credentials)格式如下: image.png 另外在开发前,一定要在 ...

  7. aws cloud map_销毁AWS资源:Cloud-Nuke还是AWS-Nuke?

    aws cloud map 因此,您在开发帐户上工作,并且Terraform陷入了一个循环,难道不让您轻易销毁剩余资源吗? 进入nuke CLI的世界! 在撰写本文时,我使用的是v0.1.16版本 用 ...

  8. aws lambda使用_使用AWS Lambdas扩展技术堆栈

    aws lambda使用 面对现实吧. 调试性能问题很困难,但是更难解决. 假设您发现了有害的代码,这些代码正在拖慢您的应用的运行速度. 最终会有一段时间,您发现此代码减速是同步的或线性执行的. 解决 ...

  9. aws sqs_在Spring中将AWS SQS用作JMS提供程序

    aws sqs 最近AWS公布了新的客户端库,它实现了JMS 1.1规范 ,并使用他们的简单队列服务 (SQS)作为JMS提供者 (见杰夫·巴尔的帖子在这里 ). 在我的文章中,我将向您展示如何设置M ...

  10. 销毁AWS资源:Cloud-Nuke还是AWS-Nuke?

    因此,您在开发帐户上工作,并且Terraform陷入了一个循环,难道不让您轻易销毁剩余资源吗? 进入nuke CLI的世界! 在撰写本文时,我使用的是v0.1.16版 用Go语言编写的< Gru ...

最新文章

  1. parsing:NLP之chart parser句法分析器
  2. bulma.css_如何建立一个? 具有Bulma CSS的特斯拉响应页面
  3. Flink从入门到精通100篇(二)-在Linux中完整安装flink并做Flink文件的配置
  4. SSDT表的遍历(源码)
  5. html课做一个网页,菜鸟自学建站 HTML 第三课 制作我的第一个网页_html/css_WEB-ITnose...
  6. npm install出现问题:run 'npm audit fix' to fix them, or 'npm audit' for details(安装babel)
  7. mysql视频第一课_MYSQL 第一课
  8. 第 1 章 MySQL 的架构介绍
  9. 天空的颜色 363
  10. 原生小说APP源码,可二次开发,小说阅读,四端互通:android端,ios端,h5端,公众号端
  11. C++学习第九课--类的成员函数、对象复制与私有成员笔记
  12. win10无网络安装.Net Framework3.5
  13. 计算机图形学-二维图形的裁剪
  14. XPAND恩帝泵800克健美补充剂,脂肪燃烧,激素原
  15. linux命令 移动/复制文件/目录到指定目录下
  16. HTML5期末大作业:网站——仿游戏官网(龙之谷)HTML+CSS+JavaScript
  17. 2016年8月6日 星期六 --出埃及记 Exodus 16:6
  18. Cloud一分钟 |周小川回应数字货币; 易到高管内讧风波未停;恒大健康回应FF员工诉讼...
  19. [转]index.dat文件剖析
  20. python一键抠图

热门文章

  1. python设计报告的前言怎么写_前  言_Python语言程序设计_红黑联盟读书频道
  2. C# 将raw格式的二进制灰度图像转为正常位图格式
  3. tumblr_使用Tumblr创建美丽且易于更新的博客
  4. 西电计算机学院专硕复试成绩,2018年西安电子科技大学硕士研究生招生统考考生拟录取名单公示...
  5. CFA一级学习笔记--衍生品(二)--定价与估值
  6. 门外汉掌握数据分析处理技术的路线图
  7. JAVA|大小写英文字母表
  8. Oracle前期准备
  9. 超声波测深仪工作原理
  10. 2019年中总结之说走就走