software.amazon.awssdk.auth.credentials.AwsCredentialsProvider Java Examples

private String getS3Url(String objectKey) {
    AwsCredentialsProvider credentialsProvider = StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey));
    S3Presigner preSigner = S3Presigner.builder()
            .credentialsProvider(credentialsProvider)
            .endpointOverride(URI.create(endpoint))
            .region(clientRegion).build();
    GetObjectRequest getObjectRequest = GetObjectRequest.builder()
            .bucket(bucketName)
            .key(objectKey)
            .build();
    GetObjectPresignRequest getObjectPresignRequest = GetObjectPresignRequest.builder()
            .getObjectRequest(getObjectRequest).signatureDuration(Duration.ofDays(7)).build();
    PresignedGetObjectRequest presignedGetObjectRequest = preSigner.presignGetObject(getObjectPresignRequest);
    String url = presignedGetObjectRequest.url().toString();
    preSigner.close();
    return url;
}
 

private String getSecret(String[] arnTokens) throws IOException {
  String region = arnTokens[Arn.region.ordinal()];
  String secretName = getSecretName(arnTokens[Arn.secretName.ordinal()]);

  /*
   * Currently, dremio would support access of the secrets manager with base role assigned
   * to EC2 machine. This will be further enhanced, once we have more requirements on it.
   */
  AwsCredentialsProvider awsCredentialsProvider = getAwsCredentials();
  GetSecretValueRequest secretValueRequest = GetSecretValueRequest.builder().secretId(secretName)
    .versionStage(AWS_CURRENT).build();

  try (final SecretsManagerClient secretsManagerClient = SecretsManagerClient.builder()
        .region(Region.of(region))
        .credentialsProvider(awsCredentialsProvider)
        .build()) {
    final GetSecretValueResponse secretValueResponse = secretsManagerClient.getSecretValue(secretValueRequest);
    return (secretValueResponse.secretString() != null) ?
      secretValueResponse.secretString() : secretValueResponse.secretBinary().toString();
  } catch (SdkException e) {
    logger.debug("Unable to retrieve secret for secret {} as {}", secretName, e.getMessage());
    throw new IOException(e.getMessage(), e);
  }
}
 

/**
 * Checks if credentials are valid using GetCallerIdentity API call.
 */
protected void verifyCredentials(Configuration conf) throws RuntimeException {
    AwsCredentialsProvider awsCredentialsProvider = getAsync2Provider(conf);
    final StsClientBuilder stsClientBuilder = StsClient.builder()
      // Note that AWS SDKv2 client will close the credentials provider if needed when the client is closed
      .credentialsProvider(awsCredentialsProvider)
      .region(getAWSRegionFromConfigurationOrDefault(conf));
    try (StsClient stsClient = stsClientBuilder.build()) {
      retryer.call(() -> {
        GetCallerIdentityRequest request = GetCallerIdentityRequest.builder().build();
        stsClient.getCallerIdentity(request);
        return true;
      });
    } catch (Retryer.OperationFailedAfterRetriesException e) {
      throw new RuntimeException("Credential Verification failed.", e);
    }
}
 

private KinesisAsyncClient createClient() {

        ClientAsyncConfiguration clientConfiguration = ClientAsyncConfiguration.builder().build();

        // Reading credentials from ENV-variables
        AwsCredentialsProvider awsCredentialsProvider = DefaultCredentialsProvider.builder().build();

        // Configuring Kinesis-client with configuration
        String tmp = System.getenv("REGION");

        Region myRegion;
        if (tmp == null || tmp.trim().length() == 0) {
            myRegion = Region.US_EAST_1;
            LOGGER.info("Using default region");
        } else {
            myRegion = Region.of(tmp);
        }

        LOGGER.info("Deploying in Region " + myRegion.toString());

        return KinesisAsyncClient.builder()
                .asyncConfiguration(clientConfiguration)
                .credentialsProvider(awsCredentialsProvider)
                .region(myRegion)
                .build();
    }
 

@VisibleForTesting
protected AwsCredentialsProvider getAsync2Provider(Configuration config) {
  switch(config.get(Constants.AWS_CREDENTIALS_PROVIDER)) {
    case ACCESS_KEY_PROVIDER:
      return StaticCredentialsProvider.create(AwsBasicCredentials.create(
        config.get(Constants.ACCESS_KEY), config.get(Constants.SECRET_KEY)));
    case EC2_METADATA_PROVIDER:
      return InstanceProfileCredentialsProvider.create();
    case NONE_PROVIDER:
      return AnonymousCredentialsProvider.create();
    case ASSUME_ROLE_PROVIDER:
      return new STSCredentialProviderV2(config);
    default:
      throw new IllegalStateException(config.get(Constants.AWS_CREDENTIALS_PROVIDER));
  }
}
 

private StsProfileCredentialsProvider(AwsCredentialsProvider parentCredentialsProvider, Profile profile) {
    String roleArn = requireProperty(profile, ProfileProperty.ROLE_ARN);
    String roleSessionName = profile.property(ProfileProperty.ROLE_SESSION_NAME)
                                    .orElseGet(() -> "aws-sdk-java-" + System.currentTimeMillis());
    String externalId = profile.property(ProfileProperty.EXTERNAL_ID).orElse(null);

    AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
                                                           .roleArn(roleArn)
                                                           .roleSessionName(roleSessionName)
                                                           .externalId(externalId)
                                                           .build();

    this.stsClient = StsClient.builder()
                              .applyMutation(client -> configureEndpoint(client, profile))
                              .credentialsProvider(parentCredentialsProvider)
                              .build();

    this.parentCredentialsProvider = parentCredentialsProvider;
    this.credentialsProvider = StsAssumeRoleCredentialsProvider.builder()
                                                               .stsClient(stsClient)
                                                               .refreshRequest(assumeRoleRequest)
                                                               .build();
}
 

@Test
public void testVerifyCredentialsRetry() {
  PowerMockito.mockStatic(StsClient.class);
  StsClient mockedClient = mock(StsClient.class);
  StsClientBuilder mockedClientBuilder = mock(StsClientBuilder.class);
  when(mockedClientBuilder.credentialsProvider(any(AwsCredentialsProvider.class))).thenReturn(mockedClientBuilder);
  when(mockedClientBuilder.region(any(Region.class))).thenReturn(mockedClientBuilder);
  when(mockedClientBuilder.build()).thenReturn(mockedClient);
  when(StsClient.builder()).thenReturn(mockedClientBuilder);

  TestExtendedS3FileSystem fs = new TestExtendedS3FileSystem();
  AtomicInteger retryAttemptNo = new AtomicInteger(1);
  when(mockedClient.getCallerIdentity(any(GetCallerIdentityRequest.class))).then(invocationOnMock -> {
    if (retryAttemptNo.incrementAndGet() < 10) {
      throw new SdkClientException("Unable to load credentials from service endpoint.");
    }
    return null;
  });

  fs.verifyCredentials(new Configuration());
  assertEquals(10, retryAttemptNo.get());
}
 

@Test(expected = RuntimeException.class)
public void testVerifyCredentialsNoRetryOnAuthnError() {
  PowerMockito.mockStatic(StsClient.class);
  StsClient mockedClient = mock(StsClient.class);
  StsClientBuilder mockedClientBuilder = mock(StsClientBuilder.class);
  when(mockedClientBuilder.credentialsProvider(any(AwsCredentialsProvider.class))).thenReturn(mockedClientBuilder);
  when(mockedClientBuilder.region(any(Region.class))).thenReturn(mockedClientBuilder);
  when(mockedClientBuilder.build()).thenReturn(mockedClient);
  when(StsClient.builder()).thenReturn(mockedClientBuilder);

  TestExtendedS3FileSystem fs = new TestExtendedS3FileSystem();
  AtomicInteger retryAttemptNo = new AtomicInteger(0);
  when(mockedClient.getCallerIdentity(any(GetCallerIdentityRequest.class))).then(invocationOnMock -> {
    retryAttemptNo.incrementAndGet();
    throw StsException.builder().message("The security token included in the request is invalid. (Service: Sts, Status Code: 403, Request ID: a7e2e92e-5ebb-4343-87a1-21e4d64edcd4)").build();
  });
  fs.verifyCredentials(new Configuration());
  assertEquals(1, retryAttemptNo.get());
}
 

/**
 * Load an assumed-role credentials provider that has been configured in this profile. This will attempt to locate the STS
 * module in order to generate the credentials provider. If it's not available, an illegal state exception will be raised.
 *
 * @param children The child profiles that source credentials from this profile.
 */
private AwsCredentialsProvider roleAndSourceProfileBasedProfileCredentialsProvider(Set<String> children) {
    requireProperties(ProfileProperty.SOURCE_PROFILE);

    Validate.validState(!children.contains(name),
                        "Invalid profile file: Circular relationship detected with profiles %s.", children);
    Validate.validState(credentialsSourceResolver != null,
                        "The profile '%s' must be configured with a source profile in order to use assumed roles.", name);

    children.add(name);
    AwsCredentialsProvider sourceCredentialsProvider =
        credentialsSourceResolver.apply(properties.get(ProfileProperty.SOURCE_PROFILE))
                                 .flatMap(p -> new ProfileCredentialsUtils(p, credentialsSourceResolver)
                                     .credentialsProvider(children))
                                 .orElseThrow(this::noSourceCredentialsException);

    return stsCredentialsProviderFactory().create(sourceCredentialsProvider, profile);
}
 

@Override
public void serializeWithType(
    AwsCredentialsProvider credentialsProvider,
    JsonGenerator jsonGenerator,
    SerializerProvider serializer,
    TypeSerializer typeSerializer)
    throws IOException {
  WritableTypeId typeId =
      typeSerializer.writeTypePrefix(
          jsonGenerator, typeSerializer.typeId(credentialsProvider, JsonToken.START_OBJECT));
  if (credentialsProvider.getClass().equals(StaticCredentialsProvider.class)) {
    jsonGenerator.writeStringField(
        ACCESS_KEY_ID, credentialsProvider.resolveCredentials().accessKeyId());
    jsonGenerator.writeStringField(
        SECRET_ACCESS_KEY, credentialsProvider.resolveCredentials().secretAccessKey());
  } else if (!SINGLETON_CREDENTIAL_PROVIDERS.contains(credentialsProvider.getClass())) {
    throw new IllegalArgumentException(
        "Unsupported AWS credentials provider type " + credentialsProvider.getClass());
  }
  typeSerializer.writeTypeSuffix(jsonGenerator, typeId);
}
 

private AwsCredentialsProvider roleAndWebIdentityTokenProfileCredentialsProvider() {
    requireProperties(ProfileProperty.ROLE_ARN, ProfileProperty.WEB_IDENTITY_TOKEN_FILE);

    String roleArn = properties.get(ProfileProperty.ROLE_ARN);
    String roleSessionName = properties.get(ProfileProperty.ROLE_SESSION_NAME);
    Path webIdentityTokenFile = Paths.get(properties.get(ProfileProperty.WEB_IDENTITY_TOKEN_FILE));

    WebIdentityTokenCredentialProperties credentialProperties =
        WebIdentityTokenCredentialProperties.builder()
                                            .roleArn(roleArn)
                                            .roleSessionName(roleSessionName)
                                            .webIdentityTokenFile(webIdentityTokenFile)
                                            .build();

    return WebIdentityCredentialsUtils.factory().create(credentialProperties);
}
 

@Test
public void testStaticCredentialsProviderSerializationDeserialization() throws Exception {
  AwsCredentialsProvider credentialsProvider =
      StaticCredentialsProvider.create(AwsBasicCredentials.create("key-id", "secret-key"));
  String serializedCredentialsProvider = objectMapper.writeValueAsString(credentialsProvider);
  AwsCredentialsProvider deserializedCredentialsProvider =
      objectMapper.readValue(serializedCredentialsProvider, AwsCredentialsProvider.class);
  assertEquals(credentialsProvider.getClass(), deserializedCredentialsProvider.getClass());
  assertEquals(
      credentialsProvider.resolveCredentials().accessKeyId(),
      deserializedCredentialsProvider.resolveCredentials().accessKeyId());
  assertEquals(
      credentialsProvider.resolveCredentials().secretAccessKey(),
      deserializedCredentialsProvider.resolveCredentials().secretAccessKey());
}
 

/**
 * The credential instance that should be used to authenticate against AWS services. The option
 * value must contain a "@type" field and an AWS Credentials Provider class as the field value.
 * Refer to {@link DefaultCredentialsProvider} Javadoc for usage help.
 *
 * <p>For example, to specify the AWS key ID and secret, specify the following: <code>
 * {"@type" : "AWSStaticCredentialsProvider", "awsAccessKeyId" : "key_id_value",
 * "awsSecretKey" : "secret_value"}
 * </code>
 */
@Description(
    "The credential instance that should be used to authenticate "
        + "against AWS services. The option value must contain \"@type\" field "
        + "and an AWS Credentials Provider class name as the field value. "
        + "Refer to DefaultAWSCredentialsProviderChain Javadoc for usage help. "
        + "For example, to specify the AWS key ID and secret, specify the following: "
        + "{\"@type\": \"StaticCredentialsProvider\", "
        + "\"accessKeyId\":\"<key_id>\", \"secretAccessKey\":\"<secret_key>\"}")
@Default.InstanceFactory(AwsUserCredentialsFactory.class)
AwsCredentialsProvider getAwsCredentialsProvider();
 

BasicDynamoDbClientProvider(
    AwsCredentialsProvider awsCredentialsProvider, String region, @Nullable URI serviceEndpoint) {
  checkArgument(awsCredentialsProvider != null, "awsCredentialsProvider can not be null");
  checkArgument(region != null, "region can not be null");
  this.awsCredentialsProvider = awsCredentialsProvider;
  this.region = region;
  this.serviceEndpoint = serviceEndpoint;
}
 

BasicSnsAsyncClientProvider(
    AwsCredentialsProvider awsCredentialsProvider, String region, @Nullable URI serviceEndpoint) {
  checkArgument(awsCredentialsProvider != null, "awsCredentialsProvider can not be null");
  checkArgument(region != null, "region can not be null");
  this.awsCredentialsProvider = awsCredentialsProvider;
  this.region = region;
  this.serviceEndpoint = serviceEndpoint;
}
 

/**
 * Specify credential details and region to be used to write to SNS. If you need more
 * sophisticated credential protocol, then you should look at {@link
 * WriteAsync#withSnsClientProvider(SnsAsyncClientProvider)}.
 *
 * <p>The {@code serviceEndpoint} sets an alternative service host.
 */
public WriteAsync<T> withSnsClientProvider(
    AwsCredentialsProvider credentialsProvider, String region, URI serviceEndpoint) {
  checkNotNull(credentialsProvider, "credentialsProvider cannot be null");
  checkNotNull(region, "region cannot be null");
  return withSnsClientProvider(
      new BasicSnsAsyncClientProvider(credentialsProvider, region, serviceEndpoint));
}
 

/**
 * Specify credential details and region to be used to write to SNS. If you need more
 * sophisticated credential protocol, then you should look at {@link
 * WriteAsync#withSnsClientProvider(SnsAsyncClientProvider)}.
 */
public WriteAsync<T> withSnsClientProvider(
    AwsCredentialsProvider credentialsProvider, String region) {
  checkNotNull(credentialsProvider, "credentialsProvider cannot be null");
  checkNotNull(region, "region cannot be null");
  return withSnsClientProvider(credentialsProvider, region, null);
}
 

@Override
protected FirehoseAsyncClient createClient(AwsCredentialsProvider credentials, ClientOverrideConfiguration configuration, ThreadPoolExecutor executor, Region region, Optional<URI> endpointOverride) {
  FirehoseAsyncClientBuilder builder = FirehoseAsyncClient.builder()
    .credentialsProvider(credentials)
    .asyncConfiguration(b -> b.advancedOption(SdkAdvancedAsyncClientOption.FUTURE_COMPLETION_EXECUTOR, executor))
    .overrideConfiguration(configuration)
    .region(region);
  
  endpointOverride.ifPresent(endpoint -> builder.endpointOverride(endpoint));
  
  return builder.build();
}
 

@Override
public AwsCredentialsProvider deserializeWithType(
    JsonParser jsonParser, DeserializationContext context, TypeDeserializer typeDeserializer)
    throws IOException {
  Map<String, String> asMap =
      jsonParser.readValueAs(new TypeReference<Map<String, String>>() {});

  String typeNameKey = typeDeserializer.getPropertyName();
  String typeName = asMap.get(typeNameKey);
  if (typeName == null) {
    throw new IOException(
        String.format("AWS credentials provider type name key '%s' not found", typeNameKey));
  }

  if (typeName.equals(StaticCredentialsProvider.class.getSimpleName())) {
    return StaticCredentialsProvider.create(
        AwsBasicCredentials.create(asMap.get(ACCESS_KEY_ID), asMap.get(SECRET_ACCESS_KEY)));
  } else if (typeName.equals(DefaultCredentialsProvider.class.getSimpleName())) {
    return DefaultCredentialsProvider.create();
  } else if (typeName.equals(EnvironmentVariableCredentialsProvider.class.getSimpleName())) {
    return EnvironmentVariableCredentialsProvider.create();
  } else if (typeName.equals(SystemPropertyCredentialsProvider.class.getSimpleName())) {
    return SystemPropertyCredentialsProvider.create();
  } else if (typeName.equals(ProfileCredentialsProvider.class.getSimpleName())) {
    return ProfileCredentialsProvider.create();
  } else if (typeName.equals(ContainerCredentialsProvider.class.getSimpleName())) {
    return ContainerCredentialsProvider.builder().build();
  } else {
    throw new IOException(
        String.format("AWS credential provider type '%s' is not supported", typeName));
  }
}
 

@Override
public void serialize(
    AwsCredentialsProvider credentialsProvider,
    JsonGenerator jsonGenerator,
    SerializerProvider serializer)
    throws IOException {
  serializer.defaultSerializeValue(credentialsProvider, jsonGenerator);
}
 

@Test
void buildClientWithCustomizedConfig()
{
    AwsS3Sender.Config config = new AwsS3Sender.Config();
    config.setEndpoint("https://another.s3endpoi.nt");
    config.setRegion("ap-northeast-1");
    config.setAwsAccessKeyId("foo");
    config.setAwsSecretAccessKey("bar");

    S3Client s3Client = mock(S3Client.class);
    S3ClientBuilder s3ClientBuilder = mock(S3ClientBuilder.class);
    doReturn(s3Client).when(s3ClientBuilder).build();
    doAnswer(invocation -> {
        AwsCredentialsProvider provider = invocation.getArgument(0);
        AwsCredentials awsCredentials = provider.resolveCredentials();
        assertEquals("foo", awsCredentials.accessKeyId());
        assertEquals("bar", awsCredentials.secretAccessKey());
        return null;
    }).when(s3ClientBuilder).credentialsProvider(any());

    new AwsS3Sender(s3ClientBuilder, config);

    verify(s3ClientBuilder, times(1)).build();
    verify(s3ClientBuilder, times(1)).endpointOverride(eq(URI.create("https://another.s3endpoi.nt")));
    verify(s3ClientBuilder, times(1)).region(eq(Region.AP_NORTHEAST_1));
    verify(s3ClientBuilder, times(1)).credentialsProvider(any());
}
 

@Test
public void testAwsCredentialsProviderSerializationDeserialization() throws Exception {
  AwsCredentialsProvider credentialsProvider = DefaultCredentialsProvider.create();
  String serializedCredentialsProvider = objectMapper.writeValueAsString(credentialsProvider);
  AwsCredentialsProvider deserializedCredentialsProvider =
      objectMapper.readValue(serializedCredentialsProvider, DefaultCredentialsProvider.class);
  assertEquals(credentialsProvider.getClass(), deserializedCredentialsProvider.getClass());

  credentialsProvider = EnvironmentVariableCredentialsProvider.create();
  serializedCredentialsProvider = objectMapper.writeValueAsString(credentialsProvider);
  deserializedCredentialsProvider =
      objectMapper.readValue(serializedCredentialsProvider, AwsCredentialsProvider.class);
  assertEquals(credentialsProvider.getClass(), deserializedCredentialsProvider.getClass());

  credentialsProvider = SystemPropertyCredentialsProvider.create();
  serializedCredentialsProvider = objectMapper.writeValueAsString(credentialsProvider);
  deserializedCredentialsProvider =
      objectMapper.readValue(serializedCredentialsProvider, AwsCredentialsProvider.class);
  assertEquals(credentialsProvider.getClass(), deserializedCredentialsProvider.getClass());

  credentialsProvider = ProfileCredentialsProvider.create();
  serializedCredentialsProvider = objectMapper.writeValueAsString(credentialsProvider);
  deserializedCredentialsProvider =
      objectMapper.readValue(serializedCredentialsProvider, AwsCredentialsProvider.class);
  assertEquals(credentialsProvider.getClass(), deserializedCredentialsProvider.getClass());

  credentialsProvider = ContainerCredentialsProvider.builder().build();
  serializedCredentialsProvider = objectMapper.writeValueAsString(credentialsProvider);
  deserializedCredentialsProvider =
      objectMapper.readValue(serializedCredentialsProvider, AwsCredentialsProvider.class);
  assertEquals(credentialsProvider.getClass(), deserializedCredentialsProvider.getClass());
}
 

BasicSnsClientProvider(
    AwsCredentialsProvider awsCredentialsProvider, String region, @Nullable URI serviceEndpoint) {
  checkArgument(awsCredentialsProvider != null, "awsCredentialsProvider can not be null");
  checkArgument(region != null, "region can not be null");
  this.awsCredentialsProvider = awsCredentialsProvider;
  this.region = region;
  this.serviceEndpoint = serviceEndpoint;
}
 

@Bean
@Primary
public KinesisAsyncClient kinesisAsyncClient(final @Value("${test.environment:local}") String testEnvironment,
                                             final AwsCredentialsProvider credentialsProvider) {
    // kinesalite does not support cbor at the moment (v1.11.6)
    System.setProperty("aws.cborEnabled", "false");
    LOG.info("kinesis client for local tests");
    final KinesisAsyncClient kinesisClient;
    if (testEnvironment.equals("local")) {
        kinesisClient = KinesisAsyncClient.builder()
                .httpClient(
                        // Disables HTTP2 because of problems with LocalStack
                        NettyNioAsyncHttpClient.builder()
                                .protocol(Protocol.HTTP1_1)
                                .build())
                .endpointOverride(URI.create("http://localhost:4568"))
                .region(Region.EU_CENTRAL_1)
                .credentialsProvider(credentialsProvider)
                .build();
    } else {
        kinesisClient = KinesisAsyncClient.builder()
                .credentialsProvider(credentialsProvider)
                .build();
    }
    createChannelIfNotExists(kinesisClient, INTEGRATION_TEST_STREAM, 2);
    return kinesisClient;
}
 

@Bean
@ConditionalOnMissingBean
public S3Client s3Client(final AwsProperties awsProperties,
                         final AwsCredentialsProvider awsCredentialsProvider) {
    return S3Client
            .builder()
            .region(of(awsProperties.getRegion()))
            .credentialsProvider(awsCredentialsProvider)
            .build();
}
 

@Bean
@Primary
public KinesisAsyncClient kinesisAsyncClient(final @Value("${test.environment:local}") String testEnvironment,
                                             final AwsCredentialsProvider credentialsProvider,
                                             final RetryPolicy kinesisRetryPolicy) {
    // kinesalite does not support cbor at the moment (v1.11.6)
    System.setProperty("aws.cborEnabled", "false");
    LOG.info("kinesis client for local tests");
    final KinesisAsyncClient kinesisClient;
    if (testEnvironment.equals("local")) {
        kinesisClient = KinesisAsyncClient.builder()
                .httpClient(
                        // Disables HTTP2 because of problems with LocalStack
                        NettyNioAsyncHttpClient.builder()
                                .protocol(Protocol.HTTP1_1)
                                .build())
                .endpointOverride(URI.create("http://localhost:4568"))
                .region(Region.EU_CENTRAL_1)
                .credentialsProvider(credentialsProvider)
                .overrideConfiguration(ClientOverrideConfiguration.builder().retryPolicy(kinesisRetryPolicy).build())
                .build();
    } else {
        kinesisClient = KinesisAsyncClient.builder()
                .credentialsProvider(credentialsProvider)
                .build();
    }
    createChannelIfNotExists(kinesisClient, KINESIS_INTEGRATION_TEST_CHANNEL, EXPECTED_NUMBER_OF_SHARDS);
    return kinesisClient;
}
 

@Bean
@ConditionalOnMissingBean(KinesisAsyncClient.class)
public KinesisAsyncClient kinesisAsyncClient(final AwsCredentialsProvider credentialsProvider,
                                             final RetryPolicy kinesisRetryPolicy) {
    return KinesisAsyncClient.builder()
            .credentialsProvider(credentialsProvider)
            .region(Region.of(awsProperties.getRegion()))
            .overrideConfiguration(ClientOverrideConfiguration.builder().retryPolicy(kinesisRetryPolicy).build())
            .build();
}
 

@Bean
@ConditionalOnMissingBean(SqsAsyncClient.class)
public SqsAsyncClient sqsAsyncClient(final AwsCredentialsProvider credentialsProvider, final RetryPolicy sqsRetryPolicy) {
    return SqsAsyncClient.builder()
            .credentialsProvider(credentialsProvider)
            .region(Region.of(awsProperties.getRegion()))
            .overrideConfiguration(ClientOverrideConfiguration.builder()
                    .apiCallAttemptTimeout(Duration.ofSeconds(5))
                    .retryPolicy(sqsRetryPolicy).build())
            .build();
}
 

private AwsCredentialsProvider getCredentialsProvider(final ProviderConfigurationContext configurationContext) {
    final String credentialsProviderValue = configurationContext.getProperties().get(CREDENTIALS_PROVIDER_PROP);
    if (StringUtils.isBlank(credentialsProviderValue)) {
        throw new ProviderCreationException("The property '" + CREDENTIALS_PROVIDER_PROP + "' must be provided");
    }

    CredentialProvider credentialProvider;
    try {
        credentialProvider = CredentialProvider.valueOf(credentialsProviderValue);
    } catch (Exception e) {
        throw new ProviderCreationException("The property '" + CREDENTIALS_PROVIDER_PROP + "' must be one of ["
                + CredentialProvider.STATIC + ", " + CredentialProvider.DEFAULT_CHAIN + " ]");
    }

    if (CredentialProvider.STATIC == credentialProvider) {
        final String accesKeyValue = configurationContext.getProperties().get(ACCESS_KEY_PROP);
        final String secretAccessKey = configurationContext.getProperties().get(SECRET_ACCESS_KEY_PROP);

        if (StringUtils.isBlank(accesKeyValue) || StringUtils.isBlank(secretAccessKey)) {
            throw new ProviderCreationException("The properties '" + ACCESS_KEY_PROP + "' and '" + SECRET_ACCESS_KEY_PROP
                    + "' must be provided when using " + CredentialProvider.STATIC + " credentials provider");
        }

        LOGGER.debug("Creating StaticCredentialsProvider");
        final AwsCredentials awsCredentials = AwsBasicCredentials.create(accesKeyValue, secretAccessKey);
        return StaticCredentialsProvider.create(awsCredentials);

    } else {
        LOGGER.debug("Creating DefaultCredentialsProvider");
        return DefaultCredentialsProvider.create();
    }
}
 

public STSCredentialProviderV2(Configuration conf) {
  AwsCredentialsProvider awsCredentialsProvider = null;

  if (S3StoragePlugin.ACCESS_KEY_PROVIDER.equals(conf.get(Constants.ASSUMED_ROLE_CREDENTIALS_PROVIDER))) {
    awsCredentialsProvider = StaticCredentialsProvider.create(AwsBasicCredentials.create(
      conf.get(Constants.ACCESS_KEY), conf.get(Constants.SECRET_KEY)));
  } else if (S3StoragePlugin.EC2_METADATA_PROVIDER.equals(conf.get(Constants.ASSUMED_ROLE_CREDENTIALS_PROVIDER))) {
    awsCredentialsProvider = InstanceProfileCredentialsProvider.create();
  }

  final StsClientBuilder builder = StsClient.builder()
    .credentialsProvider(awsCredentialsProvider)
    .region(S3FileSystem.getAWSRegionFromConfigurationOrDefault(conf))
    .httpClientBuilder(initConnectionSettings(conf));
  S3FileSystem.getStsEndpoint(conf).ifPresent(e -> {
    try {
      builder.endpointOverride(new URI(e));
    } catch (URISyntaxException use) {
      throw UserException.sourceInBadState(use).buildSilently();
    }
  });

  initUserAgent(builder, conf);

  final AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
    .roleArn(conf.get(Constants.ASSUMED_ROLE_ARN))
    .roleSessionName(UUID.randomUUID().toString())
    .build();

  this.stsAssumeRoleCredentialsProvider = StsAssumeRoleCredentialsProvider.builder()
    .refreshRequest(assumeRoleRequest)
    .stsClient(builder.build())
    .build();
}