java - 如何将 AWS KMS 与 java sdk 结合使用，以便能够将 IAM 凭证解析为 ECS env？

Question

我有一个带有凭据的加密服务

public AWSKMS kms() {
    final AWSKMSClientBuilder builder = AWSKMSClient.builder();

    if (!properties.getAccessKey().isEmpty() && !properties.getSecretKey().isEmpty()) {
        builder.withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials(properties.getAccessKey(), properties.getSecretKey())));
    }

    if (Optional.ofNullable(properties.getEndpoint()).isPresent()) {
        builder.withEndpointConfiguration(new EndpointConfiguration(properties.getEndpoint().getServiceEndpoint(), properties.getEndpoint().getSigningRegion()));
    } else {
        Optional.ofNullable(properties.getRegion()).ifPresent(builder::setRegion);
    }

    return builder.build();
}

此服务是否可以从 IAM 角色检索凭证？

Answer 1

一旦你获得了 StS 的信用然后，您可以请求担任某个角色，您的信用信息将更新为具有该角色权限的信用信息。

比如，

Samples:

To assume a role AssumeRole

    AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard().build();
    AssumeRoleRequest request = new AssumeRoleRequest().withRoleArn("arn:aws:iam::123456789012:role/demo").withRoleSessionName("Bob")
            .withPolicy("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}")
            .withDurationSeconds(3600).withExternalId("123ABC");
    AssumeRoleResult response = client.assumeRole(request);

Java 开发工具包中的 AWS outline it here