Currently I'm trying to get an ID token from an SSO endpoint.
// Imports assume Apache HttpClient 4.x, Jackson and AWS SDK for Java v2.
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsAsyncClient;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleWithWebIdentityCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;

    // Calls the OIDC token endpoint with the password grant and returns the token
    // the SDK will present to STS. The HTTP and JSON calls throw IOException, so the
    // method declares it instead of swallowing it.
    public String getSSOToken() throws IOException {
        try (CloseableHttpClient httpClient = HttpClients.createDefault()) {
            HttpPost httpPost = new HttpPost(issuerUri + "/token");
            httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded");
            List<NameValuePair> params = new ArrayList<>();
            params.add(new BasicNameValuePair("grant_type", grantType));
            params.add(new BasicNameValuePair("client_id", clientId));
            params.add(new BasicNameValuePair("client_secret", clientSecret));
            params.add(new BasicNameValuePair("username", userName));
            params.add(new BasicNameValuePair("password", password));
            params.add(new BasicNameValuePair("scope", "openid"));
            httpPost.setEntity(new UrlEncodedFormEntity(params));
            try (CloseableHttpResponse response = httpClient.execute(httpPost)) {
                String responseBody = EntityUtils.toString(response.getEntity());
                JsonNode root = new ObjectMapper().readTree(responseBody);
                if (root.hasNonNull("error")) {
                    throw new IllegalStateException("Error when getting token: " + responseBody);
                }
                // Returns the access_token field; with scope=openid the same response
                // also carries an id_token.
                return root.get("access_token").asText();
            }
        }
    }

    // STS provider that exchanges the web identity token for role credentials.
    @Bean
    public StsAssumeRoleWithWebIdentityCredentialsProvider refreshableCredentialsProvider() throws IOException {
        return StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
                .stsClient(StsClient.builder().region(Region.of(region)).build())
                .refreshRequest(AssumeRoleWithWebIdentityRequest.builder()
                        .roleArn(role)
                        .roleSessionName("test-session")
                        .webIdentityToken(getSSOToken())
                        .build())
                .build();
    }

    // SQS client that should sign with the credentials from the STS provider above.
    @Bean
    @Primary
    public SqsAsyncClient amazonSQSAsync(StsAssumeRoleWithWebIdentityCredentialsProvider refreshableCredentialsProvider) {
        return SqsAsyncClient.builder()
                .region(Region.of(region))
                .credentialsProvider(refreshableCredentialsProvider)
                .build();
    }
But it seems that the framework does not respect the StsAssumeRoleWithWebIdentityCredentialsProvider bean:
Caused by: io.awspring.cloud.sqs.QueueAttributesResolvingException: Error resolving attributes for queue dxxxx-queue with strategy CREATE and queueAttributesNames []
at io.awspring.cloud.sqs.QueueAttributesResolver.wrapException(QueueAttributesResolver.java:98) ~[spring-cloud-aws-sqs-3.3.0.jar:3.3.0]
at java.base/java.util.concurrent.CompletableFuture.uniExceptionally(CompletableFuture.java:990) ~[na:na]
at java.base/java.util.concurrent.CompletableFuture.uniExceptionallyStage(CompletableFuture.java:1008) ~[na:na]
at java.base/java.util.concurrent.CompletableFuture.exceptionally(CompletableFuture.java:2364) ~[na:na]
at io.awspring.cloud.sqs.CompletableFutures.exceptionallyCompose(CompletableFutures.java:57) ~[spring-cloud-aws-sqs-3.3.0.jar:3.3.0]
... 11 common frames omitted
Caused by: software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(sections=[])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_ROLE_ARN or the javaproperty aws.roleArn must be set., ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(sections=[])): Profile file contained no credentials for profile 'default': ProfileFile(sections=[]), ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): IMDS credentials have been disabled by environment variable or system property.]
at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:130) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:130) ~[auth-2.31.3.jar:na]
at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45) ~[auth-2.31.3.jar:na]
at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:129) ~[auth-2.31.3.jar:na]
at software.amazon.awssdk.auth.credentials.AwsCredentialsProvider.resolveIdentity(AwsCredentialsProvider.java:54) ~[auth-2.31.3.jar:na]
at software.amazon.awssdk.services.sts.auth.scheme.internal.StsAuthSchemeInterceptor.lambda$trySelectAuthScheme$4(StsAuthSchemeInterceptor.java:134) ~[sts-2.31.4.jar:na]
at software.amazon.awssdk.core.internal.util.MetricUtils.reportDuration(MetricUtils.java:80) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.services.sts.auth.scheme.internal.StsAuthSchemeInterceptor.trySelectAuthScheme(StsAuthSchemeInterceptor.java:134) ~[sts-2.31.4.jar:na]
at software.amazon.awssdk.services.sts.auth.scheme.internal.StsAuthSchemeInterceptor.selectAuthScheme(StsAuthSchemeInterceptor.java:81) ~[sts-2.31.4.jar:na]
at software.amazon.awssdk.services.sts.auth.scheme.internal.StsAuthSchemeInterceptor.beforeExecution(StsAuthSchemeInterceptor.java:61) ~[sts-2.31.4.jar:na]
at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.lambda$beforeExecution$1(ExecutionInterceptorChain.java:59) ~[sdk-core-2.31.3.jar:na]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511) ~[na:na]
at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.beforeExecution(ExecutionInterceptorChain.java:59) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.runInitialInterceptors(AwsExecutionContextBuilder.java:254) ~[aws-core-2.31.3.jar:na]
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:144) ~[aws-core-2.31.3.jar:na]
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:67) ~[aws-core-2.31.3.jar:na]
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:76) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:182) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:74) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:53) ~[aws-core-2.31.3.jar:na]
at software.amazon.awssdk.services.sts.DefaultStsClient.assumeRoleWithWebIdentity(DefaultStsClient.java:755) ~[sts-2.31.4.jar:na]
at software.amazon.awssdk.services.sts.auth.StsAssumeRoleWithWebIdentityCredentialsProvider.getUpdatedCredentials(StsAssumeRoleWithWebIdentityCredentialsProvider.java:76) ~[sts-2.31.4.jar:na]
at software.amazon.awssdk.services.sts.auth.StsCredentialsProvider.updateSessionCredentials(StsCredentialsProvider.java:93) ~[sts-2.31.4.jar:na]
at software.amazon.awssdk.utils.cache.CachedSupplier.lambda$jitteredPrefetchValueSupplier$8(CachedSupplier.java:300) ~[utils-2.31.3.jar:na]
at software.amazon.awssdk.utils.cache.CachedSupplier$PrefetchStrategy.fetch(CachedSupplier.java:448) ~[utils-2.31.3.jar:na]
at software.amazon.awssdk.utils.cache.CachedSupplier.refreshCache(CachedSupplier.java:208) ~[utils-2.31.3.jar:na]
at software.amazon.awssdk.utils.cache.CachedSupplier.get(CachedSupplier.java:135) ~[utils-2.31.3.jar:na]
at software.amazon.awssdk.services.sts.auth.StsCredentialsProvider.resolveCredentials(StsCredentialsProvider.java:106) ~[sts-2.31.4.jar:na]
at software.amazon.awssdk.auth.credentials.AwsCredentialsProvider.resolveIdentity(AwsCredentialsProvider.java:54) ~[auth-2.31.3.jar:na]
at software.amazon.awssdk.services.sqs.auth.scheme.internal.SqsAuthSchemeInterceptor.lambda$trySelectAuthScheme$4(SqsAuthSchemeInterceptor.java:134) ~[sqs-2.31.3.jar:na]
at software.amazon.awssdk.core.internal.util.MetricUtils.reportDuration(MetricUtils.java:80) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.services.sqs.auth.scheme.internal.SqsAuthSchemeInterceptor.trySelectAuthScheme(SqsAuthSchemeInterceptor.java:134) ~[sqs-2.31.3.jar:na]
at software.amazon.awssdk.services.sqs.auth.scheme.internal.SqsAuthSchemeInterceptor.selectAuthScheme(SqsAuthSchemeInterceptor.java:81) ~[sqs-2.31.3.jar:na]
at software.amazon.awssdk.services.sqs.auth.scheme.internal.SqsAuthSchemeInterceptor.beforeExecution(SqsAuthSchemeInterceptor.java:61) ~[sqs-2.31.3.jar:na]
at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.lambda$beforeExecution$1(ExecutionInterceptorChain.java:59) ~[sdk-core-2.31.3.jar:na]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511) ~[na:na]
at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.beforeExecution(ExecutionInterceptorChain.java:59) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.runInitialInterceptors(AwsExecutionContextBuilder.java:254) ~[aws-core-2.31.3.jar:na]
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:144) ~[aws-core-2.31.3.jar:na]
at software.amazon.awssdk.awscore.client.handler.AwsAsyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsAsyncClientHandler.java:63) ~[aws-core-2.31.3.jar:na]
at software.amazon.awssdk.core.internal.handler.BaseAsyncClientHandler.lambda$execute$1(BaseAsyncClientHandler.java:75) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.core.internal.handler.BaseAsyncClientHandler.measureApiCallSuccess(BaseAsyncClientHandler.java:294) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.core.internal.handler.BaseAsyncClientHandler.execute(BaseAsyncClientHandler.java:73) ~[sdk-core-2.31.3.jar:na]
at software.amazon.awssdk.awscore.client.handler.AwsAsyncClientHandler.execute(AwsAsyncClientHandler.java:49) ~[aws-core-2.31.3.jar:na]
at software.amazon.awssdk.services.sqs.DefaultSqsAsyncClient.getQueueUrl(DefaultSqsAsyncClient.java:1277) ~[sqs-2.31.3.jar:na]
at io.awspring.cloud.sqs.QueueAttributesResolver.doResolveQueueUrl(QueueAttributesResolver.java:118) ~[spring-cloud-aws-sqs-3.3.0.jar:3.3.0]
at io.awspring.cloud.sqs.QueueAttributesResolver.resolveQueueUrl(QueueAttributesResolver.java:104) ~[spring-cloud-aws-sqs-3.3.0.jar:3.3.0]
... 11 common frames omitted
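The trace shows the inner StsClient, not the SQS client, walking the default credential chain while executing assumeRoleWithWebIdentity. That call is authenticated by the token itself, so the STS client needs an explicit AnonymousCredentialsProvider; the SDK's own web-identity provider builds its STS client that way. Below is a corrected wiring added as an example (not code from the question): it also passes the request as a Supplier so every refresh fetches a fresh ID token. Assumed: a Supplier<String> bean wrapping the question's getSSOToken(), and the property names aws.region and aws.role-arn.

```java
import java.util.function.Supplier;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;

import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsAsyncClient;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleWithWebIdentityCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;

@Configuration
public class SqsWebIdentityConfig {

    // Assumed property names; not taken from the question.
    @Value("${aws.region}")
    private String region;

    @Value("${aws.role-arn}")
    private String role;

    @Bean
    public StsAssumeRoleWithWebIdentityCredentialsProvider refreshableCredentialsProvider(
            Supplier<String> idTokenSupplier) { // hypothetical bean wrapping getSSOToken()
        // AssumeRoleWithWebIdentity is unsigned: the ID token is the credential.
        // Without an explicit provider the STS client resolves the default chain
        // (system props, env, profile, container, IMDS), which is the failure in the trace.
        StsClient stsClient = StsClient.builder()
                .region(Region.of(region))
                .credentialsProvider(AnonymousCredentialsProvider.create())
                .build();
        return StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
                .stsClient(stsClient)
                // Supplier form: a new ID token is obtained on each refresh instead of
                // reusing the one captured when the bean was created (it would expire).
                .refreshRequest(() -> AssumeRoleWithWebIdentityRequest.builder()
                        .roleArn(role)
                        .roleSessionName("sqs-consumer")
                        .webIdentityToken(idTokenSupplier.get())
                        .build())
                .asyncCredentialUpdateEnabled(true)
                .build();
    }

    @Bean
    @Primary
    public SqsAsyncClient amazonSQSAsync(StsAssumeRoleWithWebIdentityCredentialsProvider provider) {
        // Only the SQS client signs with the assumed-role credentials.
        return SqsAsyncClient.builder().region(Region.of(region)).credentialsProvider(provider).build();
    }
}
```

Keep the role's trust policy scoped to the IdP's audience (client_id) so only tokens minted for this application can assume it.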