JaidenAshmore / java-dynamic-sqs-listener

Java SQS Listener library built to be customisable and dynamic during runtime
MIT License

Support AWS EKS OpenID Connect Web #384

Closed sepulworld closed 1 year ago

sepulworld commented 1 year ago

Hi! 👋

Here are the supported sdk versions for OpenID Connect. https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html

OpenID connect is the supported method of authentication if you are running your application inside of AWS EKS (k8s).

3rd on the credential chain isn't being used. https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials.html I believe when we build the defaultClient we need to also use https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/WebIdentityTokenFileCredentialsProvider.html

sepulworld commented 1 year ago

Any help on this is appreciated. I'll poke around and see if I can find a good solution so that the full default cred chain is considered (including the web token that is needed for EKS based apps).

JaidenAshmore commented 1 year ago

We already use version 2.16.104 for the Java SDK, so it should be available and no change is needed there to allow the functionality you are referencing.

If by the default SqsAsyncClient you are referencing the Spring Boot implementation, you can see how we set it up here: https://github.com/JaidenAshmore/java-dynamic-sqs-listener/blob/5.x/spring/spring-core/src/main/java/com/jashmore/sqs/spring/config/QueueListenerConfiguration.java#L63. It just does the defaults as configured in your app. If that doesn't work with your environment variables etc. you can always provide your own SqsAsyncClient by doing something like:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import software.amazon.awssdk.services.sqs.SqsAsyncClient;

@Configuration
public class MyConfig {

    @Bean
    public SqsAsyncClient sqsAsyncClient() {
        // Placeholder: return whatever client you have correctly set up with permissions
        return SqsAsyncClient.builder().build();
    }
}

We don't do anything smart with the SqsAsyncClient, so if it isn't working it would be something wrong with the SDK or your set up. Let me know if that doesn't make sense.

sepulworld commented 1 year ago

Here is a clue as to what is going on:

Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@35e64c7b: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@17179a7e: Failed to connect to service endpoint:

Should we load aws-java-sdk-sts in your client code? Making it available there seems to be the right move. What do you think @JaidenAshmore?

sepulworld commented 1 year ago

I've tested this out and the full default cred chain isn't used unless you include

software.amazon.awssdk:sts

I would recommend it be included in the build of the library, since the comments suggest the DefaultCred chain is used. As it stands now, WebToken is skipped unless the end user of this library includes it in their project.
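An added example, not code from this thread or from the library, of the "provide your own SqsAsyncClient" approach discussed above combined with the sts dependency point: the bean picks the web identity provider explicitly when the EKS-injected variables are present and resolves credentials once at startup, so a missing software.amazon.awssdk:sts module or unreadable token file surfaces as a clear startup failure instead of a skipped provider and a later "Unable to load AWS credentials" at the first poll. The class name SqsClientConfig and the helper selectCredentialsProvider are assumptions; it assumes software.amazon.awssdk:sts is declared in your own build.

```java
// Added example (not from this issue or the library): explicit credential selection
// for the listener's SqsAsyncClient. Assumes software.amazon.awssdk:sts is on the
// classpath; without it WebIdentityTokenFileCredentialsProvider cannot work.
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.services.sqs.SqsAsyncClient;

@Configuration
public class SqsClientConfig {

    // EKS injects these two variables into pods whose service account is
    // annotated with an IAM role (IAM Roles for Service Accounts).
    private static final String TOKEN_FILE_ENV = "AWS_WEB_IDENTITY_TOKEN_FILE";
    private static final String ROLE_ARN_ENV = "AWS_ROLE_ARN";

    @Bean
    public SqsAsyncClient sqsAsyncClient() {
        AwsCredentialsProvider provider = selectCredentialsProvider(System.getenv());
        // Resolve once now: if the sts module is absent, the token file is
        // unreadable, or AssumeRoleWithWebIdentity is denied, this throws here
        // with the SDK's message rather than on the first queue poll.
        provider.resolveCredentials();
        return SqsAsyncClient.builder().credentialsProvider(provider).build();
    }

    // Hypothetical helper: chooses the provider from the process environment.
    static AwsCredentialsProvider selectCredentialsProvider(Map<String, String> env) {
        boolean irsaConfigured = env.containsKey(TOKEN_FILE_ENV) && env.containsKey(ROLE_ARN_ENV);
        if (irsaConfigured) {
            // Reads the projected service-account token and exchanges it for
            // role credentials via STS; the SDK refreshes them before expiry.
            return WebIdentityTokenFileCredentialsProvider.create();
        }
        // Outside EKS fall back to the SDK's default chain (environment
        // variables, system properties, profile, container/instance metadata).
        return DefaultCredentialsProvider.create();
    }
}
```

Because credentials are resolved eagerly, a pod whose service account lacks the IAM role annotation fails its startup rather than running with no working credentials.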

yonatanaftali commented 1 year ago

@sepulworld @JaidenAshmore any update about that? How was this closed?