Closed sxhmilyoyo closed 5 months ago
I suspect that the trust store from which the Java SDK client is pulling CA certificates from is different from the one that the AWS CLI uses. I believe the Java SDK uses the default Java cacerts
trust store, so you may be able to fix this by adding the Amazon Root CA certificate to your trust store.
Two other avenues to investigate -
1) Are the two commands (CLI vs. Spring Boot) running on the same instance? The Java cacerts
shouldn't affect the trust store the credential helper uses, but a different instance might.
2) Is the Spring Boot app launched with the environment variables HTTP_PROXY
or HTTPS_PROXY
set? The AWS Java SDK 2 ProcessCredentialsProvider
(implicitly called by the ProfileCredentialsProvider
when handling a profile with credential_process
defined) uses the Java ProcessBuilder
. According to the Javadoc, the child process is run with "copy of the environment of the current process" - so if the app is launched with those variables, I expect them to be in the credential helpers environment.
The Go standard library, used by the credential helper, will honor those variables. If set, it will connect to the proxy first, which presents a certificate - usually a private certificate that's not in the trust store. If you find this is the case, you can put the certificate into the trust store, or try launching the Boot app without the variables.
Independently, you can cerify the validity of the Roles Anywhere endpoint TLS certificate -
openssl s_client -connect rolesanywhere.us-west-2.amazonaws.com:443 -showcerts < /dev/null
You can also verify that the credential helper can access the endpoint with no TLS errors, when called directly -
aws_signing_helper credential-process --certificate /path/to/cert.pem --private-key /path/to/private-key.pem --trust-anchor-arn <trust-anchor-arn> --profile-arn <profile-arn> --role-arn <role-arn>
The key is figuring out what is different when the JVM forks out to the process.
@rlalcorn Thanks for your quick reply.
Are the two commands (CLI vs. Spring Boot) running on the same instance? The Java cacerts shouldn't affect the trust store the credential helper uses, but a different instance might.
Yes, they were both ran on my MacBook.
Is the Spring Boot app launched with the environment variables HTTP_PROXY or HTTPS_PROXY set?
I tried echo $HTTP_PROXY
and echo $HTTPS_PROXY
, nothing is returned. Besides, I also checked the application.properties file, nothing related to them either.
I tried to run aws_signing_helper credential-process --certificate /path/to/cert.pem --private-key /path/to/private-key.pem --trust-anchor-arn <trust-anchor-arn> --profile-arn <profile-arn> --role-arn <role-arn>
, and it works for me.
I tried to run openssl s_client -connect rolesanywhere.us-west-2.amazonaws.com:443 -showcerts < /dev/null
and it works as well for me to return some certificates and something like this in the end
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5574 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
I am a newbie on the domain of the trust store and certificate. It would be appreciated if you could share more debug process with more details. Thanks.
@13ajay Thanks for your quick reply.
Let me explore on this.
I followed on this https://docs.aws.amazon.com/privateca/latest/userguide/PcaIssueCert.html to set up the end-entity certificates as required as the 2nd prerequisites mentioned in this reference: https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/
An end-entity certificate and associated private key available on the on-premises server
After I install all Amazon Root CAs into the $JAVA_HOME/lib/security/cacerts
, the issue is resolved.
keytool -import -trustcacerts -alias AmazonRootCA1 -file /path/to/AmazonRootCA1.pem
Thanks for everyone help, especially @13ajay, your suggestion is correct.
Summary
I followed this awesome reference to set up the rolesanywhere on my MacBook: https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/, and it works when I run AWS CLI on my MacBook. However, when I tested it in my code with AWS Java SDK in Spring Boot Application, it does not work.
~/.aws/config
Test with AWS CLI
Command
aws sts get-caller-identity
Response
Test with AWS Java SDK in Spring Boot Application
Java Code
Error
Potential Fix
I noticed that the issue was from tls and there is one flag for
aws_signing_helper
:--no-verify-ssl
. I tried to add--no-verify-ssl
in the~/.aws/config
, like thisThen no more issue, the S3Client started working with correct credentials.
Question
Could you help me understand the root cause of this issue? Besides, according to the official reference: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html#credential-helper-options
It seems like it is better to not use
--no-verify-ssl
.Thanks.