When using the AWS SDK for Java 2.x, an important thing to know about authentication is that the SDK automatically handles the complex request signing process using credentials from your environment or IAM roles without requiring you to implement any cryptographic algorithms.
The SDK manages credential discovery, signature creation, and credential refreshing completely behind the scenes, letting you focus on your application logic.
The Authentication and access topic in the AWS SDKs and Tools Reference Guide describes the different authentication approaches. We recommend that you follow the instructions to set up access to the IAM Identity Center so the SDK can acquire credentials.
After following the instructions in the AWS SDKs and Tools Reference Guide, your system should be set up to allow the SDK to sign requests:
After you complete Step 2 in the programmatic access section so that the SDK can use IAM Identity Center authentication, your system should contain the following elements.
The AWS CLI, which you use to start an AWS access portal session before you run your application.
An ~/.aws/config file that contains a default profile. The SDK for Java uses the profile's SSO token provider configuration to acquire credentials before sending requests to AWS. The sso_role_name value, which is an IAM role connected to an IAM Identity Center permission set, should allow access to the AWS services used in your application.
The following sample config file shows a default profile set up with SSO token provider configuration. The profile's sso_session setting refers to the named sso-session section. The sso-session section contains settings to initiate an AWS access portal session.

    [default]
    sso_session = my-sso
    sso_account_id = 111122223333
    sso_role_name = SampleRole
    region = us-east-1
    output = json

    [sso-session my-sso]
    sso_region = us-east-1
    sso_start_url = https://provided-domain.awsapps.com/start
    sso_registration_scopes = sso:account:access

For more details about the settings used in the SSO token provider configuration, see SSO token provider configuration in the AWS SDKs and Tools Reference Guide.
If your development environment is not set up for programmatic access as previously shown, follow Step 2 in the SDKs Reference Guide.
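The following Python check is an added example, not part of the AWS documentation or the SDK. It verifies offline that a profile's sso_session setting resolves to a named sso-session section before you sign in. The function name check_sso_profile, the embedded sample text, and the choice to treat sso_session, sso_account_id, sso_role_name, sso_region and sso_start_url as required are assumptions of this example.

```python
import configparser

# Constructed sample mirroring the config file shown above.
SAMPLE_CONFIG = """\
[default]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole
region = us-east-1
output = json

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://provided-domain.awsapps.com/start
sso_registration_scopes = sso:account:access
"""

# Settings this example treats as required (an assumption of the example).
PROFILE_KEYS = ("sso_session", "sso_account_id", "sso_role_name")
SESSION_KEYS = ("sso_region", "sso_start_url")


def _missing(parser, section, keys):
    """List a problem for every key that is absent or empty in the section."""
    return [f"[{section}] is missing {key}" for key in keys
            if not parser.get(section, key, fallback="").strip()]


def check_sso_profile(config_text, profile="default"):
    """Return a list of problems; an empty list means the profile resolves."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(config_text)
    # In the shared config file, named profiles are written "[profile NAME]";
    # only the default profile is written "[default]".
    section = "default" if profile == "default" else f"profile {profile}"
    if not parser.has_section(section):
        return [f"no [{section}] section"]
    problems = _missing(parser, section, PROFILE_KEYS)
    session_name = parser.get(section, "sso_session", fallback="").strip()
    if not session_name:
        return problems
    session = f"sso-session {session_name}"
    if not parser.has_section(session):
        return problems + [f"[{section}] refers to missing [{session}]"]
    return problems + _missing(parser, session, SESSION_KEYS)


if __name__ == "__main__":
    print(check_sso_profile(SAMPLE_CONFIG) or "default profile resolves")
```

To check a real file, pass the text of ~/.aws/config instead of SAMPLE_CONFIG.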
Before running an application that accesses AWS services, you need an active AWS access portal session in order for the SDK to use IAM Identity Center authentication to resolve credentials. Run the following command in the AWS CLI to sign in to the AWS access portal.

    aws sso login

Since you have a default profile setup, you do not need to call the command with a --profile option. If your SSO token provider configuration is using a named profile, the command is aws sso login --profile named-profile.
To test if you already have an active session, run the following AWS CLI command.

    aws sts get-caller-identity

The response to this command should report the IAM Identity Center account and permission set configured in the shared config file.
If you already have an active AWS access portal session and run aws sso login, you will not be required to provide credentials.
However, you will see a dialog that requests permission for botocore to access your information. botocore is the foundation for the AWS CLI.
Select Allow to authorize access to your information for the AWS CLI and SDK for Java.
For more options on authentication for the SDK, such as the use of profiles and environment variables, see the configuration chapter in the AWS SDKs and Tools Reference Guide.