org.jets3t.service.security

Class AWSEC2IAMSessionCredentials

java.lang.Object

org.jets3t.service.security.ProviderCredentials

org.jets3t.service.security.AWSCredentials

org.jets3t.service.security.AWSSessionCredentials

org.jets3t.service.security.AWSEC2IAMSessionCredentials

public class AWSEC2IAMSessionCredentials
extends AWSSessionCredentials

Class to fetch, re-fetch, and contain the temporary (session-based) Amazon Web Services (AWS) credentials of an Identity and Access Management (IAM) role provided via EC2 instance data.

Field Summary

Fields

Modifier and Type	Field and Description
protected boolean	automaticRefreshEnabled
protected long	automaticRefreshRetryDelaySeconds
protected static java.lang.String	baseCredentialsUrl
protected java.util.Date	expiration
protected java.lang.String	roleName

Fields inherited from class org.jets3t.service.security.AWSSessionCredentials

sessionToken

Fields inherited from class org.jets3t.service.security.ProviderCredentials

accessKey, CREDENTIALS_STORAGE_VERSION, friendlyName, secretKey, V2_KEYS_DELIMITER, V3_KEYS_DELIMITER

Constructor Summary

Constructors

Constructor and Description
AWSEC2IAMSessionCredentials(java.lang.String awsAccessKey, java.lang.String awsSecretAccessKey, java.lang.String sessionToken, java.lang.String roleName, java.util.Date expiration, boolean automaticRefreshEnabled) Construct credentials.

Method Summary

Modifier and Type	Method and Description
java.lang.String	getAccessKey()
java.util.Date	getExpiration()
java.lang.String	getRoleName()
java.lang.String	getSecretKey()
java.lang.String	getSessionToken()
protected java.lang.String	getTypeName()
boolean	isAutomaticRefreshEnabled()
boolean	isNearExpiration()
static AWSEC2IAMSessionCredentials	loadFromEC2InstanceData(boolean automaticRefreshEnabled) Fetch AWS session credentials from EC2 instance data available while using the role name of the current EC2 instance.
static AWSEC2IAMSessionCredentials	loadFromEC2InstanceData(java.lang.String roleName, boolean automaticRefreshEnabled) Fetch AWS session credentials from EC2 instance data available with the given role name.
static AWSEC2IAMSessionCredentials	loadFromEC2InstanceData(java.lang.String urlPrefix, java.lang.String roleName, boolean automaticRefreshEnabled) Fetch AWS session credentials from EC2 instance data available at the given URL prefix (in case you are using a EC2-like service with alternate instance data endpoint) with the given role name.
static AWSEC2IAMSessionCredentials	parseEC2InstanceData(java.lang.String iamRoleData, java.lang.String roleName, boolean automaticRefreshEnabled) Parse AWS session credentials from the IAM role JSON blob returned from a lookup of the EC2 instance data service.
void	refreshFromEC2InstanceData() Fetch IAM role credentials from EC2 instance data and re-populate this object.
void	refreshFromEC2InstanceDataIfNearExpiration() If isAutomaticRefreshEnabled() and isNearExpiration() fetch the latest IAM role credentials from EC2 instance data and re-populate this object (via refreshFromEC2InstanceData().

Methods inherited from class org.jets3t.service.security.AWSCredentials

getVersionPrefix, main

Methods inherited from class org.jets3t.service.security.ProviderCredentials

getDataToEncrypt, getFriendlyName, getLogString, hasFriendlyName, load, load, save, save, save, save

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

baseCredentialsUrl

protected static java.lang.String baseCredentialsUrl

roleName

protected java.lang.String roleName

expiration

protected java.util.Date expiration

automaticRefreshEnabled

protected boolean automaticRefreshEnabled

automaticRefreshRetryDelaySeconds

protected long automaticRefreshRetryDelaySeconds

Constructor Detail

AWSEC2IAMSessionCredentials

public AWSEC2IAMSessionCredentials(java.lang.String awsAccessKey,
                                   java.lang.String awsSecretAccessKey,
                                   java.lang.String sessionToken,
                                   java.lang.String roleName,
                                   java.util.Date expiration,
                                   boolean automaticRefreshEnabled)

Construct credentials.

Parameters:

awsAccessKey - AWS access key for an Amazon S3 account.

awsSecretAccessKey - AWS secret key for an Amazon S3 account.

sessionToken - AWS session token for temporary/session-based account credentials.

roleName - IAM role name from which session credentials were loaded.

expiration - Expiration date of session credentials.

automaticRefreshEnabled - if true, credentials will be automatically refreshed when session token expiration is within 15 minutes

Method Detail

getTypeName

protected java.lang.String getTypeName()

Overrides:

getTypeName in class AWSSessionCredentials

Returns:

string representing this credential type's name (for serialization)

isAutomaticRefreshEnabled

public boolean isAutomaticRefreshEnabled()

Returns:

if true, credentials will be automatically refreshed when session token expiration is within 15 minutes

getSessionToken

public java.lang.String getSessionToken()

Overrides:

getSessionToken in class AWSSessionCredentials

Returns:

The AWS session token for temporary/session-based account credentials.

getAccessKey

public java.lang.String getAccessKey()

Overrides:

getAccessKey in class ProviderCredentials

Returns:

the Access Key.

getSecretKey

public java.lang.String getSecretKey()

Overrides:

getSecretKey in class ProviderCredentials

Returns:

the Secret Key.

getRoleName

public java.lang.String getRoleName()

Returns:

IAM role name from which session credentials were loaded.

getExpiration

public java.util.Date getExpiration()

Returns:

expiration date of session token.

isNearExpiration

public boolean isNearExpiration()

Returns:

true if the expiration date from getExpiration() is 15 minutes or less from the current time.

refreshFromEC2InstanceData

public void refreshFromEC2InstanceData()

Fetch IAM role credentials from EC2 instance data and re-populate this object.

refreshFromEC2InstanceDataIfNearExpiration

public void refreshFromEC2InstanceDataIfNearExpiration()

If isAutomaticRefreshEnabled() and isNearExpiration() fetch the latest IAM role credentials from EC2 instance data and re-populate this object (via refreshFromEC2InstanceData().

loadFromEC2InstanceData

public static AWSEC2IAMSessionCredentials loadFromEC2InstanceData(java.lang.String urlPrefix,
                                                                  java.lang.String roleName,
                                                                  boolean automaticRefreshEnabled)

Fetch AWS session credentials from EC2 instance data available at the given URL prefix (in case you are using a EC2-like service with alternate instance data endpoint) with the given role name.

Parameters:

urlPrefix - URL prefix for EC2 instance data. If you are using plain EC2 you should prefer the simpler loadFromEC2InstanceData(String, boolean) constructor.

roleName - Name of the IAM role provided in the EC2 to supply S3 access credentials

automaticRefreshEnabled - if true, the returned credentials object will automatically refresh the session token and credentials if they are nearly expired

Returns:

populated credentials object

loadFromEC2InstanceData

public static AWSEC2IAMSessionCredentials loadFromEC2InstanceData(java.lang.String roleName,
                                                                  boolean automaticRefreshEnabled)

Fetch AWS session credentials from EC2 instance data available with the given role name. Instance data is expected at the default EC2 endpoint: http://169.254.169.254/latest/meta-data/iam/security-credentials/

Parameters:

roleName - Name of the IAM role provided in the EC2 to supply S3 access credentials

automaticRefreshEnabled - if true, the returned credentials object will automatically refresh the session token and credentials if they are nearly expired

Returns:

populated credentials object

loadFromEC2InstanceData

public static AWSEC2IAMSessionCredentials loadFromEC2InstanceData(boolean automaticRefreshEnabled)

Fetch AWS session credentials from EC2 instance data available while using the role name of the current EC2 instance. Instance data is expected at the default EC2 endpoint: http://169.254.169.254/latest/meta-data/iam/security-credentials/ The role is fetched from: http://169.254.169.254/latest/meta-data/iam/security-credentials/

Parameters:

automaticRefreshEnabled - if true, the returned credentials object will automatically refresh the session token and credentials if they are nearly expired

Returns:

populated credentials object

parseEC2InstanceData

public static AWSEC2IAMSessionCredentials parseEC2InstanceData(java.lang.String iamRoleData,
                                                               java.lang.String roleName,
                                                               boolean automaticRefreshEnabled)
                                                        throws org.codehaus.jackson.JsonProcessingException,
                                                               java.io.IOException,
                                                               java.text.ParseException

Parse AWS session credentials from the IAM role JSON blob returned from a lookup of the EC2 instance data service. NOTE: This method is not intended for general use, it's only public to aid testing.

Parameters:

iamRoleData -

roleName -

automaticRefreshEnabled -

Returns:

populated credentials object

Throws:

org.codehaus.jackson.JsonProcessingException

java.io.IOException

java.text.ParseException