
I have Java code running in a Fargate cluster, and I need to access other AWS services from within the Java code using the AWS SDK. Right now I have hard-coded access key/secret key/token inside a Java class and it is working fine.

BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(accessKey, secretAccessKey, token);

Since I am running the Java code from within the same AWS account, is there a better way so that I don't have to hard-code credentials?

user10916892

2 Answers


Yes, you can always assign a task role to your task. The SDK will then automatically figure out the credentials and use them when making requests.

The trust policy would look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Then you need to specify the policy document. With this in place the SDK will figure out the rest. You can find more information in the AWS documentation here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

Aleksander Wons


I got it working by using DefaultAWSCredentialsProviderChain.java while building the target service client. Along with that, I added permissions for the target service in the role attached to the calling service. For example, if code running inside ECS tasks needs to call the SSM service, add permissions to the role attached to the ECS tasks to perform actions on SSM, and in the code, instead of hard-coding credentials, use the code below:

AWSSimpleSystemsManagement awsSimpleSystemsManagement = AWSSimpleSystemsManagementClient.builder()
                .withCredentials(new DefaultAWSCredentialsProviderChain())
                .build();

user10916892
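As an added example (not code from either answer), here is the pattern both answers describe carried through in AWS SDK for Java v1: the SSM client is built from the default provider chain, which in Fargate resolves the task role's temporary credentials from the container credential endpoint, and a small check confirms that temporary (session) credentials were picked up rather than a long-lived static key. The parameter name and class name are assumptions; the region comes from the task's AWS_REGION environment variable.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClientBuilder;
import com.amazonaws.services.simplesystemsmanagement.model.GetParameterRequest;
import com.amazonaws.services.simplesystemsmanagement.model.GetParameterResult;

public class TaskRoleSsmReader {

    // Assumed parameter name: the task role needs ssm:GetParameter on it
    // (and kms:Decrypt on the key if it is a SecureString).
    private static final String PARAMETER_NAME = "/example/app/db-password";

    // No credentials or region are passed explicitly. In Fargate the chain finds
    // AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and fetches the task role credentials;
    // the region is read from AWS_REGION, which ECS sets for the task.
    public static AWSSimpleSystemsManagement buildClient() {
        return AWSSimpleSystemsManagementClientBuilder.standard()
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .build();
    }

    // Task role credentials are always temporary, so they carry a session token.
    // A plain static access key would resolve to BasicAWSCredentials instead,
    // which is a useful sanity check when migrating away from hard-coded keys.
    public static boolean usesTemporaryCredentials() {
        AWSCredentials creds = DefaultAWSCredentialsProviderChain.getInstance().getCredentials();
        return creds instanceof AWSSessionCredentials;
    }

    public static String readParameter(AWSSimpleSystemsManagement ssm, String name) {
        GetParameterRequest request = new GetParameterRequest()
                .withName(name)
                .withWithDecryption(true);
        GetParameterResult result = ssm.getParameter(request);
        return result.getParameter().getValue();
    }

    public static void main(String[] args) {
        if (!usesTemporaryCredentials()) {
            System.err.println("Warning: resolved credentials are not session credentials; "
                    + "check that the task definition sets taskRoleArn.");
        }
        String value = readParameter(buildClient(), PARAMETER_NAME);
        System.out.println("Read " + value.length() + " characters from " + PARAMETER_NAME);
    }
}
```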