
I'm using spring-cloud-aws-messaging to be able to easily confirm SNS topic subscription and receive notification through an HTTPS endpoint in my service.

```java
@NotificationSubscriptionMapping
public void confirmSubscription(final NotificationStatus status) {}
```

For that specific process, AWS credentials shouldn't be necessary: the flow is validated through a certificate validation between the SNS request to my service and a call to the provided URL matching the certificate's signature. But still, when SNS tries to confirm the subscription, I get:

```
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY))
```

Is there a way to go around it?

Here we can find an example of someone that could do it using the .NET aws-sdk directly:

Use AWS SDK without credentials to confirm a SNS subscription --> No RegionEndpoint or ServiceURL configured

So it's probably possible to do it in Java with the SDK directly, but I still wonder if it's possible with spring-cloud-aws.

I appreciate any help a lot. Cheers!

  • A bit of a hack, but you can set dummy values for the creds. Won't matter if it doesn't actually call the aws api. – jordanm Oct 29 '21 at 21:55
  • Hey @jordanm, yea I tried to use dummy creds but now I'm getting `com.amazonaws.services.sns.model.AmazonSNSException: The security token included in the request is invalid. (Service: AmazonSNS; Status Code: 403; Error Code: InvalidClientTokenId`. It seems I really need valid credentials. I wonder if I can create an IAM user with no permissions at all and generate the credentials from it, I'm gonna give it a try – Yuri Padilha Nov 02 '21 at 13:46
  • It will need permission for something because it does appear to be sending a request. If you set up the IAM user without a policy and still get an access denied, you will just need to create a policy with the relevant SNS permission. – jordanm Nov 02 '21 at 16:40
  • Yea, good point, I'll definitely need some SNS permissions, that's the direction I'll be going for. It's pretty frustrating that there's no way for the lib to use `subscribeUrl` directly and avoid asking for the credentials – Yuri Padilha Nov 02 '21 at 17:12

0 Answers
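The credential-free confirmation discussed in the question and comments (a GET on the message's `SubscribeURL`), as an added example that is not part of the original thread and not spring-cloud-aws code. The class and method names are hypothetical; it assumes Java 11+, and that the caller has already verified the SNS message signature and extracted `TopicArn` and `SubscribeURL` from the JSON body. Because that URL arrives in an unauthenticated POST, it is checked before the service fetches it.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper: confirms an SNS HTTPS subscription without AWS credentials.
public class SnsSubscriptionConfirmer {
    // SNS endpoints look like sns.<region>.amazonaws.com (".cn" suffix in China regions).
    private static final Pattern SNS_HOST = Pattern.compile(
            "^sns\\.[a-z0-9-]+\\.amazonaws\\.com(\\.cn)?$", Pattern.CASE_INSENSITIVE);

    private final Set<String> allowedTopicArns; // topics this service expects to hear from
    private final HttpClient http = HttpClient.newBuilder()
            .followRedirects(HttpClient.Redirect.NEVER) // never leave the validated host
            .connectTimeout(Duration.ofSeconds(5))
            .build();

    public SnsSubscriptionConfirmer(Set<String> allowedTopicArns) {
        this.allowedTopicArns = Set.copyOf(allowedTopicArns);
    }

    /** Accepts only an HTTPS URL on an SNS host, with no userinfo and the default port. */
    static URI validate(String subscribeUrl) {
        URI uri = URI.create(subscribeUrl);
        boolean ok = "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && SNS_HOST.matcher(uri.getHost()).matches()
                && uri.getUserInfo() == null
                && (uri.getPort() == -1 || uri.getPort() == 443);
        if (!ok) throw new IllegalArgumentException("Refusing SubscribeURL: " + subscribeUrl);
        return uri;
    }

    /** Confirms the subscription with a plain GET; returns true on HTTP 200. */
    public boolean confirm(String topicArn, String subscribeUrl)
            throws IOException, InterruptedException {
        if (!allowedTopicArns.contains(topicArn)) {
            throw new IllegalArgumentException("Unexpected TopicArn: " + topicArn);
        }
        HttpRequest req = HttpRequest.newBuilder(validate(subscribeUrl))
                .timeout(Duration.ofSeconds(10)).GET().build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        return resp.statusCode() == 200;
    }
}
```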