AWS Credentials with No File IO possible

Question


I have an application that runs inside a framework. The framework does not permit FILE IO and throws all kinds of security exceptions killing my application.

I can pass the accessKeyId and secretAccessKey via system properties and they are passed correctly.

The problem I have is that no matter what I do the default in the AWS SDK always tries to get the credentials via File IO first (looking for its ~/.aws/credentials) and thus kills everything.

Is there any way to inhibit that file attempt? Or another way to do this?

I am using AWS Java SDK 2. Weirdly, SDK 1 seems to work OK but is too big, as it cannot be broken into modules like SDK 2 can be.

    import software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider;
    import software.amazon.awssdk.regions.Region;
    import software.amazon.awssdk.services.sqs.SqsClient;

    private SqsClient initialiseClient() {
        System.out.println(System.getProperty("aws.accessKeyId")); // this works
        System.out.println(System.getProperty("aws.secretAccessKey"));  // this works (debug only: prints the secret to stdout)

        // build() is where the SDK resolves its default profile file (see the stack trace below)
        return SqsClient.builder()
                .credentialsProvider(SystemPropertyCredentialsProvider.create())
                .region(Region.EU_WEST_1)
                .build();
    }

Stack Trace:

    Exception in thread "Thread-28" java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\username\.aws\credentials" "read")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at sun.nio.fs.WindowsPath.checkRead(WindowsPath.java:792)
    at sun.nio.fs.WindowsFileAttributeViews$Basic.readAttributes(WindowsFileAttributeViews.java:49)
    at sun.nio.fs.WindowsFileAttributeViews$Basic.readAttributes(WindowsFileAttributeViews.java:38)
    at sun.nio.fs.WindowsFileSystemProvider.readAttributes(WindowsFileSystemProvider.java:193)
    at java.nio.file.Files.readAttributes(Files.java:1737)
    at java.nio.file.Files.isRegularFile(Files.java:2229)
    at software.amazon.awssdk.profiles.ProfileFileLocation.lambda$resolveIfExists$1(ProfileFileLocation.java:128)
    at java.util.Optional.filter(Optional.java:178)
    at software.amazon.awssdk.profiles.ProfileFileLocation.resolveIfExists(ProfileFileLocation.java:128)
    at software.amazon.awssdk.profiles.ProfileFileLocation.credentialsFileLocation(ProfileFileLocation.java:78)
    at software.amazon.awssdk.profiles.ProfileFile.addCredentialsFile(ProfileFile.java:138)
    at software.amazon.awssdk.utils.builder.SdkBuilder.applyMutation(SdkBuilder.java:61)
    at software.amazon.awssdk.profiles.ProfileFile.defaultProfileFile(ProfileFile.java:90)
    at software.amazon.awssdk.core.client.builder.SdkDefaultClientBuilder.mergeGlobalDefaults(SdkDefaultClientBuilder.java:196)
    at software.amazon.awssdk.core.client.builder.SdkDefaultClientBuilder.syncClientConfiguration(SdkDefaultClientBuilder.java:149)
    at software.amazon.awssdk.services.sqs.DefaultSqsClientBuilder.buildClient(DefaultSqsClientBuilder.java:27)
    at software.amazon.awssdk.services.sqs.DefaultSqsClientBuilder.buildClient(DefaultSqsClientBuilder.java:22)
    at software.amazon.awssdk.core.client.builder.SdkDefaultClientBuilder.build(SdkDefaultClientBuilder.java:124)
    at net.something.fdDataExchange.messageHandlers.QMessageHandlerV2.lambda$initialiseClient$0(QMessageHandlerV2.java:66)
    at java.security.AccessController.doPrivileged(Native Method)
    at net.something.fdDataExchange.messageHandlers.QMessageHandlerV2.initialiseClient(QMessageHandlerV2.java:63)
    at net.something.fdDataExchange.messageHandlers.QMessageHandlerV2.connect(QMessageHandlerV2.java:52)
    at net.something.fdDataExchange.messageHandlers.QMessageHandlerV2.<init>(QMessageHandlerV2.java:47)
    at net.something.fdDataExchange.MessageHandler.receiveDirectMsg(MessageHandler.java:28)
    at net.something.fdDataExchange.commandProcessors.QCommandProcessor.run(QCommandProcessor.java:19)
    at java.lang.Thread.run(Thread.java:748)

Answer 1

Score: 1


You can try to implement a custom provider instead of using the system credential provider.
Here is a small example to connect to S3, but it holds for any AWS service. And here is the link for your reference:
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html

BasicAWSCredentials awsCreds = new BasicAWSCredentials("access_key_id", "secret_key_id");
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                        .withCredentials(new AWSStaticCredentialsProvider(awsCreds))
                        .build();

For SDK2 maybe this should work:

To explicitly supply credentials to an AWS client

Instantiate a class that provides the AwsCredentials interface, such as AwsSessionCredentials. Supply it with the AWS access key and secret key to use for the connection.

Create a StaticCredentialsProvider with the AwsCredentials object.

Configure the client builder with the StaticCredentialsProvider and build the client.

The following example creates a new service client that uses credentials that you supplied:

AwsSessionCredentials awsCreds = AwsSessionCredentials.create(
    "your_access_key_id_here",
    "your_secret_key_id_here",
    "your_session_token_here");

S3Client s32 = S3Client.builder()
                       .credentialsProvider(StaticCredentialsProvider.create(awsCreds))
                       .build();

Source: https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html

Hope it helps!

Posted by huangapple on 2020-04-11 01:49:05
Original link: https://go.coder-hub.com/61145792.html