How to grant AWS programmatic access to thousands of non-EC2 computers, and rotate keys?

Question

My Java service will run on my computers (let's say I'll have more than 1000 computers) and will send some data to S3. I use the AWS Java SDK for it.

If I'm right, to do this I need to use an access key & secret key on my computers (let's say they will be in the .aws/credentials file).

I read a lot of AWS documentation about the best practices for resources programmatic access, but still can't understand it.

  1. Rotating access keys. After an access key is rotated, how can I change it in all applications that run on my computers? Should my application be self-updating?

  2. Temporary credentials. In this approach I still need to have an access key & secret key on my computers. If yes, I have the same problem as in Q1.

Can somebody advise me on the best and most secure way to programmatically access AWS resources in my situation? What do I need to do with the access key & secret key?

Thank you.

UPDATES:

  1. Computers are on different networks
  2. Java app sends data to S3 and also reads from S3
  3. New computers can be added at any time

Answer 1

Score: 1

The computers will need AWS credentials to talk with S3.

The simplest way is to store the credentials on each computer. However, as you say, it makes it hard to rotate the keys.

Another option is to store the credentials in a database that they can access, so they always get the latest credentials. However, they will need some sort of login to access the database.

Alternatively, you could set up identity federation so that the computers can authenticate against something like Active Directory, and then you can write a central service that will provide temporary credentials to each computer.

The process is basically:

  • The computers authenticate to AD
  • They call your service and prove that they are authenticated to AD
  • Your service then calls STS and generates temporary credentials valid for up to 36 hours
  • It provides those credentials to the computers

See: GetFederationToken - AWS Security Token Service
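The central-service step of this answer, as an added example (not code from the answer), written against the AWS SDK for Java v2 that the question uses. It assumes the caller has already verified the computer's AD authentication and passes a checked computer id; the bucket name and the per-computer prefix policy are illustrative assumptions.

```java
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.services.sts.model.GetFederationTokenRequest;

/**
 * Central credential broker (hypothetical). GetFederationToken must be called with the
 * long-term credentials of an IAM user, so this host is the only place a long-term key
 * lives; rotating that one key never touches the 1000+ computers.
 */
public final class CredentialBroker {
    // STS allows up to 36 hours (129600 s) for GetFederationToken; a shorter lifetime
    // limits how long a token copied off a computer stays useful.
    private static final int DURATION_SECONDS = 12 * 3600;
    // Name constraint documented for GetFederationToken: 2-32 chars of [\w+=,.@-].
    private static final String NAME_PATTERN = "[\\w+=,.@-]{2,32}";

    private final StsClient sts;
    private final String bucket;   // assumed bucket, e.g. "example-telemetry-bucket"

    public CredentialBroker(StsClient sts, String bucket) {
        this.sts = sts;
        this.bucket = bucket;
    }

    /** Session policy restricting the token to this computer's own prefix (assumed layout). */
    static String scopedPolicy(String bucket, String computerId) {
        return "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\","
             + "\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],"
             + "\"Resource\":\"arn:aws:s3:::" + bucket + "/" + computerId + "/*\"}]}";
    }

    /** Called only after the computer's AD authentication has been verified by the caller. */
    public Credentials issueFor(String computerId) {
        if (!computerId.matches(NAME_PATTERN)) {
            throw new IllegalArgumentException("computer id is not a valid federated user name");
        }
        GetFederationTokenRequest request = GetFederationTokenRequest.builder()
            .name(computerId)                          // appears in CloudTrail as the federated user
            .policy(scopedPolicy(bucket, computerId))  // effective rights = broker user's rights intersected with this policy
            .durationSeconds(DURATION_SECONDS)
            .build();
        // The result carries access key id, secret key, session token and expiration;
        // the computer must ask for a new set before expiration() is reached.
        return sts.getFederationToken(request).credentials();
    }
}
```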

Answer 2

Score: 0

AFAIK you need to ensure that your application on each computer has an up-to-date access key. My recommendation is to store the access key in a centralized place from which the application will retrieve it. Thus, once you rotate the key and update the centralized storage, it will be reflected in all your application instances.

Answer 3

Score: 0

The AWS Java SDKs use a credential chain. The credential chain just means the SDK will look for credentials in 6 different places in this order:

  1. Java system properties – aws.accessKeyId and aws.secretAccessKey. The AWS SDK for Java uses the SystemPropertyCredentialsProvider to load these credentials.
  2. Environment variables – AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The AWS SDK for Java uses the EnvironmentVariableCredentialsProvider class to load these credentials.
  3. The default credential profiles file – The specific location of this file can vary per platform, but is typically located at ~/.aws/credentials. This file is shared by many of the AWS SDKs and by the AWS CLI. The AWS SDK for Java uses the ProfileCredentialsProvider to load these credentials.
  4. You can create a credentials file by using the aws configure command provided by the AWS CLI. You can also create it by editing the file with a text editor. For information about the credentials file format, see AWS Credentials File Format.
  5. Amazon ECS container credentials – This is loaded from Amazon ECS if the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. The AWS SDK for Java uses the ContainerCredentialsProvider to load these credentials.
  6. Instance profile credentials – This is used on Amazon EC2 instances, and delivered through the Amazon EC2 metadata service. The AWS SDK for Java uses the InstanceProfileCredentialsProvider to load these credentials.

https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html
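A client-side counterpart as an added example (not from the answers or the SDK docs): a custom AwsCredentialsProvider for the AWS SDK for Java v2 that pulls the temporary credentials issued by a central service (answers 1 and 2) and is handed to the S3 client in place of the default chain listed above. The BrokerClient transport, the IssuedCredentials record and the region are assumptions; how the computer proves its AD identity to the broker is out of scope here.

```java
import java.time.Duration;
import java.time.Instant;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;

/** Resolves short-lived session credentials from the broker and refreshes them before expiry. */
public final class BrokerCredentialsProvider implements AwsCredentialsProvider {
    /** Hypothetical transport to the central service (e.g. HTTPS with the computer's AD ticket). */
    public interface BrokerClient {
        IssuedCredentials fetch();
    }
    /** What the broker hands back; mirrors the STS Credentials fields (Java 16+ record). */
    public record IssuedCredentials(String accessKeyId, String secretAccessKey,
                                    String sessionToken, Instant expiration) {}

    // Refresh this long before expiry so an in-flight upload never fails on a stale token.
    private static final Duration REFRESH_MARGIN = Duration.ofMinutes(15);
    private final BrokerClient broker;
    private volatile IssuedCredentials cached;

    public BrokerCredentialsProvider(BrokerClient broker) {
        this.broker = broker;
    }

    private static boolean needsRefresh(IssuedCredentials c) {
        return c == null || Instant.now().plus(REFRESH_MARGIN).isAfter(c.expiration());
    }

    @Override
    public AwsCredentials resolveCredentials() {
        IssuedCredentials current = cached;
        if (needsRefresh(current)) {
            synchronized (this) {                  // one fetch per expiry, even with many threads
                current = cached;
                if (needsRefresh(current)) {
                    current = broker.fetch();      // nothing long-lived is ever written to disk
                    cached = current;
                }
            }
        }
        return AwsSessionCredentials.create(
            current.accessKeyId(), current.secretAccessKey(), current.sessionToken());
    }

    /** S3 client that uses the broker instead of the default credential chain. */
    public static S3Client s3For(BrokerClient broker) {
        return S3Client.builder()
            .region(Region.US_EAST_1)              // assumed region
            .credentialsProvider(new BrokerCredentialsProvider(broker))
            .build();
    }
}
```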

Posted by huangapple on 2020-09-30 19:40:14
Source: https://go.coder-hub.com/64136821.html