Reference: AWS

http4k-connect provides a standardised mechanism to connect to several AWS services. They all use the same mechanisms for authentication, which is what this page is about.

Auth

Authing into AWS services is possible with a few different mechanisms based on the environmental variables passed to your app. Under the covers, there is a CredentialProvider implementation which is switchable depending on your use-case:

Static AWS AccessKey/Secret authorisation uses:

  • AWS_REGION
  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN

This is the default mechanism, so no special action is required:

val sqs = SQS.Http()

STS authorisation uses:

  • AWS_REGION
  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN

This auth method uses the STS AssumeRole action to retrieve the rotating credentials from STS using auth from the environmental variables. This requires overriding the credentials provider used when constructing the client:

val sqs = SQS.Http(credentialsProvider = CredentialsProvider.STS())

STS WebIdentity authorisation uses:

  • AWS_ROLE_ARN
  • AWS_WEB_IDENTITY_TOKEN_FILE

This auth method uses the STS AssumeRoleWithWebIdentity action to retrieve the rotating credentials from STS using the Web Identity JWT from the file path contained in the env variable. This requires overriding the credentials provider used when constructing the client:

val sqs = SQS.Http(credentialsProvider = CredentialsProvider.STSWebIdentity())