Trying to use S3 client in my ECS app for uploading files into S3 bucket (let's call it bucket1), S3 client is instantiated as follows:
import software.amazon.awssdk.services.s3.S3Client;

private S3Client getClient() {
    return S3Client.builder().build();
}
Task definition has been configured to use ecsTaskExecutionRole as "Task execution role", so I have added the following permissions policy to it:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1",
                "arn:aws:s3:::bucket1/*"
            ]
        }
    ]
}
The same permissions policy has been added to ecsInstanceRole as well.
When I try to upload something, the following exception is dropped:
software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(): Profile file contained no credentials for profile 'default': ProfileFile(profiles=[]), ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]
Kind of lost here - am I supposed to specify AWS credentials in the list of environment variables? How to pass credentials otherwise?
By the way, "Task role" has been set to "None", in task definition, if that matters
CodePudding user response:
In your task definition, you should set the task role parameter to the IAM role that you created earlier. This task role is used by the container to access AWS services.
Alternatively, you can use environment variables to create clients as well by setting variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY: https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials.html
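A check for the task-definition settings discussed in this thread, as an added example that is not part of the original question or answer: it inspects a task definition for a missing taskRoleArn, a task role that reuses the execution role, and static access keys passed as container environment variables. The sample task definition, account ID, role names, key value and the function names lint_task_definition and fixed_copy are constructed for illustration.

```python
import json

# Constructed sample: execution role set, task role left as "None" (as in the question),
# plus a static key in the container environment (the answer's alternative).
BROKEN = json.loads("""
{
  "family": "uploader",
  "executionRoleArn": "arn:aws:iam::111111111111:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {"name": "app", "image": "example/app:1",
     "environment": [{"name": "AWS_ACCESS_KEY_ID", "value": "EXAMPLE-NOT-A-REAL-KEY"}]}
  ]
}
""")

STATIC_KEY_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}


def lint_task_definition(task_def):
    """Return findings about how the task's containers will obtain AWS credentials."""
    findings = []
    task_role = task_def.get("taskRoleArn")
    if not task_role:
        # Without a task role, ECS does not set AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,
        # so the SDK's ContainerCredentialsProvider has nothing to fetch.
        findings.append("no taskRoleArn: application code gets no role credentials")
    elif task_role == task_def.get("executionRoleArn"):
        findings.append("taskRoleArn equals executionRoleArn: use a dedicated task role")
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            if env.get("name") in STATIC_KEY_VARS:
                findings.append(
                    f"container {container.get('name')!r}: static credential in "
                    f"environment ({env['name']})"
                )
    return findings


def fixed_copy(task_def, task_role_arn):
    """Return a copy with a dedicated task role set and static key variables removed."""
    fixed = json.loads(json.dumps(task_def))  # deep copy via JSON round trip
    fixed["taskRoleArn"] = task_role_arn
    for container in fixed.get("containerDefinitions", []):
        container["environment"] = [
            e for e in container.get("environment", []) if e.get("name") not in STATIC_KEY_VARS
        ]
    return fixed
```

The S3 permissions policy from the question would then be attached to the role named in taskRoleArn, whose trust policy must allow ecs-tasks.amazonaws.com to assume it.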