
Testing AWS Clients with IAM AssumeRole Credentials in Scala

2020-01-06 Discuss

This technique is meant for IntelliJ Scala worksheets or similar scratch code, where you want to exercise AWS clients and validate their behavior. Don't check in secrets – in production code, use on-instance credentials through the DefaultAWSCredentialsProviderChain. The worksheet holds live credentials while you are using it, so blank the values again before you save or share the file.

import com.amazonaws.auth.AWSStaticCredentialsProvider
import com.amazonaws.auth.BasicSessionCredentials
import com.amazonaws.regions.Regions
import com.amazonaws.services.autoscaling.AmazonAutoScalingClientBuilder
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest

// Config values – fill these in locally and blank them again before saving or sharing the worksheet.

// Session credentials (key id, secret key, session token) that act as the starting identity.
val accessKeyId: String = ""
val secretAccessKey: String = ""
val token: String = ""

// Some("role-name") to assume that role through STS first; None to use the credentials above as they are.
val role: Option[String] = Option.empty[String]
// Account that owns the role; only read when `role` is defined.
val accountId: String = ""
val region: Regions = Regions.US_WEST_1

// client configuration

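// Builds the credentials provider handed to the client under test.
//
//  - role = None:       the session credentials from the config values are used directly.
//  - role = Some(name): those credentials call STS AssumeRole for
//                       arn:aws:iam::<accountId>:role/<name>, and the temporary
//                       credentials STS returns are used instead.
//
// Either way the result is a static provider: nothing refreshes it, so calls start
// failing once the underlying session expires. That is fine for a worksheet, but it
// is one more reason not to copy this into long-running code.
val staticProvider: AWSStaticCredentialsProvider = {
  // Wrap the configured credentials once; both branches start from the same identity.
  val sourceProvider = new AWSStaticCredentialsProvider(
    new BasicSessionCredentials(accessKeyId, secretAccessKey, token)
  )

  role match {
    case None =>
      sourceProvider

    case Some(roleName) =>
      val stsClient = AWSSecurityTokenServiceClientBuilder
        .standard()
        .withCredentials(sourceProvider)
        .withRegion(region)
        .build()

      try {
        // The session name is recorded in CloudTrail with every call made under the
        // assumed role, so the "-testing" suffix makes worksheet activity easy to pick out.
        // No duration is requested, so STS applies its default session length.
        val req = new AssumeRoleRequest()
          .withRoleSessionName(s"$roleName-testing")
          .withRoleArn(s"arn:aws:iam::$accountId:role/$roleName")

        val assumedCreds = stsClient.assumeRole(req).getCredentials

        new AWSStaticCredentialsProvider(
          new BasicSessionCredentials(
            assumedCreds.getAccessKeyId,
            assumedCreds.getSecretAccessKey,
            assumedCreds.getSessionToken
          )
        )
      } finally {
        // The STS client is only needed for this one call; release its connection
        // pool whether or not AssumeRole succeeded.
        stsClient.shutdown()
      }
  }
}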

// Auto Scaling client under test, built with the provider and region chosen above.
// Swap in another service's builder to try a different client with the same identity.
val client = {
  val configuredBuilder = AmazonAutoScalingClientBuilder
    .standard()
    .withCredentials(staticProvider)
    .withRegion(region)

  configuredBuilder.build()
}