0 votes
3 views
in AWS by (19.1k points)

I want to use Java to access DynamoDB on an EC2 instance. This EC2 instance has been granted an IAM role, with which I can directly access DynamoDB by using the AWS CLI: aws dynamodb list-tables. Now I am trying to access DynamoDB via Java. The Java code should be able to assume the role, but it didn't work.

public static void main(String[] args) throws Exception {
    String ROLE_ARN = "arn:aws:iam::....";

    // Request temporary credentials for the role from STS
    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient();
    AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
        .withRoleArn(ROLE_ARN)
        .withDurationSeconds(3600)
        .withRoleSessionName("demo");
    AssumeRoleResult assumeResult = stsClient.assumeRole(assumeRequest);

    // Wrap the returned access key, secret key and session token
    BasicSessionCredentials temporaryCredentials = new BasicSessionCredentials(
                assumeResult.getCredentials().getAccessKeyId(),
                assumeResult.getCredentials().getSecretAccessKey(),
                assumeResult.getCredentials().getSessionToken());

    // Build the DynamoDB client from those credentials and list the tables
    AmazonDynamoDBClient client = new AmazonDynamoDBClient(temporaryCredentials);
    DynamoDB dynamoDB = new DynamoDB(client);
    TableCollection<ListTablesResult> tables = dynamoDB.listTables();
    Iterator<Table> iterator_t = tables.iterator();

    System.out.println("Listing table names");
    while (iterator_t.hasNext()) {
        Table table = iterator_t.next();
        System.out.println(table.getTableName());
    }
}

When I ran the code on the EC2 instance, I got:

Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Not authorized to perform sts:AssumeRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 60313562-d462-11e6-a116-5bf8bb6a59ce)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1586)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1254)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1035)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:747)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:721)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:704)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:672)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:654)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:518)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1188)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1164)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:419)
    at com.spokeo.dynamo_elas.AccessAwsD.main(AccessAwsD.java:stsClient.assumeRole(assumeRequest))

Does anybody know how to solve this problem?

1 Answer

0 votes
by (44.4k points)

This is the solution:

// Read the temporary credentials of the IAM role attached to the instance
AWSCredentialsProvider provider = new InstanceProfileCredentialsProvider();
AWSCredentials credential = provider.getCredentials();

// Build the DynamoDB client with them and pin the region
AmazonDynamoDBClient client = new AmazonDynamoDBClient(credential);
client.setRegion(Region.getRegion(Regions.US_WEST_2));

DynamoDB dynamoDB = new DynamoDB(client);
TableCollection<ListTablesResult> tables = dynamoDB.listTables();

The pom.xml file has to be modified to avoid conflicts:

    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.2</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind -->
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.8.5</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-cbor -->
    <dependency>
        <groupId>com.fasterxml.jackson.dataformat</groupId>
        <artifactId>jackson-dataformat-cbor</artifactId>
        <version>2.8.5</version>
    </dependency>
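
The following is an added example, not part of the original question or answer: it prints which principal the SDK is actually calling as on the instance, then lists tables with a client that holds the credentials provider rather than a one-time copy of the keys. It assumes a 1.11.x or later release of the AWS SDK for Java v1 that includes the client builders; the class name is hypothetical and the region is the one used in the answer.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult;

// Hypothetical class name, used only for this illustration.
public class InstanceRoleDynamoCheck {

    public static void main(String[] args) {
        // Hand the provider itself to each client. The role's keys are temporary;
        // a provider lets the SDK fetch fresh ones from the instance metadata
        // service, while a copied AWSCredentials object stops working at expiry.
        AWSCredentialsProvider provider = InstanceProfileCredentialsProvider.getInstance();

        // GetCallerIdentity requires no IAM permission and returns the ARN
        // of whoever owns the keys the SDK resolved.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(provider)
                .withRegion(Regions.US_WEST_2)
                .build();
        GetCallerIdentityResult who = sts.getCallerIdentity(new GetCallerIdentityRequest());
        System.out.println("Calling as: " + who.getArn());

        // With an instance role attached, the ARN looks like
        // arn:aws:sts::<account-id>:assumed-role/<role-name>/<instance-id>,
        // i.e. the role is already assumed and no sts:AssumeRole call is needed.
        if (!who.getArn().contains(":assumed-role/")) {
            throw new IllegalStateException(
                    "Not running with instance role credentials: " + who.getArn());
        }

        AmazonDynamoDB dynamo = AmazonDynamoDBClientBuilder.standard()
                .withCredentials(provider)
                .withRegion(Regions.US_WEST_2)
                .build();

        // listTables() returns the first page of results (up to 100 names).
        System.out.println("Listing table names");
        for (String name : dynamo.listTables().getTableNames()) {
            System.out.println(name);
        }
    }
}
```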
