Instance Profile Credentials using Spring Cloud

1. Introduction

In this quick article, we’re going to build a Spring Cloud application that uses instance profile credentials to connect to an S3 bucket.

2. Provisioning Our Cloud Environment

Instance profiles are an AWS feature that allows EC2 instances to connect to other AWS resources with temporary credentials. These credentials are short-lived and are automatically rotated by AWS.

Users can only request temporary credentials from within EC2 instances. However, we can use these credentials from anywhere until they expire.

To get more help specifically on instance profile configuration, check out AWS’s documentation.

2.1. Deployment

First of all, we need an AWS environment that has the appropriate setup.

For the code sample below, we need to stand up an EC2 instance, an S3 bucket, and the appropriate IAM roles. To do this, we can use the CloudFormation template in the code sample or simply stand these resources up on our own.

2.2. Verification

Next, we should make sure our EC2 instance can retrieve instance profile credentials. Replace <InstanceProfileRoleName> with the actual instance profile role name:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<InstanceProfileRoleName>

If everything is setup correctly, then the JSON response will contain AccessKeyId, SecretAccessKey, Token, and Expiration properties.

3. Configuring Spring Cloud

Now, for our sample application. We need to configure Spring Boot to use instance profiles, which we can do in our Spring Boot configuration file:

cloud.aws.credentials.instanceProfile=true

And, that’s it! If this Spring Boot application is deployed in an EC2 instance, then each client will automatically attempt to use instance profile credentials to connect to AWS resources.

This is because Spring Cloud uses the EC2ContainerCredentialsProviderWrapper from the AWS SDK. This will look for credentials in priority order, automatically ending with instance profile credentials if it can’t find any others in the system.

If we need to specify that Spring Cloud only use instance profiles, then we can instantiate our own AmazonS3 instance.

We can configure it with an InstanceProfileCredentialsProvider and publish it as a bean:

@Bean
public AmazonS3 amazonS3() {
    InstanceProfileCredentialsProvider provider
      = new InstanceProfileCredentialsProvider(true);
    return AmazonS3ClientBuilder.standard()
      .withCredentials(provider)
      .build();
}

This will replace the default AmazonS3 instance provided by Spring Cloud.

4. Connecting to Our S3 Bucket

Now, we can connect to our S3 bucket using Spring Cloud as normal, but without needing to configure permanent credentials:

@Component
public class SpringCloudS3Service {

    // other declarations

    @Autowired
    AmazonS3 amazonS3;

    public void createBucket(String bucketName) {
        // log statement
        amazonS3.createBucket(bucketName);
    }
}

Remember that because instance profiles are only issued to EC2 instances, this code only works when running on an EC2 instance.

Of course, we can repeat the process for any AWS service that our EC2 instance connects to, including EC2, SQS, and SNS.

5. Conclusion

In this tutorial, we’ve seen how to use instance profile credentials with Spring Cloud. Also, we created a simple application that connects to an S3 bucket.

As always, the full source can be found over on GitHub.

Leave a Reply

Your email address will not be published.