Connect to Timestream from IKS(EC2) with AssumeRole

[guillermoMartin96]

We are currently trying to use the AWS SDK to get a TimestreamWriteClient to write some entries into timestream from our java app.

We were connecting using IAM secret access key and access key, but we want to move away from this and use IAM Role

I have tried using this example to do so: https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javav2/example_code/sts/src/main/java/com/example/sts/AssumeRole.java

However I receive this error when I deploy: Profile file contained no credentials for profile 'default': ProfileFile(profiles=[])

In our services home directory I have added the .aws/credentials file, but we still receive this error.

Not sure if there is another solution to connect to TimestreamWriteClient with IAMRole, or if I am missing something in our current approach. Any help is appreciated, thank you.

[guillermoMartin96]

return TimestreamWriteClient.builder()
.credentialsProvider(getAwsCredentialsProvider(idpsSecrets))
.httpClientBuilder(httpClientBuilder)
.overrideConfiguration(overrideConfig.build())
.region(Region.US_WEST_2)
.build();

private static AwsCredentialsProvider getAwsCredentialsProvider(Map<String, String> idpsSecrets) {

    StsClient stsClient = StsClient.builder()
            .region(Region.US_WEST_2)
            .credentialsProvider(ProfileCredentialsProvider.create())
            .build();

    final String roleArn = idpsSecrets.get("timeStreamRoleArn");
    final String roleSessionName = "IxpFFStreamTimeStreamSession";
    String[] roleAccessKeyIdAndSecretAccessKey = assumeGivenRole(stsClient, roleArn, roleSessionName, idpsSecrets);

    final String accessKeyId = roleAccessKeyIdAndSecretAccessKey[ACCESS_KEY_INDEX];
    final String secretAccessKey = roleAccessKeyIdAndSecretAccessKey[SECRET_ACCESS_KEY_INDEX];
    final AwsCredentials awsCredentials = AwsBasicCredentials.create(accessKeyId,secretAccessKey);
    return StaticCredentialsProvider.create(awsCredentials);

}

public static String[] assumeGivenRole(StsClient stsClient, String roleArn, String roleSessionName, Map<String, String> idpsSecrets) {

    String[] roleAccessKeyIdAndSecretAccessKey = new String[2];
    try {
        AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(roleSessionName)
                .build();

        AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);
        Credentials myCreds = roleResponse.credentials();


        // Display the time when the temp creds expire.
        Instant exTime = myCreds.expiration();
        String tokenInfo = myCreds.sessionToken();

        // Convert the Instant to readable date.
        DateTimeFormatter formatter =
                DateTimeFormatter.ofLocalizedDateTime( FormatStyle.SHORT )
                        .withLocale( Locale.US)
                        .withZone( ZoneId.systemDefault() );

        formatter.format( exTime );
        System.out.println("The token "+tokenInfo + "  expires on " + exTime );
        roleAccessKeyIdAndSecretAccessKey[ACCESS_KEY_INDEX] = myCreds.accessKeyId();
        roleAccessKeyIdAndSecretAccessKey[SECRET_ACCESS_KEY_INDEX] = myCreds.secretAccessKey();


    } catch (StsException e) {
        log.error("event=ASSUME_ROLE_ERROR, exception={}", e.getMessage());
        roleAccessKeyIdAndSecretAccessKey[ACCESS_KEY_INDEX] = idpsSecrets.get("timeStreamAccessKeyId");
        roleAccessKeyIdAndSecretAccessKey[SECRET_ACCESS_KEY_INDEX]= idpsSecrets.get("timeStreamSecretAccessKey");
    }
    return roleAccessKeyIdAndSecretAccessKey;

[indrora]

It looks like you're trying to start an EC2 instance then make it call iam:AssumeRole, is that correct? In order to AssumeRole, you must have credentials that allow you to take that role in the first place.

If you're starting an EC2 instance, you can shortcut that and have EC2 start the instance with that role already. Information on this is available in the EC2 documentation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

For information on using EKS with IAM roles and permissions, see the documentation: https://docs.aws.amazon.com/eks/latest/userguide/security-iam.html

[guillermoMartin96]

The issue is with the TimestreamWriteClient which takes in a credentials Provider to initialize. We want to initialize this with IAMRole. It does not accept InstanceProfileCredentialsProvider here.

[indrora]

To understand clearer: You need your EC2 instance to use a different role to talk to Timestream? (That is, you're launching the EC2 instance with credential set A, and need to interact with TimeStream using credential set B)?

[guillermoMartin96]

Well this is through Kubernetes, so our namespace has an ARN associated with it that we want to use to assume role in aws that has access to timestream. Not sure if the EC2 instances have their own unique ARNs.