1

我有一个在框架内运行的应用程序。该框架不允许 FILE IO 并抛出各种安全异常来杀死我的应用程序。

我可以通过系统属性传递 accessKeyId 和 secretAccessKey 并且它们被正确传递。

我遇到的问题是,无论我做什么,AWS SDK 中的默认设置总是首先尝试通过文件 IO 获取凭证(寻找它的 ~/.aws/credentials),从而杀死一切。

反正有没有禁止该文件尝试?或者另一种方式来做到这一点?

我正在使用 aws java SDK2。奇怪的是 SDK1 似乎工作正常,但是太大了,因为它不能像 SDK2 那样分解成模块。

        private SqsClient initialiseClient() {
        System.out.println(System.getProperty("aws.accessKeyId")); // this works
        System.out.println(System.getProperty("aws.secretAccessKey"));  // this works

        return SqsClient.builder()
                .credentialsProvider(SystemPropertyCredentialsProvider.create())
                .region(Region.EU_WEST_1)
                .build());
        }

堆栈跟踪:

    Exception in thread "Thread-28" java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\username\.aws\credentials" "read")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at sun.nio.fs.WindowsPath.checkRead(WindowsPath.java:792)
    at sun.nio.fs.WindowsFileAttributeViews$Basic.readAttributes(WindowsFileAttributeViews.java:49)
    at sun.nio.fs.WindowsFileAttributeViews$Basic.readAttributes(WindowsFileAttributeViews.java:38)
    at sun.nio.fs.WindowsFileSystemProvider.readAttributes(WindowsFileSystemProvider.java:193)
    at java.nio.file.Files.readAttributes(Files.java:1737)
    at java.nio.file.Files.isRegularFile(Files.java:2229)
    at software.amazon.awssdk.profiles.ProfileFileLocation.lambda$resolveIfExists$1(ProfileFileLocation.java:128)
    at java.util.Optional.filter(Optional.java:178)
    at software.amazon.awssdk.profiles.ProfileFileLocation.resolveIfExists(ProfileFileLocation.java:128)
    at software.amazon.awssdk.profiles.ProfileFileLocation.credentialsFileLocation(ProfileFileLocation.java:78)
    at software.amazon.awssdk.profiles.ProfileFile.addCredentialsFile(ProfileFile.java:138)
    at software.amazon.awssdk.utils.builder.SdkBuilder.applyMutation(SdkBuilder.java:61)
    at software.amazon.awssdk.profiles.ProfileFile.defaultProfileFile(ProfileFile.java:90)
    at software.amazon.awssdk.core.client.builder.SdkDefaultClientBuilder.mergeGlobalDefaults(SdkDefaultClientBuilder.java:196)
    at software.amazon.awssdk.core.client.builder.SdkDefaultClientBuilder.syncClientConfiguration(SdkDefaultClientBuilder.java:149)
    at software.amazon.awssdk.services.sqs.DefaultSqsClientBuilder.buildClient(DefaultSqsClientBuilder.java:27)
    at software.amazon.awssdk.services.sqs.DefaultSqsClientBuilder.buildClient(DefaultSqsClientBuilder.java:22)
    at software.amazon.awssdk.core.client.builder.SdkDefaultClientBuilder.build(SdkDefaultClientBuilder.java:124)
    at net.something.fdDataExchange.messageHandlers.QMessageHandlerV2.lambda$initialiseClient$0(QMessageHandlerV2.java:66)
    at java.security.AccessController.doPrivileged(Native Method)
    at net.something.fdDataExchange.messageHandlers.QMessageHandlerV2.initialiseClient(QMessageHandlerV2.java:63)
    at net.something.fdDataExchange.messageHandlers.QMessageHandlerV2.connect(QMessageHandlerV2.java:52)
    at net.something.fdDataExchange.messageHandlers.QMessageHandlerV2.<init>(QMessageHandlerV2.java:47)
    at net.something.fdDataExchange.MessageHandler.receiveDirectMsg(MessageHandler.java:28)
    at net.something.fdDataExchange.commandProcessors.QCommandProcessor.run(QCommandProcessor.java:19)
    at java.lang.Thread.run(Thread.java:748)
4

1 回答 1

1

您可以尝试实现自定义提供程序,而不是使用系统凭据提供程序。这是一个连接到 S3 的小示例,但它适用于 AWS 的任何服务。这是供您参考的链接: https ://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html

BasicAWSCredentials awsCreds = new BasicAWSCredentials("access_key_id", "secret_key_id");
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                        .withCredentials(new AWSStaticCredentialsProvider(awsCreds))
                        .build();

对于 SDK2,也许这应该有效:

向 AWS 客户端显式提供凭证

实例化提供 AwsCredentials 接口的类,例如 AwsSessionCredentials。为它提供 AWS 访问密钥和秘密密钥以用于连接。

使用 AwsCredentials 对象创建一个 StaticCredentialsProvider。

使用 StaticCredentialsProvider 配置客户端构建器并构建客户端。

以下示例创建一个使用您提供的凭据的新服务客户端:

AwsSessionCredentials awsCreds = AwsSessionCredentials.create(
    "your_access_key_id_here",
    "your_secret_key_id_here",
    "your_session_token_here");

S3Client s32 = S3Client.builder()
                       .credentialsProvider(StaticCredentialsProvider.create(awsCreds))
                       .build();

来源:https ://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html

希望能帮助到你!

于 2020-04-10T18:21:46.683 回答