我们持续将消息发布到另一个 AWS 账户中的 Kinesis 流，因此需要通过 STS AssumeRole API 请求获取短期凭证来发布消息。STSAssumeRoleSessionCredentialsProvider 能够定期刷新这些凭证。
我们的 Spring bean 配置如下。AmazonKinesisAsync 需要一个 AWSCredentialsProvider。因此，如果我把 STSAssumeRoleSessionCredentialsProvider 定义为 Spring bean，并像下面这样把它设置到 AmazonKinesisAsync bean 中，是否可以期望凭证在过期后会被自动刷新？还是说我还有其他需要注意的地方？
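/**
 * Builds the credentials provider used to publish into the Kinesis stream of another account.
 *
 * <p>The provider issues the STS AssumeRole call and, as the surrounding text states, handles
 * refreshing the short-lived credentials itself; the resulting bean is simply handed to the SDK
 * client builder.
 *
 * @param roleArn         ARN of the role to assume in the target account
 * @param roleSessionName session name recorded on the assumed-role session
 * @return a refreshing {@link AWSCredentialsProvider} backed by STS
 */
@Bean
public AWSCredentialsProvider roleCredentialsProvider(String roleArn, String roleSessionName) {
    // NOTE(review): Spring must be able to inject these two Strings (typically via @Value) —
    // confirm with the application's property configuration.
    AWSSecurityTokenService stsClient =
            AWSSecurityTokenServiceClientBuilder.standard().withRegion("us-east-1").build();
    // Fix: the original ignored both parameters and assumed the literals "role-arn"/"role-session".
    STSAssumeRoleSessionCredentialsProvider.Builder builder =
            new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, roleSessionName);
    // 900 s is the minimum session duration STS accepts. The external ID is the value the target
    // account's trust policy checks (confused-deputy protection); "externalId" is still the
    // placeholder from the original and should come from configuration, not source.
    builder.withRoleSessionDurationSeconds(900)
            .withExternalId("externalId")
            .withStsClient(stsClient);
    return builder.build();
}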
/**
 * Kinesis async client for the target account's stream.
 *
 * <p>Every request is signed with credentials obtained from {@code credProvider}; presumably the
 * SDK consults the provider when signing, so a refreshing provider keeps this long-lived client
 * usable after an assumed-role session expires — confirm against the SDK version in use.
 *
 * @param credProvider provider passed to the client builder (the STS-backed bean)
 * @return the configured client
 */
@Bean
public AmazonKinesisAsync amazonKinesis(final AWSCredentialsProvider credProvider) {
    // No SDK-level retries and a 1 s connection timeout: failures surface to the caller quickly
    // instead of being retried inside the client.
    final ClientConfiguration clientConfig = new ClientConfiguration()
            .withMaxErrorRetry(0)
            .withConnectionTimeout(1000);
    return AmazonKinesisAsyncClientBuilder.standard()
            .withRegion("us-east-1")
            .withClientConfiguration(clientConfig)
            .withCredentials(credProvider)
            .build();
}
/**
 * Spring Integration outbound handler that writes messages to Kinesis.
 *
 * @param amazonKinesis  the async client bean
 * @param successChannel channel wired as the handler's output channel
 * @param errorChannel   channel wired as the handler's failure channel
 * @return the handler, registered under the bean name {@code kinesisMessageHandler}
 */
@Bean(name = "kinesisMessageHandler")
public MessageHandler kinesisMessageHandler(final AmazonKinesisAsync amazonKinesis,
        @Qualifier("successChannel") MessageChannel successChannel,
        @Qualifier("errorChannel") MessageChannel errorChannel) {
    final KinesisMessageHandler handler = new KinesisMessageHandler(amazonKinesis);
    // setSync(false) requests asynchronous sends; outcomes are expected to be reported on the
    // two channels below — confirm against the handler's documentation.
    handler.setSync(false);
    handler.setOutputChannel(successChannel);
    handler.setFailureChannel(errorChannel);
    return handler;
}