To Use Amazon Web Services, you must supply AWS credentials to the AWS SDK for Java. 

There 3 ways to load the aws credentials.

 1). Default credential provider chain (recommended) 

 2). Use a specific credential provider or provider chain 

 3). Apply the credentials yourself. These can be root account credentials, IAM credentials, or temporary credentials retrieved from AWS STS.

Table of Content :


Default Credential Provider Chain

For this AWS SDK for Java attempts to find AWS credentials by using the default credential provider chain implemented by the DefaultAWSCredentialsProviderChain, which has syntax like

For loading credentials for AmazonS3Client
public static AmazonS3 amazonS3Client() { return AmazonS3ClientBuilder.standard().withCredentials(new DefaultAWSCredentialsProviderChain()).withRegion(Regions.AP_SOUTH_1).build(); } For loading credentials for AmazonSNS public static AmazonSNS amazonSNS() { return AmazonSNSClientBuilder.standard().withCredentials(new DefaultAWSCredentialsProviderChain()).withRegion(Regions.AP_SOUTH_1).build(); }

Here is Constructor for DefaultAWSCredentialsProviderChain

public DefaultAWSCredentialsProviderChain() {
super(new EnvironmentVariableCredentialsProvider(), new SystemPropertiesCredentialsProvider(), new ProfileCredentialsProvider(), new EC2ContainerCredentialsProviderWrapper()); }

The default credential provider chain looks for credentials in the following order:

1). Environment variables–AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The AWS SDK for Java uses the EnvironmentVariableCredentialsProvider class to load these credentials. 

 2). Java system properties–aws.accessKeyId and aws.secretKey. The AWS SDK for Java uses the SystemPropertiesCredentialsProvider to load these credentials.

 3). The default credential profiles file– typically located at ~/.aws/credentials c(location can vary per platform), and shared by many of the AWS SDKs and by the AWS CLI. The AWS SDK for Java uses the ProfileCredentialsProvider to load these credentials. In our case OS is Ubuntu so its location is; /home/devuser/.aws/credentials

[default]
aws_access_key_id = YourAwsAccessKeyId aws_secret_access_key = YourAwsSecretAccessKey region = yourAwsRegion

4). You can create a credentials file by using the aws configure command provided by the AWS CLI, or you can create it by editing the file with a text editor. For information about the credentials file format, see AWS Credentials File Format.

 5). Amazon ECS container credentials– loaded from the Amazon ECS if the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. The AWS SDK for Java uses the ContainerCredentialsProvider to load these credentials. You can specify the IP address for this value. 6). Web Identity Token credentials from the environment or container.


Setting AWS Credentials

Setting your credentials for use by the AWS SDK for Java can be done in a number of ways, but here are the recommended approaches:

 1). Set credentials in the AWS credentials profile file on your local system, located at: ~/.aws/credentials on Linux, macOS C:\Users\USERNAME\.aws\credentials on Windows This file should contain lines in the following format:

[default]
aws_access_key_id = YourAwsAccessKeyId aws_secret_access_key = YourAwsSecretAccessKey region = yourAwsRegion

Substitute your own AWS credentials values for the values YourAwsAccessKeyId and YourAwsSecretAccessKey.

2). Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. To set these variables on Linux, or  macOS, use export :

export AWS_ACCESS_KEY_ID = YourAwsAccessKeyId
export AWS_SECRET_ACCESS_KEY = YourAwsSecretAccessKey export AWS_REGION = yourAwsRegion

On Windows, use set :

export AWS_ACCESS_KEY_ID = YourAwsAccessKeyId
export AWS_SECRET_ACCESS_KEY = YourAwsSecretAccessKey set AWS_REGION = yourAwsRegion

Once you have set your AWS credentials using one of these methods, they will be loaded automatically by the AWS SDK for Java by using the default credential provider chain.

Setting an Alternate Credentials File Location

The AWS SDK for Java loads AWS credentials automatically from the default credentials file location. However, you can also specify the location by setting the AWS_CREDENTIAL_PROFILES_FILE environment variable with the full path to the credentials file.


To override the default credentials file location

Set the AWS_CREDENTIAL_PROFILES_FILE environment variable to the location of your AWS credentials file. On Linux, macOS, use export :

export AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file

On Windows, use set :

set AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file
Setting an Alternate Credentials Profile

The AWS SDK for Java uses the default profile by default, but there are ways to customize which profile is sourced from the credentials file. You can use the AWS Profile environment variable to change the profile loaded by the SDK.

1). On Linux or macOS you would run the following command to change the profile to myProfile.

export AWS_PROFILE="myProfile"

2). On Windows, you would use the following.

set AWS_PROFILE="myProfile"

Setting the AWS_PROFILE environment variable affects credential loading for all officially supported AWS SDKs and Tools (including the AWS CLI and the AWS CLI for PowerShell). To change only the profile for a Java application, you can use the system property aws.profile instead.

 Note: The environment variable takes precedence over the system property.

What is AWS Credentials File Format ?

When you use the AWS configure command to create an AWS credentials file, the command creates a file with the following format.

[default]
aws_access_key_id={YourAwsAccessKeyId} aws_secret_access_key={YourAwsSecretAccessKey} [profile2] aws_access_key_id={YourAwsAccessKeyId} aws_secret_access_key={YourAwsSecretAccessKey}

The profile name is specified in square brackets (for example, [default]), followed by the configurable fields in that profile as key-value pairs. You can have multiple profiles in your credentials file, which can be added or edited using AWS configure --profile PROFILE_NAME to select the profile to configure. You can specify additional fields, such as aws_session_token, metadata_service_timeout, and metadata_service_num_attempts.

Loading Credentials

To do this, you instantiate an AWS Service client without explicitly providing credentials to the builder, as follows.

AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
.withRegion(Regions.AP_SOUTH_1) .build();

Specifying a Credential Provider or Provider Chain

You can specify a credential provider that is different from the default credential provider chain by using the client builder. You provide an instance of a credentials provider or provider chain to a client builder that takes an AWSCredentialsProvider interface as input. The following example shows how to use environment credentials specifically.

AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
.withCredentials(new EnvironmentVariableCredentialsProvider()) .build();

Explicitly Specifying Credentials 

If the default credential chain or a specific or custom provider or provider chain doesn’t work for your code, you can set credentials that you supply explicitly. If you’ve retrieved temporary credentials using AWS STS, use this method to specify the credentials for AWS access. To explicitly supply credentials to an AWS client

 1). Instantiate a class that provides the AWSCredentials interface, such as BasicAWSCredentials, and supply it with the AWS access key and secret key you will use for the connection. 

 2). Create an AWSStaticCredentialsProvider with the AWSCredentials object. 3). Configure the client builder with the AWSStaticCredentialsProvider and build the client.

BasicAWSCredentials awsCreds = new BasicAWSCredentials("accessKeyId", "secretKeyId");
AmazonS3 s3Client = AmazonS3ClientBuilder.standard() .withCredentials(new AWSStaticCredentialsProvider(awsCreds)) .build();

When using temporary credentials obtained from STS, create a BasicSessionCredentials object, passing it the STS-supplied credentials and session token.

BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
session_creds.getAccessKeyId(), session_creds.getSecretAccessKey(), session_creds.getSessionToken()); AmazonS3 s3 = AmazonS3ClientBuilder.standard() .withCredentials(new AWSStaticCredentialsProvider(sessionCredentials)) .build();

Questions/Articles related to Load aws credentials for java sdk

Unable to load AWS credentials from any provider in the chain in Spring Boot


- This error occurrs due to AWS client anable to load the aws credentials() from the follwing ways:

  • Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (RECOMMENDED since they are recognized by all the AWS SDKs and CLI), or AWS_ACCESS_KEY and AWS_SECRET_KEY (only recognized by Java SDK).
  • Java System Properties - aws.accessKeyId and aws.secretKey. or we can provide same properties in eclipse Environment section.
  • Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI Instance profile credentials delivered through the Amazon EC2 metadata service.

We can resolve this error by providind or adding credentials in any given location.

That's it!! We have seen  load AWS credentials for java SDK, also we have seen different ways to load AWS credentials for java SDK.