
Conversation

fangpenlin
Contributor

@fangpenlin fangpenlin commented Oct 2, 2025

ref: https://linear.app/infisical/issue/ENG-3808/aws-auth-method-support-in-java-sdk

Steps to test it:

  1. Create a role in AWS IAM
  2. Create an identity in your local Infisical to auth with the newly created IAM role
  3. Launch an AWS EC2 instance with the IAM role
  4. SSH into the EC2 instance with port 8080 forwarded from the EC2 host to your local host, e.g. `ssh -R 8080:localhost:8080 ec2-user@EC2HOSTNAME`
  5. Make a JAR with a simple main function for secret lookup, like this:
```java
package com.infisical.sdk;

import com.infisical.sdk.auth.AwsAuthProvider;
import com.infisical.sdk.config.SdkConfig;
import com.infisical.sdk.util.InfisicalException;

// InfisicalSdk lives in this same package, so it needs no import.
public class RetrieveEC2Credentials {
  public static void main(String[] args) throws InfisicalException {
    var sdk =
        new InfisicalSdk(
            new SdkConfig.Builder()
                // Optional, will default to https://app.infisical.com.
                // Points at the local Infisical reached through the SSH reverse tunnel.
                .withSiteUrl("http://localhost:8080")
                .build());

    // Sign an STS GetCallerIdentity request with the instance-profile
    // credentials and exchange it for an Infisical machine-identity token.
    sdk.Auth()
        .AwsAuthLogin(
            AwsAuthProvider.builder()
                .build()
                .fromInstanceProfile()
                .toLoginInput("361bda71-9a9b-4634-9206-0cbaab646799"));

    var secret =
        sdk.Secrets()
            .GetSecret(
                "foobar", // Secret name
                "2e008a0e-45c4-45d6-98cc-485e22f2424e", // Project ID
                "dev", // Environment slug
                "/", // Secret path
                null, // Expand Secret References (boolean, optional)
                null, // Include Imports (boolean, optional)
                null // Secret Type (shared/personal, defaults to shared, optional)
                );

    System.out.println(secret);
  }
}
```
  6. Package the JAR (fat JAR with all deps) and then use scp to upload it to the EC2 instance
  7. Install Java on the EC2 instance and run the main class in the JAR file like: `java -jar sdk-3.0.0.jar -cp com.infisical.sdk.RetrieveEC2Credentials`
  8. Verify the secret is retrieved

@fangpenlin fangpenlin force-pushed the ENG-3808-add-aws-auth branch from 87576eb to c4b2f44 Compare October 3, 2025 02:25
@fangpenlin fangpenlin changed the title WIP: [ENG-3808] Add aws auth login [ENG-3808] Add aws auth login Oct 3, 2025
@fangpenlin fangpenlin marked this pull request as ready for review October 3, 2025 16:28

@greptile-apps greptile-apps bot left a comment


Greptile Overview

Summary

This PR implements AWS authentication support for the Infisical Java SDK, allowing users to authenticate using AWS credentials (explicit credentials or instance profile) through IAM-based authentication mechanisms. The implementation follows AWS SigV4 signing protocols to create properly signed STS GetCallerIdentity requests that can be verified by Infisical's backend.

The changes introduce several key components:

  1. AwsAuthProvider - The core authentication provider that handles AWS credential signing using AWS SDK v2, creates signed STS requests, and properly encodes request parameters with Base64 encoding
  2. AwsAuthParameters - A data transfer object that wraps the AWS authentication parameters and provides conversion to the API input model
  3. AwsAuthLoginInput - The API input model containing the signed IAM request components (method, headers, body) along with identity validation
  4. AuthClient extension - Adds the new AwsAuthLogin method following the same pattern as existing LDAP authentication

The implementation maintains consistency with existing authentication methods in the codebase, using the same validation patterns, error handling approaches, and architectural design. New dependencies were added including AWS SDK auth, Jackson core for JSON processing, and upgraded Lombok version. The code includes comprehensive test coverage with deterministic testing capabilities through timestamp overrides.

Important Files Changed

| Filename | Score | Overview |
|---|---|---|
| pom.xml | 2/5 | Added AWS SDK dependencies and upgraded Lombok but has version conflicts and duplicate SLF4J dependencies |
| src/main/java/com/infisical/sdk/auth/AwsAuthProvider.java | 4/5 | Core AWS authentication provider implementing SigV4 signing with proper security practices |
| src/main/java/com/infisical/sdk/models/AwsAuthParameters.java | 5/5 | Simple data transfer object for AWS auth parameters with clean conversion method |
| src/main/java/com/infisical/sdk/resources/AuthClient.java | 4/5 | Added AWS authentication method following existing patterns consistently |
| src/test/java/com/infisical/sdk/auth/AwsAuthProviderTest.java | 4/5 | Comprehensive test coverage for AWS authentication with deterministic validation |
| src/main/java/com/infisical/sdk/models/AwsAuthLoginInput.java | 5/5 | API input model with proper validation following established patterns |

Confidence score: 3/5

  • This PR introduces substantial new functionality with minimal risk to existing code but has dependency management issues that need resolution
  • Score reflects well-structured AWS authentication implementation following established patterns, but lowered due to Maven dependency conflicts that could cause runtime issues
  • Pay close attention to pom.xml for version conflicts and duplicate dependencies that need to be resolved before merge

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant AwsAuthProvider
    participant AwsV4HttpSigner
    participant InstanceProfileCredentialsProvider
    participant AuthClient
    participant ApiClient
    participant InfisicalAPI as "Infisical API"

    User->>AwsAuthProvider: "fromCredentials(region, credentials, sessionToken)"
    AwsAuthProvider->>AwsV4HttpSigner: "create()"
    AwsAuthProvider->>AwsAuthProvider: "encodeParameters(params)"
    AwsAuthProvider->>AwsV4HttpSigner: "sign(signingRequest)"
    AwsV4HttpSigner-->>AwsAuthProvider: "signedRequest"
    AwsAuthProvider->>AwsAuthProvider: "Base64.encode(requestHeaders)"
    AwsAuthProvider->>AwsAuthProvider: "Base64.encode(requestBody)"
    AwsAuthProvider-->>User: "AwsAuthParameters"

    alt Instance Profile Authentication
        User->>AwsAuthProvider: "fromInstanceProfile()"
        AwsAuthProvider->>InstanceProfileCredentialsProvider: "create()"
        AwsAuthProvider->>InstanceProfileCredentialsProvider: "resolveCredentials()"
        InstanceProfileCredentialsProvider-->>AwsAuthProvider: "AwsSessionCredentials"
        AwsAuthProvider->>AwsAuthProvider: "fromCredentials(region, credentials, sessionToken)"
        AwsAuthProvider-->>User: "AwsAuthParameters"
    end

    User->>AwsAuthParameters: "toLoginInput(identityId)"
    AwsAuthParameters-->>User: "AwsAuthLoginInput"

    User->>AuthClient: "AwsAuthLogin(AwsAuthLoginInput)"
    AuthClient->>AwsAuthLoginInput: "validate()"
    AwsAuthLoginInput-->>AuthClient: "validation result"
    AuthClient->>ApiClient: "post(url, input, MachineIdentityCredential.class)"
    ApiClient->>InfisicalAPI: "POST /api/v1/auth/aws-auth/login"
    InfisicalAPI-->>ApiClient: "MachineIdentityCredential"
    ApiClient-->>AuthClient: "credential"
    AuthClient->>AuthClient: "onAuthenticate.accept(accessToken)"
    AuthClient-->>User: "authentication complete"
```

Additional Comments (1)

  1. pom.xml, line 166

    syntax: Lombok version mismatch - annotation processor uses 1.18.30 but dependency uses 1.18.42. This could cause compilation issues.

6 files reviewed, 5 comments

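The review above describes the mechanism only in outline: a SigV4-signed STS GetCallerIdentity request whose method, headers and body are Base64-encoded and sent with the identity id to /api/v1/auth/aws-auth/login. The following is an added example, not code from this PR or from the Infisical SDK (which uses AWS SDK v2's AwsV4HttpSigner), showing the signing and packaging steps end to end with only the Python standard library so it runs offline. The credentials are the AWS documentation placeholder key pair plus a made-up session token, the regional endpoint form `sts.<region>.amazonaws.com` and the JSON field names of the login input are assumptions for this example (the review only says the input carries method, headers, body and identity id), and the timestamp is passed in explicitly so signatures are reproducible, in the spirit of the timestamp override the review mentions.

```python
import base64
import datetime as dt
import hashlib
import hmac
import json

# Constructed credentials for this example only (the AWS documentation's
# placeholder access/secret key pair plus a made-up session token). Not live.
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"

# The only request this auth method signs: STS GetCallerIdentity, form-encoded.
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
SERVICE = "sts"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def sign_get_caller_identity(access_key, secret_key, session_token, region, now):
    """Return the headers of a SigV4-signed POST of STS_BODY to STS.

    `now` must be a UTC datetime; passing it in keeps signatures reproducible.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    # Lowercase names: SigV4 canonicalises header names to lowercase, and HTTP
    # header names are case-insensitive, so a verifier can replay them as-is.
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": f"sts.{region}.amazonaws.com",  # assumed regional endpoint form
        "x-amz-date": amz_date,
    }
    if session_token:  # instance-profile credentials are temporary and carry a token
        headers["x-amz-security-token"] = session_token

    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in sorted(headers))
    payload_hash = hashlib.sha256(STS_BODY.encode("utf-8")).hexdigest()
    # method, URI, query string (empty), canonical headers, signed headers, payload hash
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        derive_signing_key(secret_key, date_stamp, region),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def build_login_input(identity_id: str, signed_headers: dict) -> dict:
    """Package method, headers and body the way the login input carries them.

    Field names are an assumption for this example; check AwsAuthLoginInput
    in the SDK for the exact names.
    """
    return {
        "identityId": identity_id,
        "iamHttpRequestMethod": "POST",
        "iamRequestHeaders": base64.b64encode(json.dumps(signed_headers).encode("utf-8")).decode("ascii"),
        "iamRequestBody": base64.b64encode(STS_BODY.encode("utf-8")).decode("ascii"),
    }


def decode_login_input(login_input: dict) -> tuple:
    """What a verifier does first: unwrap the Base64 fields and refuse to
    forward anything other than a GetCallerIdentity call to STS."""
    headers = json.loads(base64.b64decode(login_input["iamRequestHeaders"]))
    body = base64.b64decode(login_input["iamRequestBody"]).decode("utf-8")
    if body != STS_BODY:
        raise ValueError("refusing to forward anything but GetCallerIdentity")
    return login_input["iamHttpRequestMethod"], headers, body


if __name__ == "__main__":
    signed = sign_get_caller_identity(
        EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, EXAMPLE_SESSION_TOKEN,
        "us-east-1", dt.datetime.now(dt.timezone.utc),
    )
    # Identity id taken from the PR description's test program.
    print(json.dumps(build_login_input("361bda71-9a9b-4634-9206-0cbaab646799", signed), indent=2))
```

The security point the body check in `decode_login_input` makes: the server side is handed a complete signed request and replays it, so it must pin the method and body to GetCallerIdentity (and the host to a genuine STS endpoint) before forwarding, otherwise a caller could have it sign and send arbitrary STS calls on the identity's behalf.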

Member

@DanielHougaard DanielHougaard left a comment


```java
    sdk.Auth()
        .AwsAuthLogin(
            AwsAuthProvider.builder()
                .build()
                .fromInstanceProfile()
                .toLoginInput("361bda71-9a9b-4634-9206-0cbaab646799"));
```

I'm thinking we may want to simplify this even further? For the Go, Node.js, Python, and other SDKs we just accept a plain identity ID without the need to specify whether you want to get the credentials from the instance profile.

Is it because we may want to add plain secret access key support in the future? If so, we could create an overloaded function for that if we have to in the future.

Curious what you think!

@fangpenlin
Contributor Author

@DanielHougaard Yeah, I think an overloaded method with just one string parameter makes sense. Then it would be much easier, like this:

```java
sdk.Auth().AwsAuthLogin("361bda71-9a9b-4634-9206-0cbaab646799")
```

In most cases, credentials can be retrieved automatically in the AWS environment, so taking in just the identity id and letting the default credential-finding mechanism do its job sounds like a reasonable design. The user still has the choice to feed in manually crafted credentials if they choose to or need to.

I can make a quick modification to make it work like that, just let me know.

@DanielHougaard
Member

> I can make a quick modification to make it work like that, just let me know.

That would be great @fangpenlin!

@fangpenlin
Contributor Author

Okay, done. Let me update the doc to reflect that as well.

@DanielHougaard
Member

Trying it out!

@fangpenlin fangpenlin merged commit b9eac32 into main Oct 3, 2025
2 checks passed
@fangpenlin fangpenlin deleted the ENG-3808-add-aws-auth branch October 3, 2025 23:08