S3EncryptionClient not picking up access/secret key and region of the wrapped S3Client object #251

@sid22

Problem:

My code is roughly

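    import software.amazon.awssdk.auth.credentials.{AwsBasicCredentials, StaticCredentialsProvider}
    import software.amazon.awssdk.regions.Region
    import software.amazon.awssdk.services.s3.S3Client

    // Plain S3 client with explicit static credentials and region
    val s3ClientObject =
      S3Client
        .builder()
        .credentialsProvider(
          StaticCredentialsProvider.create(
            AwsBasicCredentials.create(
              spec.accessKey.get,
              getSecretKey(metadataEncryptionUtils)
            )
          )
        )
        .region(Region.US_EAST_1)
        .build()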

The above builder object works fine; I am able to create a bucket, upload data, etc.
Now when I use S3EncryptionClient by wrapping the above, such as

    val encObject = 
      S3EncryptionClient
        .builder()
        .rsaKeyPair(userKeys)
        .enableLegacyUnauthenticatedModes(true)
        .enableLegacyWrappingAlgorithms(true)
        .wrappedClient(s3ClientObject)
        .build()

Instantiation of the above fails:

Unable to load region from any of the providers in the chain software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain@4917a741: [software.amazon.awssdk.regions.providers.SystemSettingsRegionProvider@4d05b931: Unable to load region from system settings. Region must be specified either via environment variable (AWS_REGION) or  system property (aws.region)., software.amazon.awssdk.regions.providers.AwsProfileRegionProvider@5cffd11d: No region provided in profile: default, software.amazon.awssdk.regions.providers.InstanceProfileRegionProvider@7dae9ff4: Unable to contact EC2 metadata service.]

If I specify an AWS region manually such as

    System.setProperty("aws.region", "us-east-1")
    val encObject =
      S3EncryptionClient
        ......

It then fails with the error

Failed to upload file aws_legacy_cse_upload_file to bucket xxxxxxxxxxxxxxxxx with key xxxxxxxxxx-v2: software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(profilesAndSectionsMap=[])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(profilesAndSectionsMap=[])): Profile file contained no credentials for profile 'default': ProfileFile(profilesAndSectionsMap=[]), ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]

Basically, the S3EncryptionClient is NOT picking up the credentials, region, or anything else from the base S3Client.

Solution:

Make S3EncryptionClient use the wrapped clients.
