
FISH-7866 AWS SDK Security Token Service (STS) support #751

Merged 1 commit into payara:master on Feb 23, 2024

Conversation

jGauravGupta
Contributor

@jGauravGupta jGauravGupta commented Feb 15, 2024

This PR adds support for AWS STS auth in Payara Cloud Connector - AWS SQS

To enhance security and provide temporary, limited-access credentials for your Java application using Payara Cloud Connector for AWS SQS, integrate with AWS Security Token Service (STS) through Identity and Access Management (IAM). Follow these steps to set up STS integration:

Creating IAM Role

Steps:

  1. Open the IAM Console

    • Navigate to the AWS Management Console and open the IAM console.
  2. Create an IAM Role

    • In the left navigation pane, choose "Roles".
    • Choose "Create role".
    • Select "AWS account".
    • Enter the AWS account ID (skip if working within the same AWS account).
    • Choose "Next".
  3. Add permissions

    • Search for AmazonSQSFullAccess policy and attach it.
    • Choose "Next".
  4. Role details

    • Give the role a Name (e.g., "PayaraSQSRole").
    • Add a meaningful description.
    • Choose "Create role".
  5. Retrieve User ARN

    • Navigate back to the IAM console.
    • In the left navigation pane, choose "Users."
    • Select the IAM user (e.g., "MY-USER").
    • Copy the User ARN from the user's summary page (e.g., "arn:aws:iam::xxxxxxxxx:user/MY-USER").
  6. Retrieve Role ARN

    • After creating the role, copy the Role ARN from the summary page.
  7. Update Trust Relationship

    • To resolve potential authorization issues related to role assumption, ensure that the Trust Relationship in the IAM role is configured correctly. Update the Trust Relationship to explicitly allow the user to assume the role. Below is an example Trust Relationship JSON:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<YOUR-IAM-USER-ARN-HERE>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Make sure to replace the values with your specific IAM user ARN and role ARN.

  8. Set Role Session Name
    • For the roleSessionName, choose a logical name for your session (e.g., "PayaraSQSSession").

Conclusion

It's crucial to establish a link between the IAM user's ARN and the IAM role's Trust Relationship by configuring the Trust Relationship with the user's ARN. This linkage ensures that the IAM user has the necessary permissions to assume the role. Additionally, for seamless integration, configure the roleArn and roleSessionName in the Payara Cloud Connector AWS SQS:

roleArn: The ARN of the IAM role you've just created.
roleSessionName: A logical name for your session (e.g., "PayaraSQSSession").

These values play a crucial role in the configuration of Payara Cloud Connector AWS SQS, enabling your Java application to establish the necessary connections securely.

Sending Messages

Sending messages to Amazon SQS can be done via the JCA and an Amazon-specific API. Define a resource using the JCA API and a connection factory. The following Java code provides an example:

// jakarta.resource.* on Payara 6; javax.resource.* on Payara 5
import jakarta.resource.ConnectionFactoryDefinition;

@ConnectionFactoryDefinition(
  name = "java:app/amazonsqs/factory",
  interfaceName = "fish.payara.cloud.connectors.amazonsqs.api.AmazonSQSConnectionFactory",
  resourceAdapter = "amazon-sqs-rar-0.8.0",
  properties = {
    "awsAccessKeyId=<accessKeyID>", "awsSecretKey=<secretKey>",
    // STS settings added by this PR: the role the connector assumes and the session name it uses
    "roleArn=arn:aws:iam::xxxxxxxxx:role/PayaraSQSRole", "roleSessionName=PayaraSQSSession",
    "region=eu-west-2"
  }
)

With this definition, you can send messages using the following example code:

import java.util.logging.Level;
import java.util.logging.Logger;

import fish.payara.cloud.connectors.amazonsqs.api.AmazonSQSConnection;
import fish.payara.cloud.connectors.amazonsqs.api.AmazonSQSConnectionFactory;
// jakarta.* on Payara 6; javax.* on Payara 5
import jakarta.annotation.PostConstruct;
import jakarta.annotation.Resource;
import jakarta.ejb.Singleton;
import jakarta.ejb.Startup;
// AWS SDK v2 request type (builder-style API)
import software.amazon.awssdk.services.sqs.model.SendMessageRequest;

@Singleton
@Startup
public class SendSQSMessage {

 private static final Logger LOG = Logger.getLogger(SendSQSMessage.class.getName());

 // Looks up the factory defined above; credentials, roleArn and roleSessionName come from its properties
 @Resource(lookup = "java:app/amazonsqs/factory")
 private AmazonSQSConnectionFactory factory;

 @PostConstruct
 public void init() {
    // try-with-resources closes the connection (returning it to the pool) when done
    try (AmazonSQSConnection connection = factory.createConnection()) {
        SendMessageRequest sendMsgRequest = SendMessageRequest.builder()
                        .queueUrl("<queueURL>")
                        .messageBody("Hello World")
                        .build();
        connection.sendMessage(sendMsgRequest);
    } catch (Exception ex) {
        // Do not swallow failures silently: a rejected AssumeRole or bad credentials must be visible in the log
        LOG.log(Level.SEVERE, "Failed to send SQS message", ex);
    }
 }
}

Receiving Messages

Messages can be received from Amazon SQS by creating an MDB (Message Driven Bean) that implements the fish.payara.cloud.connectors.amazonsqs.api.AmazonSQSListener marker interface. Below is an example:

import fish.payara.cloud.connectors.amazonsqs.api.AmazonSQSListener;
import fish.payara.cloud.connectors.amazonsqs.api.OnSQSMessage;
// jakarta.* on Payara 6; javax.* on Payara 5
import jakarta.ejb.ActivationConfigProperty;
import jakarta.ejb.MessageDriven;
// AWS SDK v2 message type
import software.amazon.awssdk.services.sqs.model.Message;

@MessageDriven(activationConfig = {
 @ActivationConfigProperty(propertyName = "awsAccessKeyId", propertyValue = "someKey"),
 @ActivationConfigProperty(propertyName = "awsSecretKey", propertyValue = "someSecretKey"),
 @ActivationConfigProperty(propertyName = "queueURL", propertyValue = "someQueueURL"),
 @ActivationConfigProperty(propertyName = "pollInterval", propertyValue = "1"),
 // STS settings added by this PR: role to assume and the session name used for the assumed-role session
 @ActivationConfigProperty(propertyName = "roleArn", propertyValue = "arn:aws:iam::xxxxxxxxx:role/PayaraSQSRole"),
 @ActivationConfigProperty(propertyName = "roleSessionName", propertyValue = "PayaraSQSSession"),
 @ActivationConfigProperty(propertyName = "region", propertyValue = "eu-west-2")
})
public class ReceiveSQSMessage implements AmazonSQSListener {

 @OnSQSMessage
 public void receiveMessage(Message message) {
     // Handle message
 }
}

Documentation

payara/Payara-Documentation#394 (Payara6)
payara/Payara-Documentation#393 (Payara5)
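
The trust-relationship JSON in step 7 and the roleArn / roleSessionName values from the conclusion are easy to get subtly wrong (placeholder left in, wildcard principal, account id still "xxxxxxxxx", session name that AssumeRole rejects). The following script is an added example, not part of this PR or of the Payara connector: it performs offline sanity checks on those three inputs before they are pasted into IAM or into the connector configuration. It assumes the AWS-documented shapes for IAM role ARNs (12-digit account id, `role/` resource) and for RoleSessionName (2 to 64 characters from `[\w+=,.@-]`); the account id 123456789012 and the user MY-USER are constructed sample values.

```python
"""Offline sanity checks for the STS settings the connector needs (added example, not project code)."""
import json
import re

# Shapes documented by AWS for IAM role ARNs and for the RoleSessionName parameter of AssumeRole
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed sample values; the account id and user name are not real
SAMPLE_USER_ARN = "arn:aws:iam::123456789012:user/MY-USER"
PLACEHOLDER_USER_ARN = "<YOUR-IAM-USER-ARN-HERE>"


def render_trust_policy(user_arn: str) -> str:
    """Build the trust-relationship JSON from the PR description for the given principal."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": "sts:AssumeRole",
            "Condition": {},
        }],
    })


def check_role_arn(arn: str) -> bool:
    """True if arn looks like a real IAM role ARN (rejects the xxxxxxxxx placeholder account id)."""
    return ROLE_ARN_RE.match(arn) is not None


def check_session_name(name: str) -> bool:
    """True if name satisfies the AssumeRole RoleSessionName constraints."""
    return SESSION_NAME_RE.match(name) is not None


def trust_policy_findings(policy_json: str, expected_user_arn: str) -> list:
    """Return findings (empty list = OK) for a role trust policy that should let exactly
    expected_user_arn call sts:AssumeRole. Over-broad or unfilled principals are reported."""
    policy = json.loads(policy_json)
    findings = []
    trusted = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be written without the list
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue                          # statement does not grant role assumption
        principal = st.get("Principal", {})
        aws_principals = principal if isinstance(principal, str) else principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                findings.append('wildcard AWS principal "*"')
            elif "<" in p or ">" in p:
                findings.append(f"placeholder principal left unreplaced: {p}")
            elif p.endswith(":root") or p.isdigit():
                findings.append(f"account-wide principal {p} delegates trust to the whole account")
            else:
                trusted.add(p)
    if expected_user_arn not in trusted:
        findings.append(f"expected user {expected_user_arn} is not a trusted principal")
    return findings


if __name__ == "__main__":
    for label, arn in (("placeholder", PLACEHOLDER_USER_ARN), ("filled in", SAMPLE_USER_ARN)):
        print(label, trust_policy_findings(render_trust_policy(arn), SAMPLE_USER_ARN))
    print(check_role_arn("arn:aws:iam::xxxxxxxxx:role/PayaraSQSRole"), check_session_name("PayaraSQSSession"))
```

Run it as-is to see the unfilled template reported and the filled-in one pass; feed your real trust policy JSON and user ARN to `trust_policy_findings` before saving the role. The root and wildcard checks exist because a trust policy that names an account root or `*` is valid JSON that IAM will accept, while granting far more than the single user the steps above intend.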


@breakponchito breakponchito left a comment


LGTM

@jGauravGupta jGauravGupta merged commit 1a2db57 into payara:master Feb 23, 2024
2 checks passed
@jGauravGupta jGauravGupta added this to the 2.1.1 milestone Mar 13, 2024