AWS Security Token Service (STS)
Since Camel 3.5
Only producer is supported
The AWS2 STS component supports assumeRole operation. AWS STS.
Prerequisites
You must have a valid Amazon Web Services developer account, and be signed up to use Amazon STS. More information is available at Amazon STS.
The AWS2 STS component works on the aws-global region, and it has aws-global as the default region. |
URI Format
aws2-sts://label[?options]
You can append query options to the URI in the following format:
?options=value&option2=value&…
Configuring Options
Camel components are configured on two separate levels:
-
component level
-
endpoint level
Configuring Component Options
The component level is the highest level which holds general and common configurations that are inherited by the endpoints. For example a component may have security settings, credentials for authentication, urls for network connection and so forth.
Some components only have a few options, and others may have many. Because components typically have pre configured defaults that are commonly used, then you may often only need to configure a few options on a component; or none at all.
Configuring components can be done with the Component DSL, in a configuration file (application.properties|yaml), or directly with Java code.
Configuring Endpoint Options
Where you find yourself configuring the most is on endpoints, as endpoints often have many options, which allows you to configure what you need the endpoint to do. The options are also categorized into whether the endpoint is used as consumer (from) or as a producer (to), or used for both.
Configuring endpoints is most often done directly in the endpoint URI as path and query parameters. You can also use the Endpoint DSL and DataFormat DSL as a type safe way of configuring endpoints and data formats in Java.
A good practice when configuring options is to use Property Placeholders, which allows to not hardcode urls, port numbers, sensitive information, and other settings. In other words placeholders allows to externalize the configuration from your code, and gives more flexibility and reuse.
The following two sections lists all the options, firstly for the component followed by the endpoint.
Component Options
The AWS Security Token Service (STS) component supports 18 options, which are listed below.
Name | Description | Default | Type |
---|---|---|---|
Component configuration. |
STS2Configuration |
||
Whether the producer should be started lazy (on the first message). By starting lazy you can use this to allow CamelContext and routes to startup in situations where a producer may otherwise fail during starting and cause the route to fail being started. By deferring this startup to be lazy then the startup failure can be handled during routing messages via Camel’s routing error handlers. Beware that when the first message is processed then creating and starting the producer may take a little time and prolong the total processing time of the processing. |
false |
boolean |
|
Required The operation to perform. Enum values:
|
assumeRole |
STS2Operations |
|
Set the need for overriding the endpoint. This option needs to be used in combination with the uriEndpointOverride option. |
false |
boolean |
|
If we want to use a POJO request as body or not. |
false |
boolean |
|
The region in which the STS client needs to work. When using this parameter, the configuration will expect the lowercase name of the region (for example, ap-east-1) You’ll need to use the name Region.EU_WEST_1.id(). Enum values:
|
aws-global |
String |
|
Set the overriding uri endpoint. This option needs to be used in combination with overrideEndpoint option. |
String |
||
Whether autowiring is enabled. This is used for automatic autowiring options (the option must be marked as autowired) by looking up in the registry to find if there is a single instance of matching type, which then gets configured on the component. This can be used for automatic configuring JDBC data sources, JMS connection factories, AWS Clients, etc. |
true |
boolean |
|
Autowired To use an existing configured AWS STS client. |
StsClient |
||
To define a proxy host when instantiating the STS client. |
String |
||
To define a proxy port when instantiating the STS client. |
Integer |
||
To define a proxy protocol when instantiating the STS client. Enum values:
|
HTTPS |
Protocol |
|
Amazon AWS Access Key. |
String |
||
If using a profile credentials provider, this parameter will set the profile name. |
String |
||
Amazon AWS Secret Key. |
String |
||
If we want to trust all certificates in case of overriding the endpoint. |
false |
boolean |
|
Set whether the STS client should expect to load credentials through a default credentials provider or to expect static credentials to be passed in. |
false |
boolean |
|
Set whether the STS client should expect to load credentials through a profile credentials provider. |
false |
boolean |
Endpoint Options
The AWS Security Token Service (STS) endpoint is configured using URI syntax:
aws2-sts:label
with the following path and query parameters:
Query Parameters (16 parameters)
Name | Description | Default | Type |
---|---|---|---|
Required The operation to perform. Enum values:
|
assumeRole |
STS2Operations |
|
Set the need for overriding the endpoint. This option needs to be used in combination with the uriEndpointOverride option. |
false |
boolean |
|
If we want to use a POJO request as body or not. |
false |
boolean |
|
The region in which the STS client needs to work. When using this parameter, the configuration will expect the lowercase name of the region (for example, ap-east-1) You’ll need to use the name Region.EU_WEST_1.id(). Enum values:
|
aws-global |
String |
|
Set the overriding uri endpoint. This option needs to be used in combination with overrideEndpoint option. |
String |
||
Whether the producer should be started lazy (on the first message). By starting lazy you can use this to allow CamelContext and routes to startup in situations where a producer may otherwise fail during starting and cause the route to fail being started. By deferring this startup to be lazy then the startup failure can be handled during routing messages via Camel’s routing error handlers. Beware that when the first message is processed then creating and starting the producer may take a little time and prolong the total processing time of the processing. |
false |
boolean |
|
Autowired To use an existing configured AWS STS client. |
StsClient |
||
To define a proxy host when instantiating the STS client. |
String |
||
To define a proxy port when instantiating the STS client. |
Integer |
||
To define a proxy protocol when instantiating the STS client. Enum values:
|
HTTPS |
Protocol |
|
Amazon AWS Access Key. |
String |
||
If using a profile credentials provider, this parameter will set the profile name. |
String |
||
Amazon AWS Secret Key. |
String |
||
If we want to trust all certificates in case of overriding the endpoint. |
false |
boolean |
|
Set whether the STS client should expect to load credentials through a default credentials provider or to expect static credentials to be passed in. |
false |
boolean |
|
Set whether the STS client should expect to load credentials through a profile credentials provider. |
false |
boolean |
Required STS component options
You have to provide the amazonSTSClient in the Registry or your accessKey and secretKey to access the Amazon STS service.
Usage
Static credentials, Default Credential Provider and Profile Credentials Provider
You have the possibility of avoiding the usage of explicit static credentials by specifying the useDefaultCredentialsProvider option and set it to true.
The order of evaluation for Default Credentials Provider is the following:
-
Java system properties -
aws.accessKeyId
andaws.secretKey
. -
Environment variables -
AWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
. -
Web Identity Token from AWS STS.
-
The shared credentials and config files.
-
Amazon ECS container credentials - loaded from the Amazon ECS if the environment variable
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
is set. -
Amazon EC2 Instance profile credentials.
You have also the possibility of using Profile Credentials Provider, by specifying the useProfileCredentialsProvider option to true and profileCredentialsName to the profile name.
Only one of static, default and profile credentials could be used at the same time.
For more information about this you can look at AWS credentials documentation
Message Headers
The AWS Security Token Service (STS) component supports 4 message header(s), which is/are listed below:
Name | Description | Default | Type |
---|---|---|---|
CamelAwsStsOperation (producer) Constant: |
The operation we want to perform. |
String |
|
Constant: |
The Amazon Resource Name (ARN) of the role to assume. |
String |
|
CamelAwsStsRoleSessionName (producer) Constant: |
An identifier for the assumed role session. |
String |
|
CamelAwsStsFederatedName (producer) Constant: |
The name of the federated user. |
String |
Producer Examples
-
assumeRole: this operation will make an AWS user assume a different role temporary
from("direct:assumeRole")
.setHeader(STS2Constants.ROLE_ARN, constant("arn:123"))
.setHeader(STS2Constants.ROLE_SESSION_NAME, constant("groot"))
.to("aws2-sts://test?stsClient=#amazonSTSClient&operation=assumeRole")
-
getSessionToken: this operation will return a temporary session token
from("direct:getSessionToken")
.to("aws2-sts://test?stsClient=#amazonSTSClient&operation=getSessionToken")
-
getFederationToken: this operation will return a temporary federation token
from("direct:getFederationToken")
.setHeader(STS2Constants.FEDERATED_NAME, constant("federation-account"))
.to("aws2-sts://test?stsClient=#amazonSTSClient&operation=getSessionToken")
Using a POJO as body
Sometimes building an AWS Request can be complex because of multiple options. We introduce the possibility to use a POJO as the body. In AWS STS, as an example for Assume Role request, you can do something like:
from("direct:createUser")
.setBody(AssumeRoleRequest.builder().roleArn("arn:123").roleSessionName("groot").build())
.to("aws2-sts://test?stsClient=#amazonSTSClient&operation=assumeRole&pojoRequest=true")
In this way, you’ll pass the request directly without the need of passing headers and options specifically related to this operation.
Dependencies
Maven users will need to add the following dependency to their pom.xml.
pom.xml
<dependency>
<groupId>org.apache.camel</groupId>
<artifactId>camel-aws2-sts</artifactId>
<version>${camel-version}</version>
</dependency>
where ${camel-version}
must be replaced by the actual version of Camel.