Package org.apache.hadoop.fs.s3a.auth

Class IAMInstanceCredentialsProvider

java.lang.Object
org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider
All Implemented Interfaces:
Closeable, AutoCloseable, software.amazon.awssdk.auth.credentials.AwsCredentialsProvider, software.amazon.awssdk.identity.spi.IdentityProvider<software.amazon.awssdk.identity.spi.AwsCredentialsIdentity>
Direct Known Subclasses:
SharedInstanceCredentialProvider
@Public @Evolving public class IAMInstanceCredentialsProvider extends Object implements software.amazon.awssdk.auth.credentials.AwsCredentialsProvider, Closeable
This is an IAM credential provider which wraps an ContainerCredentialsProvider to provide credentials when the S3A connector is instantiated on AWS EC2 or the AWS container services.

The provider is initialized with async credential refresh enabled to be less brittle against transient network issues.

If the ContainerCredentialsProvider fails to authenticate, then an instance of InstanceProfileCredentialsProvider is created and attemped to be used instead, again with async credential refresh enabled.

If both credential providers fail, a NoAwsCredentialsException is thrown, which can be recognized by retry handlers as a non-recoverable failure.

It is implicitly public; marked evolving as we can change its semantics.

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final Duration
    TIME_BEFORE_EXPIRY
    How far in advance of credential expiry must IAM credentials be refreshed.

  • Constructor Summary

    Constructors
    Constructor
    Description
    IAMInstanceCredentialsProvider()
    Constructor.

  • Method Summary

    Modifier and Type
    Method
    Description
    void
    close()
     
    boolean
    isContainerCredentialsProvider()
    Is this a container credentials provider?
    software.amazon.awssdk.auth.credentials.AwsCredentials
    resolveCredentials()
    Ask for the credentials.
    String
    toString()
     

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

    Methods inherited from interface software.amazon.awssdk.auth.credentials.AwsCredentialsProvider

    identityType, resolveIdentity

    Methods inherited from interface software.amazon.awssdk.identity.spi.IdentityProvider

    resolveIdentity, resolveIdentity

  • Field Details

    • TIME_BEFORE_EXPIRY

      public static final Duration TIME_BEFORE_EXPIRY
      How far in advance of credential expiry must IAM credentials be refreshed. See HADOOP-19181. S3A: IAMCredentialsProvider throttling results in AWS auth failures

  • Constructor Details

    • IAMInstanceCredentialsProvider

      public IAMInstanceCredentialsProvider()
      Constructor. Build credentials provider with async refresh, mark isContainerCredentialsProvider as true.

  • Method Details

    • resolveCredentials

      public software.amazon.awssdk.auth.credentials.AwsCredentials resolveCredentials()
      Ask for the credentials. Failure invariably means "you aren't running in an EC2 VM or AWS container".
      Specified by:
      resolveCredentials in interface software.amazon.awssdk.auth.credentials.AwsCredentialsProvider
      Returns:
      the credentials
      Throws:
      org.apache.hadoop.fs.s3a.auth.NoAwsCredentialsException - on auth failure to indicate non-recoverable.

    • isContainerCredentialsProvider

      public boolean isContainerCredentialsProvider()
      Is this a container credentials provider?
      Returns:
      true if the container credentials provider is in use; false for InstanceProfileCredentialsProvider

    • close

      public void close() throws IOException
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
      Throws:
      IOException

    • toString

      public String toString()
      Overrides:
      toString in class Object