AWS Vault allows you to securely store and access credentials for AWS. AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools, and is aware of your profiles and configuration in ~/.aws/config.
There are various ways to use AWS credentials with the AWS Java SDK.
AWS Vault is great when working with multiple profiles. When we look at the directory ~/.aws/ there are two files, credentials and config.
The config file might look something like this:

    [default]
    region = eu-west-1

    [profile project-dev]
    region = eu-west-1
    role_arn = arn:aws:iam::123456789012:role/developers
    mfa_serial = arn:aws:iam::120123456789:mfa/userxyz

You can then use aws-vault exec project-dev, which will ask for your MFA token and then return you to bash, where you can execute AWS commands just as you would with the AWS CLI.
Using AWS Vault, you can use aws-vault exec project-dev mvn clean test and that will start executing the tests.
When you are not using AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and are instead using role_arn and mfa_serial in the ~/.aws/config file, you can use the following in Java:
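
    import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
    import com.amazonaws.services.kinesis.AmazonKinesis;
    import com.amazonaws.services.kinesis.AmazonKinesisClientBuilder;

    // Takes the credentials from the process environment variables,
    // which aws-vault exec sets for the command it runs.
    AmazonKinesis amazonKinesis = AmazonKinesisClientBuilder
            .standard()
            .withCredentials(new EnvironmentVariableCredentialsProvider())
            .build();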
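
An added example (not from the original post or the aws-vault project): a small Python check over the two files in ~/.aws/ that flags access keys still stored in plaintext and role profiles that lack mfa_serial. The file contents and the project-ci profile are constructed for illustration, and the check looks at each profile on its own without following source_profile.

```python
import configparser

# Constructed sample inputs, not real keys. The config mirrors the profile layout
# shown above; the project-ci profile is hypothetical.
SAMPLE_CONFIG = """\
[default]
region = eu-west-1

[profile project-dev]
region = eu-west-1
role_arn = arn:aws:iam::123456789012:role/developers
mfa_serial = arn:aws:iam::120123456789:mfa/userxyz

[profile project-ci]
region = eu-west-1
role_arn = arn:aws:iam::123456789012:role/ci
"""
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIA-CONSTRUCTED-EXAMPLE
aws_secret_access_key = constructed-placeholder-not-a-secret
"""
STATIC_KEY_FIELDS = ("aws_access_key_id", "aws_secret_access_key")


def audit(config_text, credentials_text=""):
    """Return sorted (profile, finding) tuples for the two files in ~/.aws/."""
    findings = []
    for source, text in (("config", config_text), ("credentials", credentials_text)):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(text)
        for section in parser.sections():
            # config uses "[profile name]" headers; credentials uses "[name]".
            name = section.removeprefix("profile ").strip()
            options = parser[section]
            if any(field in options for field in STATIC_KEY_FIELDS):
                findings.append((name, f"plaintext access key in {source}"))
            # Per-profile check only: source_profile is not followed.
            if "role_arn" in options and "mfa_serial" not in options:
                findings.append((name, "role_arn without mfa_serial"))
    return sorted(findings)


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CONFIG, SAMPLE_CREDENTIALS):
        print(f"{profile}: {finding}")
```

To run it against real files, pass the text of ~/.aws/config and ~/.aws/credentials to audit(); an empty result means no profile keeps static keys on disk and every role profile carries mfa_serial.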