AWS S3 authorization using STS JAVA SDK


I have an application instance running in EKS with the following variables set:

declare -x AWS_DEFAULT_REGION="us-west-2"
declare -x AWS_REGION="us-west-2"
declare -x AWS_ROLE_ARN="xxxxx"
declare -x AWS_WEB_IDENTITY_TOKEN_FILE="/var/run/secrets/eks.amazonaws.com/serviceaccount/token"

As I understand, there is a default Java SDK authorization chain that contains com.amazonaws.auth.WebIdentityTokenCredentialsProvider, which builds com.amazonaws.services.securitytoken.AWSSecurityTokenService under the hood.

But I can't understand how this circular dependency is solved. I mean, you need to specify credentials during creation of AWSSecurityTokenService, but the credentials create the service itself.

I have a practical requirement to do that: I want to customize the endpoint in the STS client but can't because of the circular dependency.

AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(new STSAssumeRoleWithWebIdentitySessionCredentialsProvider.Builder(
                "arn",
                "session",
                "tokenfile")
                .withStsClient(xxxx)
                .build())
        .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration("http://localhost:4566", null))
        .build()

There is 1 best solution below

It was easy. It's just done with anonymous auth (https://github.com/aws/aws-sdk-java/blob/1.11.792/aws-java-sdk-sts/src/main/java/com/amazonaws/auth/STSAssumeRoleWithWebIdentitySessionCredentialsProvider.java#L122-L125)

        return AWSSecurityTokenServiceClientBuilder.standard()
                                                   .withClientConfiguration(clientConfiguration)
                                                   .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
                                                   .build();