Does WebIdentityTokenCredentialsProvider need STS module?

5.4k Views

I just debugged a strange problem with the AWS Java SDK: running a pod in AWS EKS using the WebIdentityTokenCredentials (which the service account provides) only works if the STS module of the SDK is on the classpath.

Can somebody confirm? This is super strange. Does somebody have any documentation on this?

I tried to use the DefaultAWSCredentialsProviderChain to send an SQS message. I got an "Access Denied" response, although the AWS IAM user connected to the service account has all SQS rights, and I could see in the container that the AWS_WEB_IDENTITY_TOKEN_FILE environment variable is set correctly. I could even send an SQS message with the AWS CLI. So the clue was that my CredentialsProviderChain did not pick up the token file.

When I added the STS module (api group: 'com.amazonaws', name: 'aws-java-sdk-sts', version: '1.11.779') it worked ...
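A small preflight check for the situation described in the question, added here as an illustration (it is not code from the question or from the AWS SDK). It assumes the AWS Java SDK v1 on the classpath and the environment the EKS pod identity webhook injects (AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN). It reports whether the STS module is present by probing for a class that lives only in aws-java-sdk-sts, then tries WebIdentityTokenCredentialsProvider on its own before falling back to the default chain, so that a silent fallback to some other credential source (the thing that produced "Access Denied" rather than a clear error) becomes visible in the logs. The probe class name and the way the failure is reported are my choices, not an SDK contract.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;

/**
 * Diagnoses why a pod running with IAM Roles for Service Accounts (IRSA)
 * is not picking up the web identity token. Constructed example; the
 * probe class name is an assumption about where aws-java-sdk-sts lives.
 */
public class IrsaPreflight {

    // A class that only exists in the aws-java-sdk-sts module (assumption).
    private static final String STS_PROBE_CLASS =
        "com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient";

    /** True if the named class can be loaded from the current classpath. */
    static boolean onClasspath(String className) {
        try {
            Class.forName(className, false, IrsaPreflight.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** Describes where a resolved credential set comes from, for logging. */
    static String describe(AWSCredentials creds) {
        String kind = (creds instanceof AWSSessionCredentials)
            ? "temporary session credentials (STS-issued)"
            : "long-lived credentials (no session token)";
        // Never log the secret; the key id prefix is enough to tell sources apart.
        String id = creds.getAWSAccessKeyId();
        String prefix = id.length() > 4 ? id.substring(0, 4) + "..." : "(short)";
        return kind + ", access key id " + prefix;
    }

    public static void main(String[] args) {
        String tokenFile = System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE");
        String roleArn = System.getenv("AWS_ROLE_ARN");
        System.out.println("AWS_WEB_IDENTITY_TOKEN_FILE = " + tokenFile);
        System.out.println("AWS_ROLE_ARN                = " + roleArn);
        System.out.println("aws-java-sdk-sts on classpath: " + onClasspath(STS_PROBE_CLASS));

        // Step 1: ask the web identity provider directly. If the STS module is
        // missing, this is where the failure surfaces as an exception instead
        // of being swallowed by the default chain.
        try {
            AWSCredentials creds = new WebIdentityTokenCredentialsProvider().getCredentials();
            System.out.println("WebIdentityTokenCredentialsProvider OK: " + describe(creds));
        } catch (RuntimeException e) {
            System.out.println("WebIdentityTokenCredentialsProvider FAILED: " + e.getMessage());
        }

        // Step 2: the default chain. If step 1 failed but this succeeds, the
        // request is being signed by some other source (for example the node's
        // instance profile), which explains an unexpected "Access Denied".
        try {
            AWSCredentials creds = DefaultAWSCredentialsProviderChain.getInstance().getCredentials();
            System.out.println("DefaultAWSCredentialsProviderChain resolved: " + describe(creds));
        } catch (RuntimeException e) {
            System.out.println("DefaultAWSCredentialsProviderChain FAILED: " + e.getMessage());
        }
    }
}
```

Run it once inside the pod with the STS dependency absent and once with it added (the Gradle coordinates from the question); the difference between "FAILED" in step 1 and a successful default chain is the fallback the question describes.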

There is 1 best solution below


Late reply: AWS Security Token Service is used to get temporary, limited-privilege credentials that can be used to access AWS services.

Even if the EC2 instance has the appropriate role, it still uses STS to get a ~6-hour-alive temporary session token. (It doesn't wait till the session token expires - it just gets a new session token from STS every half hour or 1 hour.)

In fact, the EC2 instance should have the necessary role, and access to STS for other AWS services to get authorized.