jEAP Spring Boot Roles Anywhere Starter

jEAP Spring Boot Roles Anywhere Starter is a Spring Boot starter that lets a jEAP service obtain temporary AWS credentials via AWS IAM Roles Anywhere. Using an X.509 client certificate and its private key, a service running outside AWS (for example an on-prem VM) can authenticate against a trust anchor and assume an IAM role, without long-lived AWS access keys and without the external aws_signing_helper credential helper. It provides:

  • Spring Boot auto-configuration that registers a @Primary AwsCredentialsProvider bean
  • Certificate-based authentication using AWS IAM Roles Anywhere (SigV4 X.509 request signing)
  • Credentials sourced from inline properties or from PEM files (with sensible default paths)
  • Automatic, non-blocking background refresh of the temporary session credentials before they expire
  • Works with AWS SDK v2 clients (used by jEAP Messaging for Kafka MSK IAM auth, Glue, S3, etc.)

Documentation

Start with Getting started, then follow the links below.

| Topic | File |
|---|---|
| Getting started (add the dependency, configure, use) | docs/getting-started.md |
| Configuration reference (jeap.aws.rolesanywhere.*) | docs/configuration.md |
| How it works (credential exchange & refresh) | docs/how-it-works.md |
| Certificates and keys (formats, chains, file layout) | docs/certificates-and-keys.md |
| Messaging integration (Kafka MSK IAM) | docs/messaging-integration.md |

Modules

Group id for all modules is ch.admin.bit.jeap; the version is managed by the jEAP Spring Boot parent. Consumers depend on the jeap-spring-boot-roles-anywhere-starter artifact.

| Module | Purpose |
|---|---|
| jeap-spring-boot-roles-anywhere-starter | The starter: auto-configuration, credentials provider, certificate/key handling |
| jeap-spring-boot-roles-anywhere-starter-it | Spring Boot integration tests for the auto-configuration |