Skip to main content

Getting started

This page shows how to add the Roles Anywhere starter to a Spring Boot service so it can obtain temporary AWS credentials from outside AWS. For the credential exchange itself see How it works; for the full property list see the Configuration reference.

Prerequisites

AWS IAM Roles Anywhere must already be set up: a trust anchor referencing your CA, an IAM role the service is allowed to assume, and an IAM Roles Anywhere profile. You also need the service's X.509 client certificate and its private key (PKCS#8). The starter signs the request and assumes the role on your behalf.

1. Add the dependency

<dependency>
<groupId>ch.admin.bit.jeap</groupId>
<artifactId>jeap-spring-boot-roles-anywhere-starter</artifactId>
</dependency>

The version is managed by the jEAP Spring Boot parent. When used together with jEAP Messaging, the starter is supported from jEAP Messaging version 8.52.0.

2. Configure the starter

The integration is off by default; set jeap.aws.rolesanywhere.enabled=true and provide the three ARNs plus a certificate and key. The simplest, most portable setup uses the default PEM file paths under ${user.home}/.aws/roles-anywhere/ (see Certificates and keys):

jeap:
aws:
rolesanywhere:
enabled: true
roleArn: "arn:aws:iam::123456789012:role/roles-anywhere/msk-access-user"
trustAnchorArn: "arn:aws:rolesanywhere:eu-central-2:123456789012:trust-anchor/uuid"
profileArn: "arn:aws:rolesanywhere:eu-central-2:123456789012:profile/uuid"

The certificate and key can also be supplied inline or from custom paths, and the ARNs can be loaded from a JSON file — see the Configuration reference.

3. Use the credentials

When enabled, the starter registers a @Primary software.amazon.awssdk.auth.credentials.AwsCredentialsProvider bean. AWS SDK v2 clients pick it up automatically, so you can just inject and build a client:

@Component
@RequiredArgsConstructor
class S3Access {
private final AwsCredentialsProvider awsCredentialsProvider;

S3Client client() {
return S3Client.builder()
.region(Region.EU_CENTRAL_2)
.credentialsProvider(awsCredentialsProvider)
.build();
}
}

For Kafka MSK IAM authentication via jEAP Messaging the wiring is automatic — see Messaging integration.