sts #248

Open
albogdano wants to merge 2 commits into davidmoten:master from albogdano:sts

@albogdano albogdano commented Jun 22, 2026

Contributor

I think support for temporary credentials would be beneficial for the project.
Usually, in production, we never hardcode credentials in system properties or ENV. They are automatically obtained from the STS endpoint at runtime.
Additionally, this PR also adds support for obtaining credentials from instance profiles via the IMDSv2 endpoint.

With the proposed changes, the project would closely follow the default credentials discovery chain as described in the official AWS docs.

codecov Bot commented Jun 22, 2026

Codecov Report

❌ Patch coverage is 92.75362% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 98.47%. Comparing base (8fb9cd0) to head (92e287b).
⚠️ Report is 116 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...oten/aws/lw/client/internal/CredentialsHelper.java | 82.60% | 2 Missing and 2 partials ⚠️ |
| ...t/internal/InstanceProfileCredentialsProvider.java | 94.20% | 4 Missing ⚠️ |
| ...aws/lw/client/internal/STSCredentialsProvider.java | 94.44% | 3 Missing and 1 partial ⚠️ |
| ...ws/lw/client/internal/ExpiringCredentialsImpl.java | 93.54% | 0 Missing and 2 partials ⚠️ |
| ...m/github/davidmoten/aws/lw/client/Credentials.java | 83.33% | 1 Missing ⚠️ |

Additional details and impacted files
@@             Coverage Diff              @@
##             master     #248      +/-   ##
============================================
- Coverage     99.50%   98.47%   -1.04%     
- Complexity      479      572      +93     
============================================
  Files            31       35       +4     
  Lines          1422     1701     +279     
  Branches        168      212      +44     
============================================
+ Hits           1415     1675     +260     
- Misses            5       16      +11     
- Partials          2       10       +8     


…endpoint, as well as from instance profiles via the IMDSv2 metadata service
return new CredentialsImpl(System.getProperty("aws.accessKeyId"),
System.getProperty("aws.secretKey"),
Optional.empty());
String sk = System.getProperty("aws.secretAccessKey");
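
Review bot: The lookup `String sk = System.getProperty("aws.secretAccessKey");` is the only part of the new-name/legacy-name handling visible in this excerpt, so the fallback to `aws.secretKey` should be checked for the empty-string case: a property set to "" is non-null and would otherwise shadow a valid legacy value. Suggest treating null and blank the same before falling back, and stating the precedence of the two property names in the Javadoc or README so users who have both set know which one wins.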

Contributor Author

According to this table, the system property aws.secretKey is outdated and is replaced with aws.secretAccessKey in AWS SDK 2.x. This is why we check for the presence of that property and fall back to aws.secretKey.

@davidmoten

Owner

Looks like great work, thanks! I don't use hard-coded credentials, by the way, in my usage of this library; they are supplied by the AWS Lambda environment, but nevertheless a token-based approach seems like a good idea to reduce exposure of core credentials. I'll review properly shortly.

@albogdano

Contributor Author

Thanks, David! The STS and instance profile methods for obtaining credentials are still heavily used in EC2 instances and for identity federation. With that addition, the credentials loading chain would be complete and on par with the official AWS SDK.
