Instance Profile Credentials using Spring Cloud

Last modified: February 15, 2018

1. Introduction

In this quick article, we’re going to build a Spring Cloud application that uses instance profile credentials to connect to an S3 bucket.

2. Provisioning Our Cloud Environment

Instance profiles are an AWS feature that lets an EC2 instance obtain temporary credentials for an IAM role and use them to call other AWS services. The credentials are short-lived and are rotated automatically by AWS, so the application never has to store a long-lived access key.

Only an EC2 instance can request its own instance profile credentials, because they are served by the instance metadata service on the link-local address 169.254.169.254. The credentials themselves, however, are ordinary STS session credentials: anyone who obtains a copy (for example, an attacker who can make the instance fetch an arbitrary URL) can use them from anywhere until they expire. Treat the metadata endpoint as sensitive, and prefer IMDSv2, which requires a session token obtained with a PUT request before any metadata can be read.

To get more help specifically on instance profile configuration, check out AWS’s documentation.

2.1. Deployment

First of all, we need an AWS environment that has the appropriate setup.

For the code sample below, we need to stand up an EC2 instance, an S3 bucket, and the appropriate IAM role and instance profile. To do this, we can use the CloudFormation template in the code sample or simply stand these resources up on our own. Whichever way we provision it, the role's policy should grant only the actions the application performs (the sample below calls createBucket, so it needs s3:CreateBucket) rather than broad S3 access.

2.2. Verification

Next, we should make sure our EC2 instance can retrieve instance profile credentials. From a shell on the instance, replace <InstanceProfileRoleName> with the actual instance profile role name (requesting the security-credentials/ path without a role name lists the names available) and run:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<InstanceProfileRoleName>

If everything is set up correctly, the JSON response has Code set to Success and contains AccessKeyId, SecretAccessKey, Token, and Expiration properties. Note that this plain GET is an IMDSv1 request; on an instance configured to require IMDSv2 it is rejected, and a session token must first be obtained with a PUT to /latest/api/token and sent in the X-aws-ec2-metadata-token header.
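The following script is an added example and is not part of the original article or its GitHub sample. It automates the check above using IMDSv2 rather than the plain-GET IMDSv1 request in the curl command: it obtains a session token, discovers the role name instead of requiring it as input, fetches the credential document, validates the fields listed above and reports how long the credentials remain valid. SAMPLE_DOCUMENT is a constructed credential document with placeholder values (not real credentials) used to exercise the parser offline; all function and constant names are this example's own.

```python
"""Check that an EC2 instance can obtain instance profile credentials.

Added example (not from the original article). Uses IMDSv2: a session
token is requested with a PUT and presented on every metadata GET.
"""
import json
import urllib.request
from datetime import datetime, timezone

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
REQUIRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")

# Constructed credential document in the shape the metadata service
# returns; the values are placeholders, not real credentials.
SAMPLE_DOCUMENT = json.dumps({
    "Code": "Success",
    "LastUpdated": "2018-02-15T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
    "Expiration": "2099-01-01T00:00:00Z",
})


def imds_token(ttl_seconds=300, timeout=2):
    """Request an IMDSv2 session token with a PUT (the step a plain GET skips)."""
    req = urllib.request.Request(
        IMDS_BASE + TOKEN_PATH, method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def imds_get(path, token, timeout=2):
    """GET a metadata path, presenting the IMDSv2 session token."""
    req = urllib.request.Request(
        IMDS_BASE + path, headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_credentials(document, now=None):
    """Validate a credential document; return (fields, seconds until expiry).

    Raises ValueError when Code is not Success or a required field is absent.
    """
    creds = json.loads(document)
    if creds.get("Code") != "Success":
        raise ValueError("metadata service returned Code=%r" % creds.get("Code"))
    missing = [f for f in REQUIRED_FIELDS if not creds.get(f)]
    if missing:
        raise ValueError("credential document lacks " + ", ".join(missing))
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return creds, (expires - now).total_seconds()


def check_instance_profile(role_name=None):
    """Token, role discovery, credential fetch and validation in one call.

    Returns (role name, AccessKeyId, seconds until expiry). With no
    role_name, the first role the metadata service lists is used.
    """
    token = imds_token()
    roles = imds_get(CREDS_PATH, token).split()
    if not roles:
        raise RuntimeError("no IAM role is attached to this instance")
    role = role_name or roles[0]
    creds, remaining = parse_credentials(imds_get(CREDS_PATH + role, token))
    return role, creds["AccessKeyId"], remaining


if __name__ == "__main__":
    # Offline self-check on the constructed document, then the live check.
    fields, secs = parse_credentials(SAMPLE_DOCUMENT)
    print("sample document ok, valid for %d s" % secs)
    try:
        role, key_id, secs = check_instance_profile()
        # Print only the key id: the secret and token are live credentials.
        print("role=%s AccessKeyId=%s expires in %d s" % (role, key_id, secs))
    except OSError as exc:  # URLError/HTTPError and socket timeouts
        print("metadata service not reachable (not on EC2?): %s" % exc)
```

Run it on the instance after provisioning; a 401 from the token request or an empty role list points at an IMDS or instance profile misconfiguration rather than at the Spring application.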

3. Configuring Spring Cloud

Now for our sample application. We need to configure Spring Boot to use instance profiles, which we can do in our Spring Boot configuration file (application.properties):

cloud.aws.credentials.instanceProfile=true

And that’s it! If this Spring Boot application is deployed on an EC2 instance, every AWS client that Spring Cloud creates will automatically use instance profile credentials to connect to AWS resources.

This is because, with that property set, Spring Cloud AWS registers the EC2ContainerCredentialsProviderWrapper from the AWS SDK. That provider first checks for ECS container credentials (advertised through the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable) and otherwise falls back to InstanceProfileCredentialsProvider, which reads the metadata endpoint we queried above. If static access keys are also configured through cloud.aws.credentials.accessKey and cloud.aws.credentials.secretKey, Spring Cloud AWS places them ahead of the instance profile in its credentials provider chain, so the static keys win.

If we need to be sure that only instance profile credentials are ever used, we can instantiate our own AmazonS3 client, configure it with an InstanceProfileCredentialsProvider, and publish it as a bean:

import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import org.springframework.context.annotation.Bean;

@Bean
public AmazonS3 amazonS3() {
    // true = refresh the credentials asynchronously in a background thread
    // before they expire, instead of on the first request after expiry
    InstanceProfileCredentialsProvider provider
      = new InstanceProfileCredentialsProvider(true);
    return AmazonS3ClientBuilder.standard()
      .withCredentials(provider)
      .build();
}

This will replace the default AmazonS3 instance provided by Spring Cloud.

4. Connecting to Our S3 Bucket

Now, we can connect to our S3 bucket using Spring Cloud as normal, but without needing to configure permanent credentials:

import com.amazonaws.services.s3.AmazonS3;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
public class SpringCloudS3Service {

    // other declarations

    // Injected AmazonS3 client; with instanceProfile=true its requests are
    // signed with the temporary credentials from the instance profile
    @Autowired
    AmazonS3 amazonS3;

    public void createBucket(String bucketName) {
        // log statement
        // Requires the instance role to allow s3:CreateBucket
        amazonS3.createBucket(bucketName);
    }
}

Remember that because instance profile credentials are only issued to EC2 instances, this code only works when running on an EC2 instance. For local development, supply credentials through another provider (for example, the AWS credentials file or environment variables) rather than copying the instance's temporary credentials out of the metadata service; such copies keep working wherever they are used until they expire.

Of course, we can repeat the process for any AWS service that our EC2 instance connects to, including EC2, SQS, and SNS, as long as the instance role grants the corresponding actions.

5. Conclusion

In this tutorial, we’ve seen how to use instance profile credentials with Spring Cloud. Also, we created a simple application that connects to an S3 bucket.

As always, the full source can be found over on GitHub.