enable default credential provider chain for aws sqs

Jan Schumann · Andrew Shvayka
1 parent 45e3c229
Showing 3 changed files with 17 additions and 5 deletions
application/src/main/resources/thingsboard.yml
common/queue/src/main/java/org/thingsboard/server/queue/sqs/TbAwsSqsAdmin.java
common/queue/src/main/java/org/thingsboard/server/queue/sqs/TbAwsSqsSettings.java
--- a/application/src/main/resources/thingsboard.yml
View file @3d9f1cf
+++ b/application/src/main/resources/thingsboard.yml
View file @3d9f1cf
@@ -612,6 +612,10 @@ queue:
       notifications: "${TB_QUEUE_KAFKA_NOTIFICATIONS_TOPIC_PROPERTIES:retention.ms:604800000;segment.bytes:26214400;retention.bytes:1048576000}"
       js-executor: "${TB_QUEUE_KAFKA_JE_TOPIC_PROPERTIES:retention.ms:604800000;segment.bytes:26214400;retention.bytes:104857600}"
   aws_sqs:
+    # @see https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-roles.html
+    # setting this to true, will ignore the access keys below and instead use the
+    # default credential provider chain, which includes instance profile credentials etc.
+    use_default_credential_provider_chain: "${TB_QUEUE_AWS_SQS_USE_DEFAULT_CREDENTIAL_PROVIDER_CHAIN:false}"
     access_key_id: "${TB_QUEUE_AWS_SQS_ACCESS_KEY_ID:YOUR_KEY}"
     secret_access_key: "${TB_QUEUE_AWS_SQS_SECRET_ACCESS_KEY:YOUR_SECRET}"
     region: "${TB_QUEUE_AWS_SQS_REGION:YOUR_REGION}"
--- a/common/queue/src/main/java/org/thingsboard/server/queue/sqs/TbAwsSqsAdmin.java
View file @3d9f1cf
+++ b/common/queue/src/main/java/org/thingsboard/server/queue/sqs/TbAwsSqsAdmin.java
View file @3d9f1cf
@@ -15,9 +15,7 @@
  */
 package org.thingsboard.server.queue.sqs;
 
-import com.amazonaws.auth.AWSCredentials;
-import com.amazonaws.auth.AWSStaticCredentialsProvider;
-import com.amazonaws.auth.BasicAWSCredentials;
+import com.amazonaws.auth.*;
 import com.amazonaws.services.sqs.AmazonSQS;
 import com.amazonaws.services.sqs.AmazonSQSClientBuilder;
 import com.amazonaws.services.sqs.model.CreateQueueRequest;
@@ -37,9 +35,16 @@ public class TbAwsSqsAdmin implements TbQueueAdmin {
     public TbAwsSqsAdmin(TbAwsSqsSettings sqsSettings, Map<String, String> attributes) {
         this.attributes = attributes;
 
-        AWSCredentials awsCredentials = new BasicAWSCredentials(sqsSettings.getAccessKeyId(), sqsSettings.getSecretAccessKey());
+        AWSCredentialsProvider credentialsProvider;
+        if (sqsSettings.getUseDefaultCredentialProviderChain()) {
+            credentialsProvider = new DefaultAWSCredentialsProviderChain();
+        } else {
+            AWSCredentials awsCredentials = new BasicAWSCredentials(sqsSettings.getAccessKeyId(), sqsSettings.getSecretAccessKey());
+            credentialsProvider = new AWSStaticCredentialsProvider(awsCredentials);
+        }
+
         sqsClient = AmazonSQSClientBuilder.standard()
-                .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
+                .withCredentials(credentialsProvider)
                 .withRegion(sqsSettings.getRegion())
                 .build();
 
--- a/common/queue/src/main/java/org/thingsboard/server/queue/sqs/TbAwsSqsSettings.java
View file @3d9f1cf
+++ b/common/queue/src/main/java/org/thingsboard/server/queue/sqs/TbAwsSqsSettings.java
View file @3d9f1cf
@@ -27,6 +27,9 @@ import org.springframework.stereotype.Component;
 @Data
 public class TbAwsSqsSettings {
 
+    @Value("${queue.aws_sqs.use_default_credential_provider_chain}")
+    private Boolean useDefaultCredentialProviderChain;
+
     @Value("${queue.aws_sqs.access_key_id}")
     private String accessKeyId;