You can use the AWS Java SDK to programmatically perform IAM role-related operations in your Eucalyptus cloud. This example shows how to use the AWS SDK to obtain the temporary credentials for the IAM role associated with a Eucalyptus instance and use them to list a bucket. The first listing below signs its requests with access keys bundled into the application; the second replaces those with the instance's role, and the only code that changes is the credentials provider in init().
import com.amazonaws.auth.*;
import com.amazonaws.AmazonClientException;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.ClasspathPropertiesFileCredentialsProvider;
import com.amazonaws.services.ec2.AmazonEC2;
import com.amazonaws.services.ec2.AmazonEC2Client;
import com.amazonaws.services.s3.*;
import com.amazonaws.services.s3.model.*;
/**
 * Lists the objects in a Walrus (S3-compatible) bucket on a Eucalyptus cloud.
 *
 * <p>This version signs its requests with long-lived access keys that
 * {@link ClasspathPropertiesFileCredentialsProvider} reads from a properties
 * file on the application's classpath, i.e. the keys ship inside the build
 * artifact. Anyone who can read the JAR can extract them, and rotating them
 * means rebuilding and redeploying the application.
 */
public class MyTestApp {
    static AmazonEC2 ec2; // declared by the sample but not used by this class
    static AmazonS3 s3;

    /**
     * Builds the S3 client with the classpath-bundled credentials and points
     * it at the Walrus endpoint.
     *
     * <p>NOTE(review): the endpoint is plain {@code http://}, so bucket
     * listings travel unencrypted and the client cannot verify it is talking
     * to the real Walrus; use an {@code https://} endpoint with a trusted
     * certificate anywhere this runs outside a lab network.
     */
    private static void init() throws Exception {
        AWSCredentialsProvider provider = new ClasspathPropertiesFileCredentialsProvider();
        s3 = new AmazonS3Client(provider);
        s3.setEndpoint("http://128.0.0.1:8773/services/Walrus");
    }

    /** Prints one " - key (size = n)" line for each object summary in {@code page}. */
    private static void printPage(ObjectListing page) {
        for (S3ObjectSummary summary : page.getObjectSummaries()) {
            System.out.println(" - " + summary.getKey() + " (size = " + summary.getSize() + ")");
        }
    }

    /**
     * Entry point: lists every object in {@code my-test-bucket}, 200 keys per
     * request, following the listing marker until the service reports that no
     * further pages remain.
     *
     * <p>Failures are reported on stdout rather than propagated: a service
     * error (the request reached Walrus and was rejected) prints its status,
     * error code and request ID so it can be traced server-side; a client
     * error (e.g. credentials could not be loaded) prints only its message.
     */
    public static void main(String[] args) throws Exception {
        init();
        try {
            String bucket = "my-test-bucket";
            System.out.println("Listing bucket " + bucket + ":");
            // Arguments: bucket, prefix, marker, delimiter, max keys per page.
            ListObjectsRequest request = new ListObjectsRequest(bucket, "", "", "", 200);
            ObjectListing page = s3.listObjects(request);
            printPage(page);
            while (page.isTruncated()) {
                // Resume from where the previous page stopped.
                request.setMarker(page.getNextMarker());
                page = s3.listObjects(request);
                printPage(page);
            }
        } catch (AmazonServiceException serviceError) {
            System.out.println("Exception: " + serviceError.getMessage());
            System.out.println("Status Code: " + serviceError.getStatusCode());
            System.out.println("Error Code: " + serviceError.getErrorCode());
            System.out.println("Request ID: " + serviceError.getRequestId());
        } catch (AmazonClientException clientError) {
            System.out.println("Error Message: " + clientError.getMessage());
        }
        System.out.println("===== FINISHED =====");
    }
}
This application produces output similar to the following:
Listing bucket my-test-bucket: - precise-server-cloudimg-amd64-vmlinuz-virtual.manifest.xml (size = 3553) - precise-server-cloudimg-amd64-vmlinuz-virtual.part.0 (size = 4904032) - precise-server-cloudimg-amd64.img.manifest.xml (size = 7014) - precise-server-cloudimg-amd64.img.part.0 (size = 10485760) - precise-server-cloudimg-amd64.img.part.1 (size = 10485760) - precise-server-cloudimg-amd64.img.part.10 (size = 10485760) - precise-server-cloudimg-amd64.img.part.11 (size = 10485760) - precise-server-cloudimg-amd64.img.part.12 (size = 10485760) - precise-server-cloudimg-amd64.img.part.13 (size = 10485760) - precise-server-cloudimg-amd64.img.part.14 (size = 10485760) - precise-server-cloudimg-amd64.img.part.15 (size = 10485760) - precise-server-cloudimg-amd64.img.part.16 (size = 10485760) - precise-server-cloudimg-amd64.img.part.17 (size = 10485760) - precise-server-cloudimg-amd64.img.part.18 (size = 10485760) - precise-server-cloudimg-amd64.img.part.19 (size = 10485760) - precise-server-cloudimg-amd64.img.part.2 (size = 10485760) - precise-server-cloudimg-amd64.img.part.20 (size = 10485760) - precise-server-cloudimg-amd64.img.part.21 (size = 10485760) - precise-server-cloudimg-amd64.img.part.22 (size = 2570400) - precise-server-cloudimg-amd64.img.part.3 (size = 10485760) - precise-server-cloudimg-amd64.img.part.4 (size = 10485760) - precise-server-cloudimg-amd64.img.part.5 (size = 10485760) - precise-server-cloudimg-amd64.img.part.6 (size = 10485760) - precise-server-cloudimg-amd64.img.part.7 (size = 10485760) - precise-server-cloudimg-amd64.img.part.8 (size = 10485760) - precise-server-cloudimg-amd64.img.part.9 (size = 10485760) ===== FINISHED =====
The problem with this approach is that the credentials are shipped with the application: ClasspathPropertiesFileCredentialsProvider reads a long-lived access key and secret key from a properties file on the classpath, so the keys end up inside the build artifact, can be extracted by anyone who can read it, and can only be rotated by rebuilding and redeploying. Using IAM roles is a more secure and easier way to manage credentials for applications that run on Eucalyptus cloud instances: the instance obtains short-lived credentials for the role at run time, and nothing secret is stored in the application. Create a role with a policy that grants only what the application needs — here, permission to list the one bucket it reads:
{
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-test-bucket"
}
]
}
The program now looks like this. The only change is in init(): the classpath credentials provider is replaced with InstanceProfileCredentialsProvider, which obtains the role's credentials from the instance metadata service; the bucket-listing code is untouched. (The import of ClasspathPropertiesFileCredentialsProvider is now unused and can be dropped.)
import com.amazonaws.auth.*;
import com.amazonaws.AmazonClientException;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.ClasspathPropertiesFileCredentialsProvider;
import com.amazonaws.services.ec2.AmazonEC2;
import com.amazonaws.services.ec2.AmazonEC2Client;
import com.amazonaws.services.s3.*;
import com.amazonaws.services.s3.model.*;
/**
 * Lists the objects in a Walrus (S3-compatible) bucket on a Eucalyptus cloud.
 *
 * <p>This version signs its requests with credentials for the IAM role
 * attached to the instance: {@link InstanceProfileCredentialsProvider} fetches
 * them from the instance metadata service at run time, so no access key is
 * stored in the application or its configuration.
 *
 * <p>NOTE(review): the metadata service is reachable by any process running
 * on the instance, so whatever the role may do, every workload on that
 * instance may do too. Keep the role's policy to the minimum the application
 * needs (the example policy grants only {@code s3:ListBucket} on one bucket).
 */
public class MyTestApp {
    static AmazonEC2 ec2; // declared by the sample but not used by this class
    static AmazonS3 s3;

    /**
     * Builds the S3 client with role credentials from the instance metadata
     * service and points it at the Walrus endpoint.
     *
     * <p>NOTE(review): the endpoint is plain {@code http://}, so bucket
     * listings travel unencrypted and the client cannot verify it is talking
     * to the real Walrus; use an {@code https://} endpoint with a trusted
     * certificate anywhere this runs outside a lab network.
     */
    private static void init() throws Exception {
        AWSCredentialsProvider provider = new InstanceProfileCredentialsProvider();
        s3 = new AmazonS3Client(provider);
        s3.setEndpoint("http://128.0.0.1:8773/services/Walrus");
    }

    /** Prints one " - key (size = n)" line for each object summary in {@code page}. */
    private static void printPage(ObjectListing page) {
        for (S3ObjectSummary summary : page.getObjectSummaries()) {
            System.out.println(" - " + summary.getKey() + " (size = " + summary.getSize() + ")");
        }
    }

    /**
     * Entry point: lists every object in {@code my-test-bucket}, 200 keys per
     * request, following the listing marker until the service reports that no
     * further pages remain.
     *
     * <p>Failures are reported on stdout rather than propagated: a service
     * error (the request reached Walrus and was rejected, e.g. because the
     * role's policy does not allow the call) prints its status, error code and
     * request ID; a client error — including being unable to reach the
     * metadata service when run outside an instance — prints only its message.
     */
    public static void main(String[] args) throws Exception {
        init();
        try {
            String bucket = "my-test-bucket";
            System.out.println("Listing bucket " + bucket + ":");
            // Arguments: bucket, prefix, marker, delimiter, max keys per page.
            ListObjectsRequest request = new ListObjectsRequest(bucket, "", "", "", 200);
            ObjectListing page = s3.listObjects(request);
            printPage(page);
            while (page.isTruncated()) {
                // Resume from where the previous page stopped.
                request.setMarker(page.getNextMarker());
                page = s3.listObjects(request);
                printPage(page);
            }
        } catch (AmazonServiceException serviceError) {
            System.out.println("Exception: " + serviceError.getMessage());
            System.out.println("Status Code: " + serviceError.getStatusCode());
            System.out.println("Error Code: " + serviceError.getErrorCode());
            System.out.println("Request ID: " + serviceError.getRequestId());
        } catch (AmazonClientException clientError) {
            System.out.println("Error Message: " + clientError.getMessage());
        }
        System.out.println("===== FINISHED =====");
    }
}
NOTE: Running this code outside of an instance (and, typically, on an instance that was launched without an IAM role) will result in the following error message, because there is no instance metadata service to supply role credentials:
Listing bucket my-test-bucket: Error Message: Unable to load credentials from Amazon EC2 metadata service