Java AWS SDK v2 not assuming role on EKS

Recently I have been working with plain and simple Java app on AWS. At the end of the development cycle the last thing we needed to do was to throw it into EKS and we would call it job done ….

But then when the app started we noticed following errors in the console ( similar of course based on your implementation 😀 )

Exception: software.amazon.awssdk.services.sqs.model.SqsException: Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied. (Service: Sqs, Status Code: 403, Request ID: 0b994d11-a474-51bd-967c-17206ebf6106)

Following the best practices we checked the following:

  • All resources are created ( SQS )
  • IAM policies & roles are created with appropriate access and configuration ( OIDC )
  • IAM policy simulator shows appropriate & allowed access
  • EKS service account has the correct role ARN annotations
  • EKS test container with the afore mentioned service account properly assumes role
  • Verified the above with AWS CloudTrail log
  • ….. and the app container still not getting the correct role ….

At this moment it become obvious that something is wrong in the app code itself … so we started poking.

The first logical step was to include STS package to be able to retrieve user/role info via the GetCallerIdentity call.

And that has shown ( once again 🙁 … ) that we are not getting the correct role. It started to become more and more clear problem is deeply routed into SDK as default chain credentials discovery should get the proper setup …

And thats how we got across the following Github Issue which in its essence comes down to *explicitly* specifying the WebIdentityTokenFileCredentialsProvider

import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
S3Client s3 = S3Client.builder()

And that was it … hours later, many many coffees later the app was running happily with the right credentials 🙂


Leave a Reply

Your email address will not be published. Required fields are marked *