Interface IdentityProvider<IdentityT extends Identity>

All Known Subinterfaces:

AwsCredentialsProvider, HttpCredentialsProvider, SdkTokenProvider

All Known Implementing Classes:

AnonymousCredentialsProvider, AwsCredentialsProviderChain, ContainerCredentialsProvider, DefaultAwsTokenProvider, DefaultCredentialsProvider, DefaultS3ExpressIdentityProvider, EnvironmentVariableCredentialsProvider, InstanceProfileCredentialsProvider, LazyAwsCredentialsProvider, LazyTokenProvider, LoginCredentialsProvider, ProcessCredentialsProvider, ProfileCredentialsProvider, ProfileTokenProvider, SdkTokenProviderChain, SsoAccessTokenProvider, SsoCredentialsProvider, SsoOidcTokenProvider, StaticCredentialsProvider, StaticTokenProvider, StsAssumeRoleCredentialsProvider, StsAssumeRoleWithSamlCredentialsProvider, StsAssumeRoleWithWebIdentityCredentialsProvider, StsCredentialsProvider, StsGetFederationTokenCredentialsProvider, StsGetSessionTokenCredentialsProvider, StsWebIdentityTokenFileCredentialsProvider, SystemPropertyCredentialsProvider, SystemSettingsCredentialsProvider, WebIdentityTokenFileCredentialsProvider

@SdkPublicApi
@ThreadSafe
public interface IdentityProvider<IdentityT extends Identity>

Interface for loading Identity that is used for authentication.

Identity providers are responsible for resolving credentials, tokens, or other authentication identities that are used by signers to authenticate requests. The SDK provides built-in identity providers for common identity types like AwsCredentialsIdentity and TokenIdentity.

Common Built-in Identity Providers

• DefaultCredentialsProvider - Resolves AWS credentials from the default credential chain
• StaticCredentialsProvider - Provides static AWS credentials
• ProfileCredentialsProvider - Resolves credentials from AWS profiles
• StsAssumeRoleCredentialsProvider - Assumes an IAM role using STS

How Identity Providers Work

Identity providers are selected by AuthSchemes based on the identity type they produce. The SDK matches the identity type required by the auth scheme with the appropriate provider from IdentityProviders.

Implementing a Custom Identity Provider

You can implement custom identity providers for specialized authentication scenarios, such as retrieving credentials from a custom credential store or implementing a custom token provider.

Example - Custom credentials provider:

public class CustomCredentialsProvider implements IdentityProvider<AwsCredentialsIdentity> {
    @Override
    public Class<AwsCredentialsIdentity> identityType() {
        return AwsCredentialsIdentity.class;
    }

    @Override
    public CompletableFuture<AwsCredentialsIdentity> resolveIdentity(ResolveIdentityRequest request) {
        // Retrieve credentials from custom source
        String accessKeyId = retrieveAccessKeyFromCustomStore();
        String secretAccessKey = retrieveSecretKeyFromCustomStore();

        AwsCredentialsIdentity credentials = AwsBasicCredentials.create(accessKeyId, secretAccessKey);
        return CompletableFuture.completedFuture(credentials);
    }

    private String retrieveAccessKeyFromCustomStore() {
        // Custom implementation
    }

    private String retrieveSecretKeyFromCustomStore() {
        // Custom implementation
    }
}

// Configure on client
S3Client s3 = S3Client.builder()
    .region(Region.US_WEST_2)
    .credentialsProvider(new CustomCredentialsProvider())
    .build();

Using Identity Properties

Identity providers can read IdentityProperty values from the ResolveIdentityRequest to customize identity resolution based on request-specific parameters.

Example - Identity provider using properties:

public class RoleBasedCredentialsProvider implements IdentityProvider<AwsCredentialsIdentity> {
    public static final IdentityProperty<String> ROLE_ARN =
        IdentityProperty.create(RoleBasedCredentialsProvider.class, "RoleArn");

    @Override
    public Class<AwsCredentialsIdentity> identityType() {
        return AwsCredentialsIdentity.class;
    }

    @Override
    public CompletableFuture<AwsCredentialsIdentity> resolveIdentity(ResolveIdentityRequest request) {
        // Read property from request
        String roleArn = request.property(ROLE_ARN);

        // Assume role and return credentials
        return assumeRoleAndGetCredentials(roleArn);
    }
}

See Also:

• Identity
• IdentityProviders
• IdentityProperty
• AuthScheme

Method Summary

Modifier and Type	Method	Description
Class<IdentityT>	identityType()	Retrieve the class of identity this identity provider produces.
default CompletableFuture<? extends IdentityT>	resolveIdentity()	Resolve the identity from this identity provider.
default CompletableFuture<? extends IdentityT>	resolveIdentity(Consumer<ResolveIdentityRequest.Builder> consumer)	Resolve the identity from this identity provider.
CompletableFuture<? extends IdentityT>	resolveIdentity(ResolveIdentityRequest request)	Resolve the identity from this identity provider.

Method Details

identityType

Class<IdentityT> identityType()

Retrieve the class of identity this identity provider produces. This is necessary for the SDK core to determine which identity provider should be used to resolve a specific type of identity.

resolveIdentity

CompletableFuture<? extends IdentityT> resolveIdentity(ResolveIdentityRequest request)

Resolve the identity from this identity provider.

Parameters:

request - The request to resolve an Identity

resolveIdentity

default CompletableFuture<? extends IdentityT> resolveIdentity(Consumer<ResolveIdentityRequest.Builder> consumer)

Resolve the identity from this identity provider. Similar to resolveIdentity(ResolveIdentityRequest), but takes a lambda to configure a new ResolveIdentityRequest.Builder. This removes the need to call ResolveIdentityRequest.builder() and SdkBuilder.build().

Parameters:

consumer - A Consumer to which an empty ResolveIdentityRequest.Builder will be given.

resolveIdentity

default CompletableFuture<? extends IdentityT> resolveIdentity()

Resolve the identity from this identity provider.