awspring
diff --git a/‎docs/src/main/asciidoc/_configprops.adoc
Lines changed: 10 additions & 6 deletions b/‎docs/src/main/asciidoc/_configprops.adoc
Lines changed: 10 additions & 6 deletions
diff --git a/‎docs/src/main/asciidoc/core.adoc
Lines changed: 53 additions & 1 deletion b/‎docs/src/main/asciidoc/core.adoc
Lines changed: 53 additions & 1 deletion
diff --git a/‎spring-cloud-aws-autoconfigure/pom.xml
Lines changed: 5 additions & 0 deletions b/‎spring-cloud-aws-autoconfigure/pom.xml
Lines changed: 5 additions & 0 deletions
diff --git a/‎spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/config/AbstractAwsConfigDataLocationResolver.java
Lines changed: 12 additions & 9 deletions b/‎spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/config/AbstractAwsConfigDataLocationResolver.java
Lines changed: 12 additions & 9 deletions
diff --git a/‎spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/core/CredentialsProperties.java
Lines changed: 17 additions & 0 deletions b/‎spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/core/CredentialsProperties.java
Lines changed: 17 additions & 0 deletions
diff --git a/‎spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/core/CredentialsProviderAutoConfiguration.java
Lines changed: 49 additions & 4 deletions b/‎spring-cloud-aws-autoconfigure/src/main/java/io/awspring/cloud/autoconfigure/core/CredentialsProviderAutoConfiguration.java
Lines changed: 49 additions & 4 deletions
@@ -4,9 +4,13 @@
 |spring.cloud.aws.cloudwatch.endpoint |  | Overrides the default endpoint.
 |spring.cloud.aws.cloudwatch.region |  | Overrides the default region.
 |spring.cloud.aws.credentials.access-key |  | The access key to be used with a static provider.
-|spring.cloud.aws.credentials.instance-profile | `+++false+++` | Configures an instance profile credentials provider with no further configuration.
+|spring.cloud.aws.credentials.instance-profile |  | Configures an instance profile credentials provider with no further configuration.
 |spring.cloud.aws.credentials.profile |  | The AWS profile.
 |spring.cloud.aws.credentials.secret-key |  | The secret key to be used with a static provider.
+|spring.cloud.aws.credentials.sts.async-credentials-update |  | 
+|spring.cloud.aws.credentials.sts.role-arn |  | ARN of IAM role associated with STS. If not provided this will be read from {@link software.amazon.awssdk.core.SdkSystemSetting}.
+|spring.cloud.aws.credentials.sts.role-session-name |  | Role session name that will be used by credentials provider. By default this is read from {@link software.amazon.awssdk.core.SdkSystemSetting}.
+|spring.cloud.aws.credentials.sts.web-identity-token-file |  | Absolute path to the web identity token file that will be used by credentials provider. By default this will be read from {@link software.amazon.awssdk.core.SdkSystemSetting}.
 |spring.cloud.aws.defaults-mode |  | Sets the {@link DefaultsMode} that will be used to determine how certain default configuration options are resolved in the SDK. <a href= "https://aws.amazon.com/blogs/developer/introducing-smart-configuration-defaults-in-the-aws-sdk-for-java-v2/">Introducing Smart Configuration Defaults in the AWS SDK for Java v2</a>
 |spring.cloud.aws.dualstack-enabled |  | Configure whether the SDK should use the AWS dualstack endpoint.
 |spring.cloud.aws.dynamodb.dax.cluster-update-interval-millis |  | Interval between polling of cluster members for membership changes.
@@ -29,10 +33,10 @@
 |spring.cloud.aws.fips-enabled |  | Configure whether the SDK should use the AWS fips endpoints.
 |spring.cloud.aws.parameterstore.endpoint |  | Overrides the default endpoint.
 |spring.cloud.aws.parameterstore.region |  | Overrides the default region.
-|spring.cloud.aws.parameterstore.reload.max-wait-for-restart | `+++2s+++` | If {@link ReloadStrategy#RESTART_CONTEXT} is configured, maximum waiting time for server restart.
-|spring.cloud.aws.parameterstore.reload.period | `+++1m+++` | Refresh period for {@link PollingAwsPropertySourceChangeDetector}.
+|spring.cloud.aws.parameterstore.reload.max-wait-for-restart |  | If {@link ReloadStrategy#RESTART_CONTEXT} is configured, maximum waiting time for server restart.
+|spring.cloud.aws.parameterstore.reload.period |  | Refresh period for {@link PollingAwsPropertySourceChangeDetector}.
 |spring.cloud.aws.parameterstore.reload.strategy |  | Reload strategy to run when properties change.
-|spring.cloud.aws.region.instance-profile | `+++false+++` | Configures an instance profile region provider with no further configuration.
+|spring.cloud.aws.region.instance-profile |  | Configures an instance profile region provider with no further configuration.
 |spring.cloud.aws.region.profile |  | The AWS profile.
 |spring.cloud.aws.region.static |  | 
 |spring.cloud.aws.s3.accelerate-mode-enabled |  | Option to enable using the accelerate endpoint when accessing S3. Accelerate endpoints allow faster transfer of objects by using Amazon CloudFront's globally distributed edge locations.
@@ -51,8 +55,8 @@
 |spring.cloud.aws.s3.use-arn-region-enabled |  | If an S3 resource ARN is passed in as the target of an S3 operation that has a different region to the one the client was configured with, this flag must be set to 'true' to permit the client to make a cross-region call to the region specified in the ARN otherwise an exception will be thrown.
 |spring.cloud.aws.secretsmanager.endpoint |  | Overrides the default endpoint.
 |spring.cloud.aws.secretsmanager.region |  | Overrides the default region.
-|spring.cloud.aws.secretsmanager.reload.max-wait-for-restart | `+++2s+++` | If {@link ReloadStrategy#RESTART_CONTEXT} is configured, maximum waiting time for server restart.
-|spring.cloud.aws.secretsmanager.reload.period | `+++1m+++` | Refresh period for {@link PollingAwsPropertySourceChangeDetector}.
+|spring.cloud.aws.secretsmanager.reload.max-wait-for-restart |  | If {@link ReloadStrategy#RESTART_CONTEXT} is configured, maximum waiting time for server restart.
+|spring.cloud.aws.secretsmanager.reload.period |  | Refresh period for {@link PollingAwsPropertySourceChangeDetector}.
 |spring.cloud.aws.secretsmanager.reload.strategy |  | Reload strategy to run when properties change.
 |spring.cloud.aws.ses.enabled | `+++true+++` | Enables Simple Email Service integration.
 |spring.cloud.aws.ses.endpoint |  | Overrides the default endpoint.
 
@@ -26,6 +26,21 @@ public interface AwsCredentialsProvider {
 }
 ----
 
+There are 3 ways in which the `AwsCredentialsProvider` in Spring Cloud AWS can be configured:
+
+1. `DefaultCredentialsProvider`
+2. `StsWebIdentityTokenFileCredentialsProvider` - recommended for EKS
+3. Custom `AwsCredentialsProvider`
+
+If you are having problems with configuring credentials, consider enabling debug logging for more info:
+
+[source,properties]
+----
+logging.level.io.awspring.cloud=debug
+----
+
+==== DefaultCredentialsProvider
+
 By default, Spring Cloud AWS starter auto-configures a `DefaultCredentialsProvider`, which looks for AWS credentials in this order:
 
 1. Java System Properties - `aws.accessKeyId` and `aws.secretAccessKey`
@@ -61,9 +76,46 @@ If it does not serve your project needs, this behavior can be changed by setting
 
 |spring.cloud.aws.credentials.profile.path
 |`~/.aws/credentials`
-|The file path where the profile configuration file is located. Defaults to `~/.aws/credentials` if value is not provided
+|The file path where the profile configuration file is located. Defaults to `~/.aws/credentials` if a value is not provided
 |===
 
+==== StsWebIdentityTokenFileCredentialsProvider
+
+The `StsWebIdentityTokenFileCredentialsProvider` allows your application to assume an AWS IAM Role using a web identity token file, which is especially useful in Kubernetes and AWS EKS environments.
+
+===== Prerequisites
+1. Create a role that you want to assume.
+2. Create a web identity token file for your application.
+
+In EKS, please follow this guide to set up service accounts https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html
+
+The `StsWebIdentityTokenFileCredentialsProvider` support is optional, so you need to include the following Maven dependency:
+[source,xml,indent=0]
+----
+<dependency>
+	<groupId>software.amazon.awssdk</groupId>
+	<artifactId>sts</artifactId>
+</dependency>
+----
+
+
+===== Configuring
+In EKS no additional configuration is required as the service account already configures the correct environment variables; however, they can be overridden.
+
+STS credentials configuration supports following properties:
+
+[cols="2,3,1,1"]
+|===
+| Name | Description | Required | Default value
+| `spring.cloud.aws.credentials.sts.role-arn` | ARN of IAM role associated with STS. | No | `null` (falls back to SDK default)
+| `spring.cloud.aws.credentials.sts.web-identity-token-file` | Absolute path to the web identity token file that will be used by credentials provider. | No | `null` (falls back to SDK default)
+| `spring.cloud.aws.credentials.sts.is-async-credentials-update` | Enables provider to asynchronously fetch credentials in the background. | No | `false`
+| `spring.cloud.aws.credentials.sts.role-session-name` | Role session name that will be used by credentials provider. | No | `null` (falls back to SDK default)
+|===
+
+
+==== Custom AwsCredentialsProvider
+
 It is also possible to configure custom `AwsCredentialsProvider` bean which will prevent Spring Cloud AWS from auto-configuring credentials provider:
 
 [source,java,indent=0]
 
@@ -146,6 +146,11 @@
 			<artifactId>spring-boot-starter-aop</artifactId>
 			<optional>true</optional>
 		</dependency>
+		<dependency>
+			<groupId>software.amazon.awssdk</groupId>
+			<artifactId>sts</artifactId>
+			<optional>true</optional>
+		</dependency>
 
 	</dependencies>
 </project>
@@ -15,10 +15,11 @@
  */
 package io.awspring.cloud.autoconfigure.config;
 
+import static io.awspring.cloud.autoconfigure.core.CredentialsProviderAutoConfiguration.createCredentialsProvider;
+
 import io.awspring.cloud.autoconfigure.AwsClientProperties;
 import io.awspring.cloud.autoconfigure.core.AwsProperties;
 import io.awspring.cloud.autoconfigure.core.CredentialsProperties;
-import io.awspring.cloud.autoconfigure.core.CredentialsProviderAutoConfiguration;
 import io.awspring.cloud.autoconfigure.core.RegionProperties;
 import io.awspring.cloud.autoconfigure.core.RegionProviderAutoConfiguration;
 import io.awspring.cloud.core.SpringCloudClientConfiguration;
@@ -48,6 +49,7 @@
  *
  * @param <T> - the location type
  * @author Maciej Walkowiak
+ * @author Eduan Bekker
  * @since 3.0
  */
 public abstract class AbstractAwsConfigDataLocationResolver<T extends ConfigDataResource>
@@ -116,24 +118,25 @@ protected List<String> getCustomContexts(String keys) {
 
 	protected <T extends AwsClientBuilder<?, ?>> T configure(T builder, AwsClientProperties properties,
 			BootstrapContext context) {
-		AwsCredentialsProvider credentialsProvider;
+
+		AwsRegionProvider regionProvider;
 
 		try {
-			credentialsProvider = context.get(AwsCredentialsProvider.class);
+			regionProvider = context.get(AwsRegionProvider.class);
 		}
 		catch (IllegalStateException e) {
-			CredentialsProperties credentialsProperties = context.get(CredentialsProperties.class);
-			credentialsProvider = CredentialsProviderAutoConfiguration.createCredentialsProvider(credentialsProperties);
+			RegionProperties regionProperties = context.get(RegionProperties.class);
+			regionProvider = RegionProviderAutoConfiguration.createRegionProvider(regionProperties);
 		}
 
-		AwsRegionProvider regionProvider;
+		AwsCredentialsProvider credentialsProvider;
 
 		try {
-			regionProvider = context.get(AwsRegionProvider.class);
+			credentialsProvider = context.get(AwsCredentialsProvider.class);
 		}
 		catch (IllegalStateException e) {
-			RegionProperties regionProperties = context.get(RegionProperties.class);
-			regionProvider = RegionProviderAutoConfiguration.createRegionProvider(regionProperties);
+			CredentialsProperties credentialsProperties = context.get(CredentialsProperties.class);
+			credentialsProvider = createCredentialsProvider(credentialsProperties, regionProvider);
 		}
 
 		AwsProperties awsProperties = context.get(AwsProperties.class);
 
@@ -16,6 +16,7 @@
 package io.awspring.cloud.autoconfigure.core;
 
 import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.NestedConfigurationProperty;
 import org.springframework.lang.Nullable;
 
 /**
@@ -55,6 +56,14 @@ public class CredentialsProperties {
 	@Nullable
 	private Profile profile;
 
+	/**
+	 * Properties used to configure STS
+	 * {@link software.amazon.awssdk.services.sts.auth.StsWebIdentityTokenFileCredentialsProvider}.
+	 */
+	@NestedConfigurationProperty
+	@Nullable
+	private StsProperties sts;
+
 	@Nullable
 	public String getAccessKey() {
 		return this.accessKey;
@@ -90,4 +99,12 @@ public void setProfile(Profile profile) {
 		this.profile = profile;
 	}
 
+	@Nullable
+	public StsProperties getSts() {
+		return sts;
+	}
+
+	public void setSts(@Nullable StsProperties sts) {
+		this.sts = sts;
+	}
 }
@@ -18,12 +18,17 @@
 import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.List;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.context.properties.PropertyMapper;
 import org.springframework.context.annotation.Bean;
+import org.springframework.lang.Nullable;
+import org.springframework.util.ClassUtils;
 import org.springframework.util.StringUtils;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
@@ -33,31 +38,40 @@
 import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
 import software.amazon.awssdk.profiles.ProfileFile;
+import software.amazon.awssdk.regions.providers.AwsRegionProvider;
+import software.amazon.awssdk.services.sts.StsClient;
+import software.amazon.awssdk.services.sts.auth.StsWebIdentityTokenFileCredentialsProvider;
 
 /**
  * {@link EnableAutoConfiguration} for {@link AwsCredentialsProvider}.
  *
  * @author Maciej Walkowiak
  * @author Eddú Meléndez
+ * @author Eduan Bekker
  */
 @AutoConfiguration
 @ConditionalOnClass({ AwsCredentialsProvider.class, ProfileFile.class })
+@ConditionalOnMissingBean(AwsCredentialsProvider.class)
 @EnableConfigurationProperties(CredentialsProperties.class)
 public class CredentialsProviderAutoConfiguration {
+	private static final Logger LOGGER = LoggerFactory.getLogger(CredentialsProviderAutoConfiguration.class);
+	private static final String STS_WEB_IDENTITY_TOKEN_FILE_CREDENTIALS_PROVIDER = "software.amazon.awssdk.services.sts.auth.StsWebIdentityTokenFileCredentialsProvider";
 
 	private final CredentialsProperties properties;
+	private final AwsRegionProvider regionProvider;
 
-	public CredentialsProviderAutoConfiguration(CredentialsProperties properties) {
+	public CredentialsProviderAutoConfiguration(CredentialsProperties properties, AwsRegionProvider regionProvider) {
 		this.properties = properties;
+		this.regionProvider = regionProvider;
 	}
 
 	@Bean
-	@ConditionalOnMissingBean
 	public AwsCredentialsProvider credentialsProvider() {
-		return createCredentialsProvider(this.properties);
+		return createCredentialsProvider(this.properties, this.regionProvider);
 	}
 
-	public static AwsCredentialsProvider createCredentialsProvider(CredentialsProperties properties) {
+	public static AwsCredentialsProvider createCredentialsProvider(CredentialsProperties properties,
+			AwsRegionProvider regionProvider) {
 		final List<AwsCredentialsProvider> providers = new ArrayList<>();
 
 		if (StringUtils.hasText(properties.getAccessKey()) && StringUtils.hasText(properties.getSecretKey())) {
@@ -73,6 +87,17 @@ public static AwsCredentialsProvider createCredentialsProvider(CredentialsProper
 			providers.add(createProfileCredentialProvider(profile));
 		}
 
+		StsProperties sts = properties.getSts();
+		if (ClassUtils.isPresent(STS_WEB_IDENTITY_TOKEN_FILE_CREDENTIALS_PROVIDER, null)) {
+			try {
+				providers.add(StsCredentialsProviderFactory.create(sts, regionProvider));
+			}
+			catch (IllegalStateException e) {
+				LOGGER.warn(
+						"Skipping creating `StsCredentialsProvider`. `software.amazon.awssdk:sts` is on the classpath, but neither `spring.cloud.aws.credentials.sts` properties are configured nor `AWS_WEB_IDENTITY_TOKEN_FILE` or the javaproperty `aws.webIdentityTokenFile` is set");
+			}
+		}
+
 		if (providers.isEmpty()) {
 			return DefaultCredentialsProvider.create();
 		}
@@ -101,4 +126,24 @@ private static ProfileCredentialsProvider createProfileCredentialProvider(Profil
 		return ProfileCredentialsProvider.builder().profileName(profile.getName()).profileFile(profileFile).build();
 	}
 
+	/**
+	 * Wrapper class to avoid {@link NoClassDefFoundError}.
+	 */
+	private static class StsCredentialsProviderFactory {
+		private static AwsCredentialsProvider create(@Nullable StsProperties stsProperties,
+				AwsRegionProvider regionProvider) {
+			PropertyMapper propertyMapper = PropertyMapper.get();
+			StsWebIdentityTokenFileCredentialsProvider.Builder builder = StsWebIdentityTokenFileCredentialsProvider
+					.builder().stsClient(StsClient.builder().region(regionProvider.getRegion()).build());
+
+			if (stsProperties != null) {
+				builder.asyncCredentialUpdateEnabled(stsProperties.isAsyncCredentialsUpdate());
+				propertyMapper.from(stsProperties::getRoleArn).whenNonNull().to(builder::roleArn);
+				propertyMapper.from(stsProperties::getWebIdentityTokenFile).whenNonNull()
+						.to(b -> builder.webIdentityTokenFile(Paths.get(b)));
+				propertyMapper.from(stsProperties::getRoleSessionName).whenNonNull().to(builder::roleSessionName);
+			}
+			return builder.build();
+		}
+	}
 }