Credentials

Credential handling differs from one store provider to another. See Stores Properties for the property definitions.

Azure Blob

Credentials are managed in the following order:
  1. Connection String (az.connectionString). Connection String includes endpoint.
  2. StorageSharedKeyCredential using account name and account key (az.accountName, az.accountKey) with a calculated endpoint. For more information, refer to Stores Properties.
  3. SAS token (az.sasToken)
  4. Managed Identity (az.managedIdentityId)
  5. Workload Identity (az.workloadIdentityId, optional: az.workloadTenantId, az.workloadServiceTokenFilePath) – Only available if running inside Azure
  6. Environment variables credentials

Google Storage

Only the Google Account generated JSON credential file can be used. Set the property gs.credentialsPath to the location of this file.

IBM Cloud Object Storage

Credentials are managed in the following order:
  1. JSON credentials file path (cos.credentialsPath)
  2. BasicIBMOAuthCredentials using API key and service ID (cos.apiKey, cos.serviceId)
  3. BasicAWSCredentials using HMAC access key and secret key (cos.hmacAccessKey, cos.hmacSecretKey)
  4. ProfileCredentialsProvider using profile path and profile name (cos.profilePath, cos.profileName)
  5. The default credentials provider chain
    1. Environment Variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
    2. Java System Properties aws.accessKeyId and aws.secretKey
    3. JSON credential file at the default location (~/.bluemix/cos_credentials)
    4. Web Identity Token credentials from the environment or container.
    5. Credential profiles file at the default location (~/.aws/credentials)
    6. Credentials delivered through the Amazon EC2 container service if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and the security manager has permission to access the variable
    7. Instance profile credentials delivered through the Amazon EC2 metadata service

Amazon S3

Credentials are managed in the following order:
  1. AwsBasicCredentials using HMAC access key and secret key (s3.accessKey, s3.secretKey)
  2. ProfileCredentialsProvider using profile path and profile name (s3.profilePath, s3.configPath, s3.profileName)
  3. The default credentials provider chain
    1. Environment Variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
    2. Java System Properties aws.accessKeyId and aws.secretKey
    3. Web Identity Token credentials from the environment or container
    4. Credential profiles file at the default location (~/.aws/credentials)
    5. Credentials delivered through the Amazon EC2 container service if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and the security manager has permission to access the variable
    6. Instance profile credentials delivered through the Amazon EC2 metadata service
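
The ordered lists above mean that an earlier entry silently wins over a later one, so a leftover static key can shadow an identity-based setting. The following is an added example, not the product's own code, that models the explicit-property steps for Azure Blob, IBM Cloud Object Storage and Amazon S3 and reports which step wins. It assumes a step is selected when its properties are non-empty, and that s3.profileName alone selects the S3 profile step.

```python
# Added example: models the precedence lists on this page; not the product's own code.
# Each entry: (step, properties that select it, True when a property value is itself a secret).
ORDER = {
    "azure": [
        ("connection string", ["az.connectionString"], True),  # typically embeds a key or SAS
        ("shared key", ["az.accountName", "az.accountKey"], True),
        ("SAS token", ["az.sasToken"], True),
        ("managed identity", ["az.managedIdentityId"], False),
        ("workload identity", ["az.workloadIdentityId"], False),
    ],
    "cos": [
        ("JSON credentials file", ["cos.credentialsPath"], False),
        ("API key and service id", ["cos.apiKey", "cos.serviceId"], True),
        ("HMAC keys", ["cos.hmacAccessKey", "cos.hmacSecretKey"], True),
        ("profile", ["cos.profilePath", "cos.profileName"], False),
    ],
    "s3": [
        ("HMAC keys", ["s3.accessKey", "s3.secretKey"], True),
        # Assumption: the profile name alone selects this step (paths have defaults).
        ("profile", ["s3.profileName"], False),
    ],
}
FALLBACK = {"azure": "environment variables credentials",
            "cos": "default credentials provider chain",
            "s3": "default credentials provider chain"}

def configured_steps(provider, props):
    # Assumption: a step is configured when all of its properties are non-empty.
    return [(name, secret) for name, keys, secret in ORDER[provider]
            if all(props.get(k, "").strip() for k in keys)]

def resolve(provider, props):
    """Return (step that wins, steps that are configured but never reached)."""
    hits = configured_steps(provider, props)
    winner = hits[0][0] if hits else FALLBACK[provider]
    return winner, [name for name, _ in hits[1:]]

def audit(provider, props):
    """List findings a reviewer would raise for this property set."""
    hits = configured_steps(provider, props)
    findings = []
    if hits and hits[0][1]:
        findings.append(f"{hits[0][0]}: secret value stored in the properties")
    findings += [f"{name}: ignored, {hits[0][0]} comes first" for name, _ in hits[1:]]
    return findings

# Constructed sample: a leftover account key shadows the managed identity.
SAMPLE = {"az.accountName": "examplestore", "az.accountKey": "CONSTRUCTED-KEY",
          "az.managedIdentityId": "00000000-0000-0000-0000-000000000000"}

if __name__ == "__main__":
    print(resolve("azure", SAMPLE))
    print(*audit("azure", SAMPLE), sep="\n")
```

Run it against a store's property set before deployment; an empty audit result means no inline secret wins and nothing is shadowed.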

Using S3 Role

The role ARN mechanism can be used directly inside profiles or specified through properties. When provided through properties, a Security Token Service client is created to obtain temporary credentials the same way the profile mechanism does.

To provide the role properties, the following properties can be used:
  • s3.roleArn
  • s3.roleProfile
  • s3.roleDuration (optional)

Credentials refresh

When a profile entry is updated in either the credentials or the config file, whether the file is in its default location or in a custom location (set with s3.profilePath, s3.configPath), the credentials are validated again.

If the refreshed credentials have become invalid, the current process may be aborted.