How to use AWS SSO session credentials in a Talend job
Talend provides multiple components for accessing AWS resources such as AWS S3, SNS, SQS, etc. To create a connection with AWS, Talend provides several authentication mechanisms.
A few of them are as follows.
- Access Key and Secret Key
- Inherit credentials from AWS role
- Assume role
These authentication mechanisms come in handy for production-ready jobs.
But if you are using AWS with Single Sign-On enabled, you might end up with no option to test the job locally using the available authentication mechanisms. Although AWS SSO provides session credentials for accessing AWS resources programmatically, the available Talend components give you no way to configure those credentials. This post describes a remedy for this limitation.
Let’s see a basic Talend AWS SQS connection.
As can be seen, the SQS connection uses Access Key and Secret Key authentication. Talend uses the AWS Java SDK under the hood to access AWS resources. That means this job design generates Java code that contains all of the SDK connection logic. You can see the generated code in the Code tab.
But this code cannot be edited within Talend. Instead, it is possible to extract the code and run it after modification. To get the whole source code out, build the job with the Java sources check-box checked.
These Java sources can then be modified according to the requirement. Let’s modify the SQS AWS connection configuration.
com.amazonaws.auth.AWSCredentials credentials_tSQSConnection_1 = new com.amazonaws.auth.BasicAWSCredentials("abcdefghijklmnopqrst",decryptedPassword_tSQSConnection_1);
As can be seen, Talend uses the BasicAWSCredentials class from the AWS SDK to connect to AWS. Let’s replace it with BasicSessionCredentials so that the AWS SSO session credentials can be used.
com.amazonaws.auth.AWSCredentials credentials_tSQSConnection_1 = new com.amazonaws.auth.BasicSessionCredentials("your_awsAccessKey", "your_awsSecretKey", "your_sessionToken");
Then create a JAR of the modified code, keeping the same names, and replace the Talend-created JAR in your build directory with it, so you can use the scripts that Talend created for you without any modification.
NOTE: This modification is only for local testing purposes and is NOT suitable for production deployment, as session credentials expire after some time.
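The replacement line above puts the session credentials into the source as string literals, which then end up inside the rebuilt JAR. As an added example (not part of the original post and not Talend-generated code), the hypothetical helper class `SsoSessionCredentials` below reads them from the standard AWS environment variables at run time instead; it assumes the AWS Java SDK v1 classes already bundled with the job are on the classpath.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/** Hypothetical helper (not Talend-generated): builds session credentials from the environment. */
public final class SsoSessionCredentials {

    // Standard AWS environment variable names for temporary credentials.
    static final String ACCESS_KEY = "AWS_ACCESS_KEY_ID";
    static final String SECRET_KEY = "AWS_SECRET_ACCESS_KEY";
    static final String SESSION_TOKEN = "AWS_SESSION_TOKEN";

    private SsoSessionCredentials() { }

    public static AWSCredentials fromEnvironment() {
        return from(System.getenv());
    }

    // Package-private overload so the lookup can be exercised with a constructed map.
    static AWSCredentials from(Map<String, String> env) {
        List<String> missing = new ArrayList<>();
        for (String name : new String[] {ACCESS_KEY, SECRET_KEY, SESSION_TOKEN}) {
            String value = env.get(name);
            if (value == null || value.trim().isEmpty()) {
                missing.add(name);
            }
        }
        if (!missing.isEmpty()) {
            // Report variable names only; never echo credential values into logs.
            throw new IllegalStateException("Missing AWS session credential variables: " + missing);
        }
        return new BasicSessionCredentials(
                env.get(ACCESS_KEY).trim(), env.get(SECRET_KEY).trim(), env.get(SESSION_TOKEN).trim());
    }
}

// In the extracted job source, the connection line then becomes:
// com.amazonaws.auth.AWSCredentials credentials_tSQSConnection_1 =
//         SsoSessionCredentials.fromEnvironment();
```

With this in place, refreshing expired SSO credentials only requires exporting the new values before running the Talend-generated script, with no rebuild of the JAR.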