I had exact requirements for Java, though there is a Spring Framework flavour to it.
**⚠️ one may do some tweaks to make it non Spring Boot based ⚠️**
I had created a blog relating to almost the same problem/integration. Link [here][1]
The example code is on GitHub [here][2]
The code refreshes the AWS credentials just before expiry of the previous set of credentials. This action is configurable based on a simple boolean flag.
This approach does not require creating a customization around the build package to mandate the inclusion of the [aws signing helper][3].
I hope you can use most of the code provided in the repo.
Happy to assist further.
Example configuration:-
```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
// IAMRolesAnywhereSessionsCredentialsProvider and AwsRolesAnywhereProperties come from the linked repository.

@Configuration
public class AwsConfig {

    // Variant 1: build the provider directly from the bound AwsRolesAnywhereProperties object.
    @Bean
    public AwsCredentialsProvider awsCredentialsProvider(final AwsRolesAnywhereProperties awsRolesAnywhereProperties,
                                                         final ObjectMapper objectMapper) {
        var rolesAnywhereCredentialsProvider = new IAMRolesAnywhereSessionsCredentialsProvider
                .Builder(awsRolesAnywhereProperties, objectMapper)
                .asyncCredentialUpdateEnabled(true)
                .build();
        return rolesAnywhereCredentialsProvider;
    }

    // Variant 2: the same provider with every parameter supplied explicitly on the builder.
    @Bean
    public AwsCredentialsProvider awsCredentialsProviderV2(final AwsRolesAnywhereProperties awsRolesAnywhereProperties,
                                                           final ObjectMapper objectMapper) {
        var rolesAnywhereCredentialsProvider = new IAMRolesAnywhereSessionsCredentialsProvider
                .Builder(objectMapper)
                .roleArn(awsRolesAnywhereProperties.getRoleArn())
                .profileArn(awsRolesAnywhereProperties.getProfileArn())
                .trustAnchorArn(awsRolesAnywhereProperties.getTrustAnchorArn())
                .encodedPrivateKey(awsRolesAnywhereProperties.getEncodedPrivateKey())
                .encodedX509Certificate(awsRolesAnywhereProperties.getEncodedX509Certificate())
                .durationSeconds(awsRolesAnywhereProperties.getDurationSeconds())
                .region(awsRolesAnywhereProperties.getRegion())
                .asyncCredentialUpdateEnabled(true)
                .prefetch(true)
                .build();
        return rolesAnywhereCredentialsProvider;
    }

    // Pass the credentials provider as anyone would generally do.
    // Two beans of this type exist; Spring resolves the ambiguity by matching the
    // parameter name `awsCredentialsProvider` against the bean of the same name.
    @Bean
    S3Client s3Client(final AwsCredentialsProvider awsCredentialsProvider,
                      final AwsRolesAnywhereProperties awsRolesAnywhereProperties) {
        return S3Client.builder()
                .credentialsProvider(awsCredentialsProvider)
                .region(Region.of(awsRolesAnywhereProperties.getRegion()))
                .build();
    }
}
```
Example application properties, strictly coupled with `AwsRolesAnywhereProperties`
```properties
# AWS account id
aws.account.id=111111111111
# AWS region for the aws roles anywhere, actual AWS resource client may use a different region
aws.roles.anywhere.region=us-east-1
# AWS IAM roles anywhere trusted role
aws.roles.anywhere.role-arn=arn:aws:iam::${aws.account.id}:role/ROLES_ANYWHERE_S3_READ_ONLY
# AWS IAM roles anywhere profile
aws.roles.anywhere.profile-arn=arn:aws:rolesanywhere:us-east-1:${aws.account.id}:profile/a-random-long-id
# AWS IAM roles anywhere trust anchor
aws.roles.anywhere.trust-anchor-arn=arn:aws:rolesanywhere:us-east-1:${aws.account.id}:trust-anchor/a-random-long-id
# AWS IAM roles anywhere session duration
aws.roles.anywhere.duration-seconds=900
# AWS IAM roles anywhere access related private key, in pem format, base 64 encoded
aws.roles.anywhere.encoded-private-key=removed for security and brevity
# AWS IAM roles anywhere access related X509 Cert, in pem format, base 64 encoded
aws.roles.anywhere.encoded-x509-certificate=removed for security and brevity
```
[1]: https://neuw.medium.com/spring-boot-aws-roles-anywhere-quick-guide-fb9e85db9c20?sk=957ad57866d702cccd861d7cade4b234
[2]: https://github.com/krnbr/aws-iam-rolesanywhere
[3]: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
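The answer's key point is that the provider refreshes the Roles Anywhere session credentials just before the previous set expires. The following is an added illustration of that refresh-ahead behaviour, written against the AWS SDK v2 `AwsCredentialsProvider` interface; it is not code from the linked repository or from the answer. The `Session` record, the `sessionSource` supplier (which stands in for the signed CreateSession call the repository performs) and the `MutableClock` are assumptions made for the example, and the demo in `main` uses constructed placeholder credentials, so it makes no AWS call. It also covers the two edge cases a practitioner cares about: a transient refresh failure is tolerated only while the current credentials are still valid, and expired credentials are never handed to a client.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;

/**
 * Refresh-ahead wrapper around a session-credential source. Credentials are refreshed once they
 * are within refreshWindow of expiry, so a caller never receives a set that lapses mid-request.
 */
public final class RefreshAheadCredentialsProvider implements AwsCredentialsProvider {

    /** One issued session: the credentials plus the expiry the service reported for them (assumed shape). */
    public record Session(AwsSessionCredentials credentials, Instant expiration) {
        public Session {
            Objects.requireNonNull(credentials);
            Objects.requireNonNull(expiration);
        }
    }

    private final Supplier<Session> sessionSource; // hypothetical: performs the signed CreateSession call
    private final Duration refreshWindow;
    private final Clock clock;
    private volatile Session current;

    public RefreshAheadCredentialsProvider(Supplier<Session> sessionSource, Duration refreshWindow, Clock clock) {
        this.sessionSource = Objects.requireNonNull(sessionSource);
        this.refreshWindow = Objects.requireNonNull(refreshWindow);
        this.clock = Objects.requireNonNull(clock);
    }

    @Override
    public AwsCredentials resolveCredentials() {
        Session s = current;
        Instant now = clock.instant();
        if (s != null && !needsRefresh(s, now)) {
            return s.credentials();            // fast path: cached set is comfortably within its lifetime
        }
        synchronized (this) {
            s = current;                       // re-check: another thread may have refreshed meanwhile
            now = clock.instant();
            if (s != null && !needsRefresh(s, now)) {
                return s.credentials();
            }
            try {
                Session fresh = sessionSource.get();
                if (!fresh.expiration().isAfter(now)) {
                    throw new IllegalStateException("credential source returned already-expired credentials");
                }
                current = fresh;
                return fresh.credentials();
            } catch (RuntimeException e) {
                // Tolerate a transient refresh failure only while the previous set is still valid;
                // an expired set is never served, the failure surfaces instead.
                if (s != null && s.expiration().isAfter(now)) {
                    return s.credentials();
                }
                throw new IllegalStateException("unable to obtain valid session credentials", e);
            }
        }
    }

    /** True once the session is inside the refresh window (or already expired). */
    private boolean needsRefresh(Session s, Instant now) {
        return !now.isBefore(s.expiration().minus(refreshWindow));
    }

    /** Test clock for the demo so the refresh point can be reached without waiting. */
    static final class MutableClock extends Clock {
        private Instant now;
        MutableClock(Instant start) { now = start; }
        void advance(Duration d) { now = now.plus(d); }
        @Override public ZoneId getZone() { return ZoneOffset.UTC; }
        @Override public Clock withZone(ZoneId zone) { return this; }
        @Override public Instant instant() { return now; }
    }

    /** Demo with a constructed, fake credential source; no network call is made. */
    public static void main(String[] args) {
        MutableClock clock = new MutableClock(Instant.parse("2024-01-01T00:00:00Z"));
        AtomicInteger calls = new AtomicInteger();
        Supplier<Session> fakeSource = () -> {
            int n = calls.incrementAndGet();
            // Constructed placeholder values; a real source would return the CreateSession result.
            AwsSessionCredentials creds = AwsSessionCredentials.create("ASIAEXAMPLE" + n, "secret-" + n, "token-" + n);
            return new Session(creds, clock.instant().plusSeconds(900)); // 900 s, like duration-seconds above
        };
        var provider = new RefreshAheadCredentialsProvider(fakeSource, Duration.ofSeconds(60), clock);
        provider.resolveCredentials();                  // first call fetches a session
        clock.advance(Duration.ofSeconds(800));
        provider.resolveCredentials();                  // 100 s left, outside the window: served from cache
        clock.advance(Duration.ofSeconds(50));
        provider.resolveCredentials();                  // 50 s left, inside the window: refreshed before expiry
        System.out.println("CreateSession calls made: " + calls.get());
    }
}
```

The refresh window should be longer than the slowest request the client will sign with the credentials, otherwise a long-running call can still straddle the expiry; the repository's `asyncCredentialUpdateEnabled(true)` moves the same refresh onto a background thread so no caller pays the latency of the CreateSession call.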