In our application we are using InstanceProfileCredentialsProvider to access Amazon S3 buckets, but in some of our environments credentials are messed up.
AWS documentation (https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-roles.html) reads:
If your application creates an AWS client using the default constructor, then the client will search for credentials using the default credentials provider chain, in the following order:
- In the Java system properties: aws.accessKeyId and aws.secretKey.
- In system environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
- In the default credentials file (the location of this file varies by platform).
- Credentials delivered through the Amazon EC2 container service if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and security manager has permission to access the variable.
- In the instance profile credentials, which exist within the instance metadata associated with the IAM role for the EC2 instance.
- Web Identity Token credentials from the environment or container.
Is there a way to know where specifically InstanceProfileCredentialsProvider gets the credentials? From the look at its source code, it's quite discreet and doesn't share much details though either API or logging.