
IAM Roles and Policies for Spring Boot Applications

Learn AWS IAM Roles and Policies from a Spring Boot developer's perspective. This guide covers IAM users, roles, policies, STS, least privilege, EC2 instance profiles, ECS task roles, EKS IRSA, and secure AWS service access without storing credentials.


Introduction

Security is one of the most important aspects of every cloud application.

A Spring Boot application may need access to AWS services such as:

  • Amazon S3
  • Amazon RDS IAM Authentication
  • Amazon SQS
  • Amazon SNS
  • AWS Secrets Manager
  • AWS Systems Manager
  • Amazon DynamoDB
  • Amazon OpenSearch
  • CloudWatch
  • AWS KMS

Many beginners hardcode AWS Access Keys inside application.yml or application.properties:

accessKey=AKIAxxxxxxxx
secretKey=xxxxxxxxxxxxxxxx

This is one of the biggest security mistakes.

AWS recommends using IAM Roles instead of storing credentials.

In this article, we will learn how Spring Boot applications securely access AWS services using IAM Roles and Policies.


Learning Objectives

After completing this article, you will understand:

  • What is IAM?
  • IAM Users
  • IAM Groups
  • IAM Roles
  • IAM Policies
  • Identity Policies
  • Resource Policies
  • Least Privilege Principle
  • STS Temporary Credentials
  • EC2 Instance Profile
  • ECS Task Role
  • EKS IAM Roles for Service Accounts (IRSA)
  • Spring Boot Integration
  • Production Best Practices

What is IAM?

IAM stands for Identity and Access Management.

IAM controls:

  • Who can access AWS
  • What resources they can access
  • Which actions they can perform
  • When access is allowed

Why IAM?

Without IAM:

  • Anyone with credentials can access resources.
  • Applications may receive unnecessary permissions.
  • Credentials may be leaked.

With IAM:

  • Fine-grained permissions
  • Temporary credentials
  • Better auditing
  • Improved security

IAM Architecture

flowchart LR
    User --> IAM
    IAM --> AWSService

Enterprise Architecture

flowchart TD
    Developer --> GitHub
    GitHub --> SpringBoot
    SpringBoot --> IAMRole
    IAMRole --> AWSServices

IAM Components

Component         Purpose
User              Human identity
Group             Collection of users
Role              Temporary identity
Policy            Permission document
STS               Temporary credentials
Instance Profile  IAM Role for EC2

IAM User

Represents a person.

Example:

venu-admin

A user may have:

  • Password
  • Access Keys
  • MFA

IAM Users are generally not used directly by applications running on AWS.


IAM Group

Groups simplify permission management.

Example:

Developers

Admins

DevOps

Assign policies to the group instead of each user.


IAM Role

IAM Roles are temporary identities assumed by AWS services.

Examples:

  • EC2
  • ECS
  • EKS
  • Lambda
  • CodeBuild

A role has no long-term credentials.


IAM Role Architecture

flowchart LR
    SpringBoot --> IAMRole
    IAMRole --> SecretsManager

Why Roles Instead of Access Keys?

❌ Bad Practice

Spring Boot → Access Key → AWS

Problems:

  • Hardcoded credentials
  • Secret rotation
  • Credential leakage
  • Compliance issues

✅ Best Practice

Spring Boot → IAM Role → Temporary Credentials → AWS

IAM Policy

Policies define permissions.

Example:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::codewithvenu-assets/*"
    }
  ]
}

Policy Structure

Every policy contains:

  • Version
  • Statement
  • Effect
  • Action
  • Resource
  • Condition (Optional)

Effect

Possible values:

Allow

Deny

Action

Examples:

s3:GetObject

sqs:SendMessage

sns:Publish

dynamodb:GetItem

Resource

Examples:

arn:aws:s3:::codewithvenu-assets/*

or

arn:aws:sqs:us-east-1:123456789012:orders

Least Privilege Principle

Always grant the minimum permissions required.

Example

Instead of:

s3:*

Grant only:

s3:GetObject

s3:PutObject

Managed Policies

AWS provides predefined policies.

Examples:

  • AmazonS3ReadOnlyAccess
  • AmazonSQSFullAccess
  • CloudWatchReadOnlyAccess

Useful for learning.


Customer Managed Policies

Recommended for production.

Benefits:

  • Fine-grained control
  • Reusable
  • Versioned
  • Least privilege

IAM Evaluation Flow

flowchart TD
    Request --> IAMPolicy
    IAMPolicy --> Allow
    IAMPolicy --> Deny
    Allow --> AWSService

Explicit Deny always overrides Allow.
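To make the Allow/Deny flow and the least-privilege comparison concrete, here is an added Java example (not code from the original article) that simulates the core of how IAM evaluates identity-based policies: statements with Effect, Action and Resource patterns, wildcard matching, a matching explicit Deny overriding any Allow, and an implicit deny when no statement matches. It contrasts the least-privilege s3:GetObject/s3:PutObject policy on the codewithvenu-assets bucket with an over-broad s3:* policy. The Statement record, the Decision values and the sample object ARNs are this example's own constructions; real IAM also evaluates Condition blocks, resource policies, permission boundaries and SCPs, which this simulation deliberately leaves out.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: a toy simulation of IAM identity-policy evaluation.
 * Models only Effect / Action / Resource with '*' wildcards and the rule
 * "explicit Deny beats Allow, and no match means implicit Deny".
 */
public class IamPolicySimulator {

    public enum Effect { ALLOW, DENY }

    /** One policy statement: Effect plus Action and Resource patterns (with * wildcards). */
    public record Statement(Effect effect, List<String> actions, List<String> resources) {}

    /** Outcome of evaluating all attached statements for one request. */
    public enum Decision { ALLOWED, IMPLICIT_DENY, EXPLICIT_DENY }

    /** Wildcard match where '*' matches any run of characters, like IAM Action/Resource patterns. */
    static boolean wildcardMatch(String pattern, String value) {
        String regex = "\\Q" + pattern.replace("*", "\\E.*\\Q") + "\\E";
        return value.matches(regex);
    }

    static boolean statementMatches(Statement s, String action, String resource) {
        boolean actionHit = s.actions().stream().anyMatch(a -> wildcardMatch(a, action));
        boolean resourceHit = s.resources().stream().anyMatch(r -> wildcardMatch(r, resource));
        return actionHit && resourceHit;
    }

    /** Any matching Deny wins; otherwise a matching Allow wins; otherwise implicit deny. */
    public static Decision evaluate(List<Statement> policy, String action, String resource) {
        boolean allowed = false;
        for (Statement s : policy) {
            if (!statementMatches(s, action, resource)) continue;
            if (s.effect() == Effect.DENY) return Decision.EXPLICIT_DENY;
            allowed = true;
        }
        return allowed ? Decision.ALLOWED : Decision.IMPLICIT_DENY;
    }

    public static void main(String[] args) {
        // Least-privilege policy: the service only reads and writes objects in its own assets bucket.
        List<Statement> leastPrivilege = List.of(
            new Statement(Effect.ALLOW,
                List.of("s3:GetObject", "s3:PutObject"),
                List.of("arn:aws:s3:::codewithvenu-assets/*")),
            // Guard rail: an explicit Deny on deleting the bucket survives any broader Allow added later.
            new Statement(Effect.DENY,
                List.of("s3:DeleteBucket"),
                List.of("arn:aws:s3:::codewithvenu-assets"))
        );

        // Over-broad policy that beginners often attach: every S3 action on every bucket.
        List<Statement> overBroad = List.of(
            new Statement(Effect.ALLOW, List.of("s3:*"), List.of("*")));

        // Constructed sample ARNs for the demonstration.
        String assetsObject = "arn:aws:s3:::codewithvenu-assets/images/logo.png";
        String otherObject = "arn:aws:s3:::some-other-bucket/secret.txt";

        // Covered action on the covered bucket.
        System.out.println("GetObject on own bucket:   " + evaluate(leastPrivilege, "s3:GetObject", assetsObject));
        // Same action on a bucket the policy never mentions: nothing matches, so implicit deny.
        System.out.println("GetObject on other bucket: " + evaluate(leastPrivilege, "s3:GetObject", otherObject));
        // Action the policy never grants on the covered bucket.
        System.out.println("DeleteObject on own bucket: " + evaluate(leastPrivilege, "s3:DeleteObject", assetsObject));
        // The over-broad policy allows destructive actions everywhere.
        System.out.println("DeleteObject via s3:*:     " + evaluate(overBroad, "s3:DeleteObject", otherObject));

        // Explicit Deny overrides Allow even when another statement grants the action.
        List<Statement> combined = new ArrayList<>(overBroad);
        combined.addAll(leastPrivilege);
        System.out.println("DeleteBucket with s3:* plus explicit Deny: "
                + evaluate(combined, "s3:DeleteBucket", "arn:aws:s3:::codewithvenu-assets"));
    }
}
```

The combined policy at the end is the case the sentence above describes: s3:* would allow s3:DeleteBucket, but the explicit Deny statement wins regardless of statement order. Running a policy through a simulation like this before attaching it is a cheap way to catch an over-broad Action or Resource; for real policies, IAM Access Analyzer and the IAM policy simulator do the same job against the full evaluation logic.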


STS (Security Token Service)

STS issues temporary credentials.

Benefits:

  • Automatically rotated
  • Short-lived
  • More secure than access keys

Applications receive:

  • Access Key
  • Secret Key
  • Session Token

All temporary.


EC2 Instance Profile

Attach an IAM Role to an EC2 instance.

flowchart LR
    EC2 --> InstanceProfile
    InstanceProfile --> IAMRole
    IAMRole --> AWS

Spring Boot automatically receives credentials.

No configuration required.


ECS Task Role

For containerized applications.

ECS Task → Task Role → AWS Services

Each ECS Task can have its own IAM Role.


EKS IAM Roles for Service Accounts (IRSA)

Kubernetes applications should use IRSA.

Pod → Service Account → IAM Role → AWS

Avoids sharing node credentials.


Lambda Execution Role

Every Lambda function should have its own IAM Role.

Example permissions:

  • Read Secrets
  • Publish SNS
  • Read S3

Spring Boot AWS SDK

Dependency

<dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>s3</artifactId>
</dependency>

Credentials Provider

Use the default provider chain.

S3Client client = S3Client.builder()
        .build();

Do not specify Access Keys.

AWS automatically retrieves temporary credentials from the attached IAM Role.


Credential Provider Chain

Order:

  1. Environment Variables
  2. AWS Profile
  3. EC2 Instance Profile
  4. ECS Task Role
  5. EKS IRSA

The SDK automatically selects the appropriate source.
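The two sections above put together as an added Java example (not code from the original article): a Spring @Configuration that builds the S3 and Secrets Manager clients on one shared DefaultCredentialsProvider and, at startup, checks that the credentials the chain resolved are temporary session credentials (what an IAM Role yields through STS) rather than static access keys picked up from the environment or a profile. It assumes the secretsmanager SDK artifact is on the classpath alongside s3, and the hard-coded us-east-1 region is a placeholder for whatever region your resources live in. One caveat on the order listed above: in the AWS SDK for Java v2 documentation the default chain consults the web identity token (IRSA) and container (ECS) providers before the EC2 instance profile provider, so on ECS or EKS the task or pod role takes precedence over the node's instance profile.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;

/**
 * Added example: AWS SDK v2 clients wired through the default credential chain.
 * No access key or secret key appears anywhere in application code or configuration.
 */
@Configuration
public class AwsClientConfig {

    private static final Logger log = LoggerFactory.getLogger(AwsClientConfig.class);

    // Assumption: a single region for all clients; replace with your own.
    private static final Region REGION = Region.US_EAST_1;

    /** One shared provider: the SDK walks its default chain (env vars, profile, IRSA, ECS, EC2 ...). */
    @Bean
    public AwsCredentialsProvider awsCredentialsProvider() {
        DefaultCredentialsProvider provider = DefaultCredentialsProvider.create();
        warnIfLongTermKeys(provider);
        return provider;
    }

    @Bean
    public S3Client s3Client(AwsCredentialsProvider provider) {
        return S3Client.builder()
                .region(REGION)
                .credentialsProvider(provider)
                .build();
    }

    @Bean
    public SecretsManagerClient secretsManagerClient(AwsCredentialsProvider provider) {
        return SecretsManagerClient.builder()
                .region(REGION)
                .credentialsProvider(provider)
                .build();
    }

    /**
     * Role-based credentials from STS are session credentials (they carry a session token).
     * Plain AwsCredentials without a token means static access keys were resolved, which is
     * what this article advises against for deployed environments.
     */
    static void warnIfLongTermKeys(AwsCredentialsProvider provider) {
        AwsCredentials creds = provider.resolveCredentials();
        if (creds instanceof AwsSessionCredentials) {
            log.info("Resolved temporary session credentials (role-based)");
        } else {
            // Log only a short prefix of the key id: enough to identify it, never the secret.
            String keyId = creds.accessKeyId();
            log.warn("Resolved long-term access key {}...: expected an IAM Role in production",
                    keyId.substring(0, Math.min(4, keyId.length())));
        }
    }
}
```

Because the provider is a bean, a test profile can override it with static test credentials without touching the client beans, while production keeps the chain. The warning is intentionally a log line rather than a startup failure so that local development against a named profile still works; in a production profile it is reasonable to turn it into an exception.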


Spring Boot Architecture

flowchart TD
    Browser --> ALB
    ALB --> SpringBoot
    SpringBoot --> IAMRole
    IAMRole --> SecretsManager
    IAMRole --> S3

Common IAM Permissions

AWS Service      Permission
S3               GetObject, PutObject
Secrets Manager  GetSecretValue
SQS              SendMessage, ReceiveMessage
SNS              Publish
DynamoDB         GetItem, PutItem
CloudWatch       PutMetricData

Monitoring

Monitor IAM using:

  • AWS CloudTrail
  • IAM Access Analyzer
  • AWS Config
  • CloudWatch

Audit:

  • Login attempts
  • Policy changes
  • Role assumptions

Common Errors

Access Denied

Cause: Missing IAM permission.

Solution: Grant the required action.


Invalid Credentials

Cause: Hardcoded or expired credentials.

Solution: Use IAM Roles.


Role Not Attached

Verify the EC2 Instance Profile, the ECS Task Role, or the IRSA configuration, depending on where the application runs.
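A startup diagnostic that answers both the "Access Denied" and the "Role Not Attached" questions, added here as an example that is not part of the original article: it calls sts:GetCallerIdentity (which needs no IAM permission, so it works even with an empty policy) to log which identity the application is really running as, and then probes the one S3 action the least-privilege policy is supposed to grant. It assumes an StsClient bean built the same way as the S3Client (the sts SDK artifact on the classpath), and the object key is a constructed placeholder; HeadObject needs s3:GetObject, which matches the permission table above.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.stereotype.Component;
import software.amazon.awssdk.awscore.exception.AwsServiceException;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.HeadObjectRequest;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

/**
 * Added example: logs the effective identity and probes the required S3 permission at startup,
 * so a misconfigured role is visible in the logs instead of surfacing as a 403 on the first request.
 */
@Component
public class IamStartupCheck implements ApplicationRunner {

    private static final Logger log = LoggerFactory.getLogger(IamStartupCheck.class);

    // Bucket name from the article's policy example; the key is a constructed placeholder.
    private static final String BUCKET = "codewithvenu-assets";
    private static final String PROBE_KEY = "healthcheck/probe.txt";

    private final StsClient sts;
    private final S3Client s3;

    public IamStartupCheck(StsClient sts, S3Client s3) {
        this.sts = sts;
        this.s3 = s3;
    }

    @Override
    public void run(ApplicationArguments args) {
        GetCallerIdentityResponse me = sts.getCallerIdentity();
        log.info("Running as {} in account {}", me.arn(), me.account());

        // Instance profiles, ECS task roles and IRSA all show up as an assumed-role ARN.
        // A user ARN here means static access keys were picked up somewhere in the chain.
        if (!me.arn().contains(":assumed-role/")) {
            log.warn("Identity is not an assumed role: verify instance profile, task role or IRSA");
        }

        try {
            s3.headObject(HeadObjectRequest.builder().bucket(BUCKET).key(PROBE_KEY).build());
            log.info("s3:GetObject on {}/{} works with the current role", BUCKET, PROBE_KEY);
        } catch (AwsServiceException e) {
            String code = e.awsErrorDetails() == null ? "unknown" : e.awsErrorDetails().errorCode();
            if (e.statusCode() == 403) {
                // The fix is on the policy side: the role ARN in the log is the one that needs the action.
                log.error("Access denied ({}) for s3:GetObject on {}: grant it to {}", code, BUCKET, me.arn());
            } else if (e.statusCode() == 404) {
                log.info("Permission granted but probe object {} does not exist", PROBE_KEY);
            } else {
                log.error("AWS call failed: {} (HTTP {})", code, e.statusCode());
            }
        }
    }
}
```

The ARN logged on startup is also the value to search for in CloudTrail when tracing AccessDenied events back to a role, which ties this check to the Monitoring section above.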


Production Architecture

flowchart TD
    Users --> CloudFront
    CloudFront --> AWSWAF
    AWSWAF --> ALB
    ALB --> SpringBoot
    SpringBoot --> IAMRole
    IAMRole --> SecretsManager
    IAMRole --> SQS
    IAMRole --> SNS
    IAMRole --> S3
    SpringBoot --> CloudWatch

Best Practices

  • Never hardcode AWS Access Keys
  • Always use IAM Roles
  • Follow the Least Privilege Principle
  • Use Customer Managed Policies
  • Enable MFA for administrators
  • Rotate credentials automatically
  • Enable CloudTrail
  • Review unused permissions regularly
  • Use IAM Access Analyzer
  • Use STS temporary credentials
  • Separate development and production roles
  • Audit IAM policies periodically

Developer Checklist

Before deploying Spring Boot:

  • IAM Role created
  • Least privilege policy attached
  • EC2 Instance Profile configured
  • ECS Task Role configured (if using ECS)
  • IRSA configured (if using EKS)
  • CloudTrail enabled
  • Access Analyzer enabled
  • No hardcoded credentials
  • AWS SDK DefaultCredentialsProvider used
  • Required permissions tested

Interview Questions

What is IAM?

IAM is AWS Identity and Access Management, used to securely control authentication and authorization for AWS resources.


Difference between IAM User and IAM Role?

IAM User              IAM Role
Long-term identity    Temporary identity
Access keys/password  Temporary credentials
Human users           AWS services & applications

Why should Spring Boot applications use IAM Roles?

IAM Roles eliminate hardcoded credentials, automatically rotate temporary credentials, and follow AWS security best practices.


What is the Principle of Least Privilege?

Grant only the minimum permissions required to perform a task.


What is STS?

AWS Security Token Service issues temporary security credentials that are safer than permanent access keys.


What is an Instance Profile?

An Instance Profile is a container that allows an IAM Role to be attached to an EC2 instance.


What is IRSA?

IAM Roles for Service Accounts (IRSA) allow Kubernetes Pods running on Amazon EKS to securely access AWS services without sharing node credentials.


Summary

In this article, we explored IAM Roles and Policies for Spring Boot applications.

We covered:

  • IAM fundamentals
  • Users
  • Groups
  • Roles
  • Policies
  • Least privilege
  • STS
  • EC2 Instance Profiles
  • ECS Task Roles
  • EKS IRSA
  • AWS SDK integration
  • Security best practices
  • Production architecture

Using IAM Roles instead of hardcoded credentials is one of the most important AWS security best practices. Combined with STS, CloudTrail, and least privilege policies, IAM provides a secure foundation for enterprise Spring Boot applications.

