Skip to content

aws/token-generator-for-aws-external-anthropic-java

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Token Generator for AWS External Anthropic (Java)

A lightweight utility library that generates short-term bearer tokens for AWS External Anthropic API authentication using SigV4 presigned URLs.

Installation

Maven

<dependency>
    <groupId>software.amazon.awsexternalanthropic</groupId>
    <artifactId>token-generator-for-aws-external-anthropic</artifactId>
    <version>1.0.0</version>
</dependency>

Gradle

implementation 'software.amazon.awsexternalanthropic:token-generator-for-aws-external-anthropic:1.0.0'

Quick Start

Token duration can be customized (1 second to 12 hours). The actual token lifetime will be: min(specified duration, credentials expiry, 12 hours). Default is 12 hours.

Usage 1 — Using Default Credentials and Region

Credentials and region are resolved from the default provider chains.

import software.amazon.awsexternalanthropic.token.TokenGenerator;

TokenGenerator generator = TokenGenerator.create();
String token = generator.getToken();

Usage 2 — Using Custom Configuration

This example uses STS Assume Role. You can use any supported credentials provider.

import software.amazon.awsexternalanthropic.token.TokenGenerator;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.regions.Region;

import java.time.Duration;

AwsCredentialsProvider assumeRoleProvider = StsAssumeRoleCredentialsProvider.builder()
        .refreshRequest(AssumeRoleRequest.builder()
                .roleArn("arn:aws:iam::123456789012:role/MyRole")
                .roleSessionName("token-session")
                .durationSeconds(3600)
                .build())
        .build();

TokenGenerator generator = TokenGenerator.builder()
        .region(Region.US_EAST_1)
        .credentialsProvider(assumeRoleProvider)
        .expiry(Duration.ofHours(1))
        .build();

String token = generator.getToken();

Usage 3 — Using Static One-Shot

Pass credentials, region, and expiry directly. No instance needed.

import software.amazon.awsexternalanthropic.token.TokenGenerator;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;

import java.time.Duration;

String token = TokenGenerator.getToken(
        DefaultCredentialsProvider.create().resolveCredentials(),
        Region.US_WEST_2,
        Duration.ofHours(6));

Token Format

The generated token has the format:

aws-external-anthropic-api-key-<base64-encoded-payload>

The payload is a Base64-encoded SigV4 presigned URL scoped to the aws-external-anthropic service. The token can be decoded for debugging purposes but should be treated as an opaque string in production.

Requirements

  • Java 8+
  • AWS SDK for Java v2 (2.25.28+)

Security Considerations

  • Token Expiration: Tokens are short-lived with a maximum lifetime of 12 hours. The actual expiry is min(specified duration, credentials expiry, 12 hours). Use the shortest practical duration for your use case.
  • Secure Storage: Do not log or store tokens in plain text. Treat them as sensitive credentials.
  • No Embedded Credentials: No long-term credentials are embedded in the token. The token contains a SigV4 presigned URL, not the signing keys themselves.
  • Credential Management: Use IAM roles or temporary credentials instead of long-term access keys where possible.
  • Network Security: Always transmit tokens over HTTPS.
  • Least Privilege: Scope IAM permissions to the minimum required for your use case.
  • Region Scoping: Tokens are scoped to a specific AWS region and cannot be used across regions.

Building from Source

git clone https://github.com/aws/token-generator-for-aws-external-anthropic-java.git
cd token-generator-for-aws-external-anthropic-java

# Build
mvn clean compile

# Run tests
mvn test

# Create JAR
mvn package -Dgpg.skip=true

Contributing

See CONTRIBUTING for more information.

Development Setup

  1. Prerequisites: Java 8+, Maven 3.6+
  2. Clone: git clone https://github.com/aws/token-generator-for-aws-external-anthropic-java.git
  3. Build: mvn clean compile
  4. Test: mvn test

License

This project is licensed under the Apache License, Version 2.0. See the LICENSE file for details.

Changelog

See CHANGELOG for release history.

About

No description, website, or topics provided.

Resources

License

Code of conduct

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages