Open
Description
Expected behavior
- From my client application, I get a valid UserPool session token from the AWS Cognito service (successful)
- I use the session token in my AWS Java 2 SDK client application to download the file from S3
- S3 performs authentication by HTTP header and will allow the download
Actual behavior
The AWS Java 2 SDK still requires AWS IAM user credentials for S3 download authentication.
A Cognito UserPool's user CAN NOT have IAM credentials (for example, a self-signed AWS Amplify web service's user).
A user download using the JavaScript SDK works, but the same for the Java SDK client does not.
My sample code is given below:
    // Constructing customized header configuration
    ClientOverrideConfiguration overrideConfig = ClientOverrideConfiguration.builder()
            .putHeader("Authorization", accessToken)
            .build();
    // Creating an S3 client that is managed by the SDK
    S3AsyncClient s3AsyncClient = S3AsyncClient.builder()
            .httpClientBuilder(AwsCrtAsyncHttpClient.builder()
                    .maxConcurrency(100)
            )
            .region(Region.of(region))
            .overrideConfiguration(overrideConfig)
            .build();
Steps to reproduce
1. Get the AWS Cognito accessToken for the current UserPool's user, then
2. Run the code:
    ClientOverrideConfiguration overrideConfig = ClientOverrideConfiguration.builder()
            .putHeader("Authorization", accessToken)
            .build();
    // Creating an asynchronous S3 client, managed by the SDK
    S3AsyncClient s3AsyncClient = S3AsyncClient.builder()
            .httpClientBuilder(AwsCrtAsyncHttpClient.builder()
                    .maxConcurrency(100)
            )
            .region(Region.of(region))
            .overrideConfiguration(overrideConfig)
            .build();
3. You'll get the error, as the SDK still uses the standard SystemPropertyCredentialsProvider() chain
Logs / stacktrace (if applicable)
2023-07-18 13:16:36,830 DEBUG [sof.ama.aws.cor.int.ExecutionInterceptorChain] (Quarkus Main Thread) Interceptor 'software.amazon.awssdk.services.s3.endpoints.internal.S3EndpointAuthSchemeInterceptor@5f84116c' modified the message with its modifyRequest method.
2023-07-18 13:16:36,837 DEBUG [sof.ama.aws.cor.int.ExecutionInterceptorChain] (Quarkus Main Thread) Interceptor 'software.amazon.awssdk.transfer.s3.internal.ApplyUserAgentInterceptor@59e6df92' modified the message with its modifyRequest method.
2023-07-18 13:16:36,849 DEBUG [sof.ama.aws.aut.cre.AwsCredentialsProviderChain] (Quarkus Main Thread) Unable to load credentials from SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).: software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).
    at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111)
    at software.amazon.awssdk.auth.credentials.internal.SystemSettingsCredentialsProvider.resolveCredentials(SystemSettingsCredentialsProvider.java:58)
    at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:96)
    at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
    at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:128)
    at software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:50)
    at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.resolveCredentials(AwsCredentialsAuthorizationStrategy.java:100)
    at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.addCredentialsToExecutionAttributes(AwsCredentialsAuthorizationStrategy.java:77)
    at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:123)
    at software.amazon.awssdk.awscore.client.handler.AwsAsyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsAsyncClientHandler.java:65)
    at software.amazon.awssdk.core.internal.handler.BaseAsyncClientHandler.lambda$execute$3(BaseAsyncClientHandler.java:118)
    at software.amazon.awssdk.core.internal.handler.BaseAsyncClientHandler.measureApiCallSuccess(BaseAsyncClientHandler.java:291)
    at software.amazon.awssdk.core.internal.handler.BaseAsyncClientHandler.execute(BaseAsyncClientHandler.java:91)
    at software.amazon.awssdk.awscore.client.handler.AwsAsyncClientHandler.execute(AwsAsyncClientHandler.java:59)
    at software.amazon.awssdk.services.s3.DefaultS3AsyncClient.getObject(DefaultS3AsyncClient.java:5078)
    at software.amazon.awssdk.transfer.s3.internal.GenericS3TransferManager.doDownloadFile(GenericS3TransferManager.java:261)
    at software.amazon.awssdk.transfer.s3.internal.GenericS3TransferManager.downloadFile(GenericS3TransferManager.java:243)
Which SDK were you using?
Java (v2)
Which OS were you using?
macOS
SDK version
2.20.74
OS version
macOS Ventura
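
Added example (not part of the original report and not the SDK project's own code): S3 authenticates requests with AWS Signature Version 4 rather than a bearer token in the `Authorization` header, so the SDK always resolves AWS credentials before signing. One way to give a User Pool user such credentials without an IAM user is to exchange the user's ID token for temporary credentials through a Cognito identity pool. Assumptions: an identity pool is linked to the user pool, its authenticated role permits `s3:GetObject` on the object, the `cognitoidentity` SDK module is on the classpath, and every `*_PLACEHOLDER` value and the `COGNITO_ID_TOKEN` variable name are hypothetical.

```java
import java.nio.file.Paths;
import java.util.Map;
import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentity.CognitoIdentityClient;
import software.amazon.awssdk.services.cognitoidentity.model.Credentials;
import software.amazon.awssdk.services.s3.S3AsyncClient;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;

public class CognitoS3Download {
    public static void main(String[] args) {
        // Placeholders (assumptions): replace with your own deployment's values.
        Region region = Region.of("REGION_PLACEHOLDER");
        String userPoolId = "USER_POOL_ID_PLACEHOLDER";
        String identityPoolId = "IDENTITY_POOL_ID_PLACEHOLDER";
        // The identity pool expects the user's ID token (JWT), not the access token.
        String idToken = System.getenv("COGNITO_ID_TOKEN");

        // The logins key is the user pool's provider name.
        Map<String, String> logins = Map.of(
                "cognito-idp." + region.id() + ".amazonaws.com/" + userPoolId, idToken);

        Credentials temp;
        // GetId and GetCredentialsForIdentity are unsigned calls, so anonymous
        // credentials stop the default provider chain from being consulted.
        try (CognitoIdentityClient identity = CognitoIdentityClient.builder()
                .region(region)
                .credentialsProvider(AnonymousCredentialsProvider.create())
                .build()) {
            String identityId = identity.getId(
                    r -> r.identityPoolId(identityPoolId).logins(logins)).identityId();
            temp = identity.getCredentialsForIdentity(
                    r -> r.identityId(identityId).logins(logins)).credentials();
        }

        // Sign S3 requests with the temporary credentials; no Authorization header override.
        try (S3AsyncClient s3 = S3AsyncClient.builder()
                .region(region)
                .credentialsProvider(StaticCredentialsProvider.create(AwsSessionCredentials.create(
                        temp.accessKeyId(), temp.secretKey(), temp.sessionToken())))
                .build()) {
            s3.getObject(GetObjectRequest.builder()
                            .bucket("BUCKET_PLACEHOLDER").key("KEY_PLACEHOLDER").build(),
                    Paths.get("download.bin")).join();
        }
    }
}
```

The temporary credentials expire (see `temp.expiration()`), so a long-running client has to repeat the exchange. Scope the identity pool's authenticated role to the specific bucket prefix each user needs, since every signed-in user receives that role.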