AWS S3: Rotated temporary AWS credentials are automatically used by Confluence

Overview

Confluence 8.1 introduced support for storing attachment data in Amazon S3. Confluence makes use of the AWS SDK for Java 2.x for communicating with Amazon S3, as such it needs a means of authenticating with AWS. The SDK will search for credentials in your environment using a predefined sequence, namely:

1. Java system properties
2. Environment variables
3. Web identity token from AWS Security Token Service
4. The shared credentials and config files (~/.aws/credentials)
5. Amazon ECS container credentials
6. Amazon EC2 instance profile credentials

Limitation

If you using options 1,2 or 4 with temporary credentials to authenticate to AWS, then Confluence will need to be restarted every time these credentials are re-issued so that they can be appropriately picked up and used. 

Workaround

Do not use options 1,2 or 4 with temporary credentials to authenticate with AWS. Preferably use option 6 (IAM roles for application access to S3). See the links below for more detail:

• Use IAM roles for applications and AWS services that require Amazon S3 access
• Using an IAM role to grant permissions to applications running on Amazon EC2 instances