diff --git a/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSCredentialsUtils.java b/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSCredentialsUtils.java
index 6e93d4a4c4d..10843e8de08 100644
--- a/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSCredentialsUtils.java
+++ b/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSCredentialsUtils.java
@@ -24,6 +24,7 @@ import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
+import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
public class AWSCredentialsUtils
@@ -35,6 +36,7 @@ public class AWSCredentialsUtils
new LazyFileSessionCredentialsProvider(config),
new EnvironmentVariableCredentialsProvider(),
new SystemPropertiesCredentialsProvider(),
+ WebIdentityTokenCredentialsProvider.create(),
new ProfileCredentialsProvider(),
new EC2ContainerCredentialsProviderWrapper(),
InstanceProfileCredentialsProvider.getInstance());
diff --git a/docs/development/extensions-core/kinesis-ingestion.md b/docs/development/extensions-core/kinesis-ingestion.md
index 36b89e7b81d..620f1f9a5d1 100644
--- a/docs/development/extensions-core/kinesis-ingestion.md
+++ b/docs/development/extensions-core/kinesis-ingestion.md
@@ -236,7 +236,7 @@ To authenticate with AWS, you must provide your AWS access key and AWS secret ke
-Ddruid.kinesis.accessKey=123 -Ddruid.kinesis.secretKey=456
```
The AWS access key ID and secret access key are used for Kinesis API requests. If this is not provided, the service will
-look for credentials set in environment variables, in the default profile configuration file, and from the EC2 instance
+look for credentials set in environment variables, via [Web Identity Token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html), in the default profile configuration file, and from the EC2 instance
profile provider (in this order).
### Getting Supervisor Status Report
diff --git a/extensions-core/s3-extensions/pom.xml b/extensions-core/s3-extensions/pom.xml
index 755728316ad..30c63f672bb 100644
--- a/extensions-core/s3-extensions/pom.xml
+++ b/extensions-core/s3-extensions/pom.xml
@@ -112,6 +112,11 @@
aws-java-sdk-s3
provided
+
+ com.amazonaws
+ aws-java-sdk-sts
+ provided
+
org.apache.druid
diff --git a/licenses.yaml b/licenses.yaml
index 2759bf29618..219256e4fc1 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -151,7 +151,7 @@ name: AWS RDS SDK for Java
license_category: source
module: extensions/druid-aws-rds-extensions
license_name: Apache License version 2.0
-version: 1.11.199
+version: 1.11.884
libraries:
- com.amazonaws: aws-java-sdk-rds
@@ -3583,10 +3583,11 @@ name: AWS SDK for Java
license_category: binary
module: extensions/druid-kinesis-indexing-service
license_name: Apache License version 2.0
-version: 1.11.199
+version: 1.11.884
libraries:
- com.amazonaws: aws-java-sdk-kinesis
- com.amazonaws: aws-java-sdk-sts
+ - com.amazonaws: jmespath-java
---
diff --git a/pom.xml b/pom.xml
index 2101f8394c8..97e5c39b5ea 100644
--- a/pom.xml
+++ b/pom.xml
@@ -110,7 +110,7 @@
2.8.5
3.2.4
2.0.2
- 1.11.199
+ 1.11.884
2.8.0
0.8.5
org/apache/druid/query/TruncatedResponseContextException.class
-
+
+ org/apache/druid/common/aws/AWSCredentials*
+