[
https://issues.apache.org/jira/browse/NIFI-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14949828#comment-14949828
]
Michael Kobit commented on NIFI-786:
------------------------------------
[~markap14] Hey Mark, my initial idea was that the ControllerService}} would
return an
[AWSCredentialsProvider|http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/AWSCredentialsProvider.html]
not an
[|http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/AWSCredentials.html].
The {{*Provider}} can be used for supplying credentials that don't change, the
static access and secret key use case now, but also allows for complicated
implementations, like the ones that integrate with key management systems (like
via [STS|http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html]). I
am fairly certain it is supported by all of the SDK vended
{{Amazon*ServiceClient}}
For the use case of typing them in the UI, it would be supported by the, what I
called above, {{StaticAwsCredentialsProviderService}} {{ControllerService}}.
Users would type in the access/secret keys like they can do now, although they
would have to set it up at the controller service level rather than at a
processor level. This way it could also be reused across multiple AWS
processors.
For the properties file use case, it would be supported by the, what I called
above, {{PropertiesFileAwsCredentialsProviderService}} {{ControllerService}}.
This implementation I would see using the AWS SDK
[PropertiesFileCredentialsProvider|http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/PropertiesFileCredentialsProvider.html].
It covers the file based use case, but it also (currently) allows for
credential rotation in the file since it gets loaded every time.
One of the main use cases I was thinking of is when running on AWS and you are
["Using IAM Roles to Grant Access to AWS Resources on Amazon
EC2"|http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-roles.html].
Basically distributing the credentials to the EC2 instances themselves rather
than managing them in your application. The keys are temporary and AWS
automatically rotates them, so using the AWS Java SDK
{{AWSCredentialsProvider}} implementation is preferred.
A couple other possible use cases that could be supported fairly easily:
1. environment variables
2. Java system properties
And then there is the option of allowing consumers to define their own
{{ControllerService}} for retrieving credentials.
> Add other supporting options for configuring credentials for AWS processors
> ---------------------------------------------------------------------------
>
> Key: NIFI-786
> URL: https://issues.apache.org/jira/browse/NIFI-786
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 0.3.0
> Reporter: Michael Kobit
> Priority: Minor
>
> I was looking at https://issues.apache.org/jira/browse/NIFI-770 and looked at
> how the AWS processors credentials are currently configured. As a NFM you
> have a few options with the properties right now:
> 1) set basic, static credentials
> 2) set a credentials properties filepath
> 3) set neither, use anonymous credentials
> I think it would be better if each AWS could rely on a ControllerService that
> returns `AWSCredentialsProvider` (instead of `AWSCredentials`) that gives
> all of the possible implementations that could be used, rather than relying
> on a static credentials. *Provider implementations can be refreshed and can
> also other more complicated implementations, but already have built in
> support for the Static and Properties file that are provided by NiFi today.
> My thinking is that the controller service would be something like
> public interface AwsCredentialsProviderService extends ControllerService {
> AWSCredentialsProvider getCredentialsProvider();
> }
> and you could have `StaticAwsCredentialsProviderService`,
> `PropertiesFileAwsCredentialsProviderService`, and
> `AnonymousAwsCredentialsProviderService` to provide the functionality that is
> supported right now. Additional credential providers could be added later, as
> there a bunch more AWS provided versions that I think could fit in well.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
