[
https://issues.apache.org/jira/browse/HADOOP-13389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15385122#comment-15385122
]
Steven K. Wong edited comment on HADOOP-13389 at 7/20/16 12:46 AM:
-------------------------------------------------------------------
I have auth-keys.xml (that only configures test.fs.s3a.name), because I intend
to run the S3A tests. All S3A tests -- except
TestS3ATemporaryCredentials.testSTS -- succeed for me.
The InstanceProfileCredentialsProvider object on line 93 is unhelpful because
its temporary credential is not compatible with the getSessionToken call on
line 105 (as explained above). Hence, at a minimum I think
InstanceProfileCredentialsProvider should be removed from the credentials chain
in the test case. But that doesn't fix the test case failure.
was (Author: slider):
I have auth-keys.xml (that only configures test.fs.s3a.name), because I intend
to run the S3A tests. All S3A tests -- except
TestS3ATemporaryCredentials.testSTS -- succeed for me.
The InstanceProfileCredentialsProvider object on line 93 is unhelpful because
its temporary credential is not compatible with the getSessionToken call on
line 105. Hence, at a minimum I think InstanceProfileCredentialsProvider should
be removed from the credentials chain in the test case. But that doesn't fix
the test case failure.
> TestS3ATemporaryCredentials.testSTS error
> -----------------------------------------
>
> Key: HADOOP-13389
> URL: https://issues.apache.org/jira/browse/HADOOP-13389
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/s3
> Reporter: Steven K. Wong
>
> {{org.apache.hadoop.fs.s3a.TestS3ATemporaryCredentials.testSTS}} throws a 403
> AccessDenied when run without any AWS credentials (access key and secret key)
> in the config.
> {noformat}
> com.amazonaws.AmazonServiceException: Cannot call GetSessionToken with
> session credentials (Service: AWSSecurityTokenService; Status Code: 403;
> Error Code: AccessDenied; Request ID: XXXXX)
> at
> com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1182)
> at
> com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:770)
> at
> com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:489)
> at
> com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:310)
> at
> com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1106)
> at
> com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.getSessionToken(AWSSecurityTokenServiceClient.java:355)
> at
> org.apache.hadoop.fs.s3a.TestS3ATemporaryCredentials.testSTS(TestS3ATemporaryCredentials.java:105)
> {noformat}
> It fails because the InstanceProfileCredentialsProvider in the credentials
> chain (on line 91) is used, but an instance profile always provides a
> temporary credential and GetSessionToken requires a long-term (not temporary)
> credential.
> Suggestion on how to fix this test case?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
