[
https://issues.apache.org/jira/browse/HADOOP-13389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15385122#comment-15385122
]
Steven K. Wong edited comment on HADOOP-13389 at 7/20/16 1:10 AM:
------------------------------------------------------------------
I have auth-keys.xml (that only configures test.fs.s3a.name), because I intend
to run the S3A tests. All S3A tests -- except
TestS3ATemporaryCredentials.testSTS -- succeed for me.
The InstanceProfileCredentialsProvider object on line 93 is unhelpful because
its temporary credential is not compatible with the getSessionToken call on
line 105 (as explained above). Hence, at a minimum I think
InstanceProfileCredentialsProvider should be removed from the credentials chain
in the test case. But that doesn't fix the test case failure. Perhaps testSTS
should explicitly check for the absence of credentials in the config and skip
itself (like what line 83 does)?
was (Author: slider):
I have auth-keys.xml (that only configures test.fs.s3a.name), because I intend
to run the S3A tests. All S3A tests -- except
TestS3ATemporaryCredentials.testSTS -- succeed for me.
The InstanceProfileCredentialsProvider object on line 93 is unhelpful because
its temporary credential is not compatible with the getSessionToken call on
line 105 (as explained above). Hence, at a minimum I think
InstanceProfileCredentialsProvider should be removed from the credentials chain
in the test case. But that doesn't fix the test case failure. Perhaps testSTS
should explicitly check for the absence of credentials in the config and skip
itself?
> TestS3ATemporaryCredentials.testSTS error
> -----------------------------------------
>
> Key: HADOOP-13389
> URL: https://issues.apache.org/jira/browse/HADOOP-13389
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/s3
> Reporter: Steven K. Wong
>
> {{org.apache.hadoop.fs.s3a.TestS3ATemporaryCredentials.testSTS}} throws a 403
> AccessDenied when run without any AWS credentials (access key and secret key)
> in the config.
> {noformat}
> com.amazonaws.AmazonServiceException: Cannot call GetSessionToken with
> session credentials (Service: AWSSecurityTokenService; Status Code: 403;
> Error Code: AccessDenied; Request ID: XXXXX)
> at
> com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1182)
> at
> com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:770)
> at
> com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:489)
> at
> com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:310)
> at
> com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1106)
> at
> com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.getSessionToken(AWSSecurityTokenServiceClient.java:355)
> at
> org.apache.hadoop.fs.s3a.TestS3ATemporaryCredentials.testSTS(TestS3ATemporaryCredentials.java:105)
> {noformat}
> It fails because the InstanceProfileCredentialsProvider in the credentials
> chain (on line 91) is used, but an instance profile always provides a
> temporary credential and GetSessionToken requires a long-term (not temporary)
> credential.
> Suggestion on how to fix this test case?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
