[
https://issues.apache.org/jira/browse/HADOOP-13389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15385333#comment-15385333
]
Chris Nauroth commented on HADOOP-13389:
----------------------------------------
[~slider], thank you for the further details. I think I understand now. It
sounds like you are trying to run the S3A test suite without an AWS access key
ID and secret access key, instead relying on instance profile credentials
provided in an EC2 VM.
The simplest immediate workaround for you is likely to set the following in
your auth-keys.xml file:
{code}
<property>
<name>test.fs.s3a.sts.enabled</name>
<value>false</value>
</property>
{code}
However, I also agree that if the instance profile credentials are never
suitable for this test case, then we would do well to remove
{{InstanceProfileCredentialsProvider}} from the test and add explicit detection
to {{skip}} if there is no access key ID and secret access key.
{{S3AUtils#getAWSAccessKeys}} and {{S3xLoginHelper}} class are likely to be
helpful for that logic.
> TestS3ATemporaryCredentials.testSTS error
> -----------------------------------------
>
> Key: HADOOP-13389
> URL: https://issues.apache.org/jira/browse/HADOOP-13389
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/s3
> Reporter: Steven K. Wong
>
> {{org.apache.hadoop.fs.s3a.TestS3ATemporaryCredentials.testSTS}} throws a 403
> AccessDenied when run without any AWS credentials (access key and secret key)
> in the config.
> {noformat}
> com.amazonaws.AmazonServiceException: Cannot call GetSessionToken with
> session credentials (Service: AWSSecurityTokenService; Status Code: 403;
> Error Code: AccessDenied; Request ID: XXXXX)
> at
> com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1182)
> at
> com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:770)
> at
> com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:489)
> at
> com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:310)
> at
> com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1106)
> at
> com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.getSessionToken(AWSSecurityTokenServiceClient.java:355)
> at
> org.apache.hadoop.fs.s3a.TestS3ATemporaryCredentials.testSTS(TestS3ATemporaryCredentials.java:105)
> {noformat}
> It fails because the InstanceProfileCredentialsProvider in the credentials
> chain (on line 91) is used, but an instance profile always provides a
> temporary credential and GetSessionToken requires a long-term (not temporary)
> credential.
> Suggestion on how to fix this test case?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
