[jira] [Commented] (HADOOP-16806) AWS AssumedRoleCredentialProvider needs ExternalId add

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-16806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583748#comment-17583748
 ] 

ASF GitHub Bot commented on HADOOP-16806:
-----------------------------------------

dannycjones commented on PR #4753:
URL: https://github.com/apache/hadoop/pull/4753#issuecomment-1224331509

   Unfortunately, the errors can be a bit vague for S3 HeadObject (used by 
getFileStatus). There was a similar issue when the credentials had expired in 
HADOOP-18353.
   
   ```
   ...
   Authorization: AWS4-HMAC-SHA256 
Credential=<redacted>/20220823/us-east-1/s3/aws4_request
   ...
   ```
   
   The signature is signed for us-east-1, but the `landsat-pds` bucket is in 
us-west-2. Do you have `fs.s3a.endpoint.region` set? If so, try adding the 
following to your _auth-keys.xml_:
   
   ```
   <property>
     <name>fs.s3a.bucket.landsat-pds.endpoint.region</name>
     <value>us-west-2</value>
   </property> 
   ```




> AWS AssumedRoleCredentialProvider needs ExternalId add
> ------------------------------------------------------
>
>                 Key: HADOOP-16806
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16806
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.2.1
>            Reporter: Jon Hartlaub
>            Priority: Minor
>              Labels: pull-request-available
>
> AWS has added a security feature to the assume-role function in the form of 
> the "ExternalId" key in the AWS Java SDK 
> {{STSAssumeRoleSessionCredentialsProvider.Builder}} class.  To support this 
> security feature, the hadoop aws {{AssumedRoleCredentialProvider}} needs a 
> patch to include this value from the configuration as well as an added 
> Constant to the {{org.apache.hadoop.fs.s3a.Constants}} file.
> The ExternalId is not a required security feature, it is an augmentation of 
> the current assume role configuration. 
> Proposed: 
>  * Get the assume-role ExternalId token from the configuration for the 
> configuration key {{fs.s3a.assumed.role.externalid}}
>  * Use the configured ExternalId value in the 
> {{STSAssumeRoleSessionCredentialsProvider.Builder}}   
> e.g.
> {{if (StringUtils.isNotEmpty(externalId)) {}}
>  {{    builder.withExternalId(externalId); // include the token for 
> cross-account assume role}}
>  {{}}}
>  Tests:
>  * +Unit test+ which verifies the ExternalId state value of the 
> {{AssumedRoleCredentialProvider}} is consistent with the configured value - 
> either empty or populated
>  * Question: not sure about how to write the +integration test+ for this 
> feature.  We have an account configured for this use-case that verifies this 
> feature but I don't have much context on the Hadoop project AWS S3 
> integration tests, perhaps a pointer could help.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org