[
https://issues.apache.org/jira/browse/FLINK-34490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eddie Ramirez updated FLINK-34490:
----------------------------------
Description:
When using AWS credential chaining, `flink-connector-kinesis` does not
correctly follow the chain of credentials.
*Expected Result*
`flink-connector-kinesis` should follow the `source_profile`
for each respective profile in `~/.aws/config` to ultimately determine
credentials.
*Observed Result*
`flink-connector-kinesis` only follows the first matching
`source_profile` specified in `~/.aws/config` and then errors
out because there are no credentials for that profile.
{code:java}
org.apache.flink.kinesis.shaded.com.amazonaws.SdkClientException: Unable to
load credentials into profile [profile intermediate-role]: AWS Access Key ID is
not specified
{code}
*Configuration*
connector config
{code:java}
aws.credentials.provider: PROFILE
aws.credentials.profile.name: flink-access-role
{code}
AWS `~/.aws/config` file
{code:java}
[profile flink-access-role]
role_arn = arn:aws:iam::xxxxxxxxx:role/flink-access-role
source_profile = intermediate-role
[profile intermediate-role]
role_arn = arn:aws:iam::xxxxxxxxx:role/intermediate-role
source_profile = aws-sso-role
[profile aws-sso-role]
sso_session = idc
sso_role_name = xxxxx
sso_account_id = xxxxx
credential_process = aws configure export-credentials --profile=aws-sso-role
[sso-session idc]
sso_start_url = xxxxx
sso_region = xxxxx
sso_registration_scopes = sso:account:access
{code}
> flink-connector-kinesis not correctly supporting credential chaining
> --------------------------------------------------------------------
>
> Key: FLINK-34490
> URL: https://issues.apache.org/jira/browse/FLINK-34490
> Project: Flink
> Issue Type: Bug
> Components: Connectors / Kinesis
> Affects Versions: aws-connector-4.2.0, 1.17.2
> Reporter: Eddie Ramirez
> Priority: Major
> Attachments: Flink Credential Chaining.png
>
>
> When using AWS credential chaining, `flink-connector-kinesis` does
> not correctly follow the chain of credentials.
>
> *Expected Result*
> `flink-connector-kinesis` should follow the
> `source_profile` for each respective profile in
> `~/.aws/config` to ultimately determine credentials.
>
> *Observed Result*
> `flink-connector-kinesis` only follows the first matching
> `source_profile` specified in `~/.aws/config` and then errors
> out because there are no credentials for that profile.
> {code:java}
> org.apache.flink.kinesis.shaded.com.amazonaws.SdkClientException: Unable to
> load credentials into profile [profile intermediate-role]: AWS Access Key ID
> is not specified
> {code}
>
> *Configuration*
> connector config
> {code:java}
> aws.credentials.provider: PROFILE
> aws.credentials.profile.name: flink-access-role
> {code}
>
> AWS `~/.aws/config` file
> {code:java}
> [profile flink-access-role]
> role_arn = arn:aws:iam::xxxxxxxxx:role/flink-access-role
> source_profile = intermediate-role
> [profile intermediate-role]
> role_arn = arn:aws:iam::xxxxxxxxx:role/intermediate-role
> source_profile = aws-sso-role
> [profile aws-sso-role]
> sso_session = idc
> sso_role_name = xxxxx
> sso_account_id = xxxxx
> credential_process = aws configure export-credentials --profile=aws-sso-role
> [sso-session idc]
> sso_start_url = xxxxx
> sso_region = xxxxx
> sso_registration_scopes = sso:account:access
> {code}
>
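The chain walk the report expects, written as an added example (not code from the issue, the connector, or the AWS SDK): it follows `source_profile` hop by hop from the configured profile until it reaches a profile that can produce credentials on its own, and fails on a cycle, an undefined profile, or a dead end. The function names and the `TERMINAL_KEYS` list are assumptions made for this sketch, and the sample config is constructed from the profile layout in the report.

```python
import configparser

# Constructed sample mirroring the profile layout in the report (placeholders kept).
SAMPLE_CONFIG = """\
[profile flink-access-role]
role_arn = arn:aws:iam::xxxxxxxxx:role/flink-access-role
source_profile = intermediate-role
[profile intermediate-role]
role_arn = arn:aws:iam::xxxxxxxxx:role/intermediate-role
source_profile = aws-sso-role
[profile aws-sso-role]
sso_session = idc
credential_process = aws configure export-credentials --profile=aws-sso-role
"""

# Assumed list: keys that let a profile yield credentials without another hop.
TERMINAL_KEYS = ("aws_access_key_id", "credential_process", "sso_session",
                 "sso_start_url", "web_identity_token_file", "credential_source")


def load_profiles(text):
    """Parse ~/.aws/config text into {profile_name: {key: value}}."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        if section == "default" or section.startswith("profile "):
            name = section.removeprefix("profile ").strip()
            profiles[name] = dict(parser[section])
    return profiles


def resolve_chain(profiles, start):
    """Return (profiles visited in order, credential keys found on the last one)."""
    chain, current = [], start
    while True:
        if current in chain:
            raise ValueError("source_profile cycle: " + " -> ".join(chain + [current]))
        if current not in profiles:
            raise KeyError(f"profile [{current}] is not defined")
        chain.append(current)
        section = profiles[current]
        if "role_arn" in section and "source_profile" in section:
            current = section["source_profile"]  # assume-role hop: keep walking
            continue
        found = [k for k in TERMINAL_KEYS if k in section]
        if not found:
            raise ValueError(f"profile [{current}] ends the chain with no credential source")
        return chain, found
```

Stopping after the first hop, as the observed error suggests, would treat `intermediate-role` as the end of the chain even though it holds only `role_arn` and `source_profile`.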