[ https://issues.apache.org/jira/browse/FLINK-34490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17820207#comment-17820207 ]

Aleksandr Pilipenko commented on FLINK-34490:
---------------------------------------------

Currently, AWS connectors don't support extracting credentials from 
configuration files.

As described in the [connector documentation:|https://nightlies.apache.org/flink/flink-docs-release-1.18/docs/connectors/datastream/kinesis/#configuring-access-to-kinesis-with-iam]
{quote}PROFILE - Use AWS credentials profile file to create the AWS credentials.
{quote}

> flink-connector-kinesis not correctly supporting credential chaining
> --------------------------------------------------------------------
>
>                 Key: FLINK-34490
>                 URL: https://issues.apache.org/jira/browse/FLINK-34490
>             Project: Flink
>          Issue Type: Bug
>          Components: Connectors / Kinesis
>    Affects Versions: aws-connector-4.2.0, 1.17.2
>            Reporter: Eddie Ramirez
>            Assignee: Aleksandr Pilipenko
>            Priority: Major
>         Attachments: Flink Credential Chaining.png
>
>
> When using AWS credential chaining, `flink-connector-kinesis` does
> not correctly follow the chain of credentials.
>
> *Expected Result*
> `flink-connector-kinesis` should follow the
> `source_profile` for each respective profile in
> `~/.aws/config` to ultimately determine credentials.
>
> *Observed Result*
> `flink-connector-kinesis` only follows the first matching
> `source_profile` specified in `~/.aws/config` and then errors
> out because there are no credentials for that profile.
> {code:java}
> org.apache.flink.kinesis.shaded.com.amazonaws.SdkClientException: Unable to 
> load credentials into profile [profile intermediate-role]: AWS Access Key ID 
> is not specified
> {code}
>  
> *Configuration*
> connector config
> {code:java}
> aws.credentials.provider: PROFILE
> aws.credentials.profile.name: flink-access-role
> {code}
>
> aws `~/.aws/config` file
> {code:java}
> [profile flink-access-role]
> role_arn = arn:aws:iam::xxxxxxxxx:role/flink-access-role
> source_profile = intermediate-role
> [profile intermediate-role]
> role_arn = arn:aws:iam::xxxxxxxxx:role/intermediate-role
> source_profile = aws-sso-role
> [profile aws-sso-role]
> sso_session = idc
> sso_role_name = xxxxx
> sso_account_id = xxxxx
> credential_process = aws configure export-credentials --profile=aws-sso-role
> [sso-session idc]
> sso_start_url = xxxxx
> sso_region = xxxxx
> sso_registration_scopes = sso:account:access
> {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
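
An added example (not part of the Jira thread and not the connector's code): a small Python check that walks the `source_profile` chain of a config like the one in the issue and lists the hops that hold no static access key, the condition the quoted `SdkClientException` names for `intermediate-role`. The sample config is constructed from the issue with placeholder account ids, and all function names are this example's own.

```python
import configparser

# Constructed sample mirroring the issue's ~/.aws/config (account ids are placeholders).
SAMPLE_CONFIG = """
[profile flink-access-role]
role_arn = arn:aws:iam::000000000000:role/flink-access-role
source_profile = intermediate-role
[profile intermediate-role]
role_arn = arn:aws:iam::000000000000:role/intermediate-role
source_profile = aws-sso-role
[profile aws-sso-role]
sso_session = idc
credential_process = aws configure export-credentials --profile=aws-sso-role
"""

def load_profiles(text):
    """Return {profile name: settings} from ~/.aws/config style text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        if section.startswith("profile "):
            profiles[section[len("profile "):].strip()] = dict(parser[section])
        elif section == "default":
            profiles[section] = dict(parser[section])
    return profiles

def terminal_source(settings):
    """Name the mechanisms present on a profile that has no source_profile."""
    kinds = {"aws_access_key_id": "static", "credential_process": "process", "sso_session": "sso"}
    return sorted(kind for key, kind in kinds.items() if key in settings)

def resolve_chain(profiles, name):
    """Follow source_profile links to the end; return (chain, terminal mechanisms)."""
    chain = []
    while True:
        if name in chain:
            raise ValueError(f"source_profile loop at {name!r}")
        if name not in profiles:
            raise KeyError(f"profile {name!r} is not defined")
        chain.append(name)
        settings = profiles[name]
        if "source_profile" not in settings:
            return chain, terminal_source(settings)
        name = settings["source_profile"]

def hops_without_static_keys(profiles, chain):
    """Source profiles (every hop after the first) that hold no access key of their own."""
    return [p for p in chain[1:] if "aws_access_key_id" not in profiles[p]]
```

For the sample, the chain ends at `aws-sso-role`, which offers only process and SSO mechanisms, so any resolver that requires an access key at the first source profile stops at `intermediate-role`.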
