[ https://issues.apache.org/jira/browse/FLINK-4611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15750759#comment-15750759 ]

ASF GitHub Bot commented on FLINK-4611:
---------------------------------------

Github user tzulitai commented on the issue:

    https://github.com/apache/flink/pull/2914
  
    I've tested the `AUTO` config behaviour, and it works as expected in EMR / 
EC2 environments, so the Kinesis API part should be working fine.
    
    Let me summarize the new behaviour after the proposed changes (@tony810430 
please correct me if I've got anything wrong):
    - If no credential provider type is provided, `AUTO` is used.
    - If the user has provided `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID`, 
regardless of the credential provider type provided (i.e. even if it's set to 
`AUTO` / `SYS_PROPS` etc.), the `BASIC` type will be used.
    
    The second behaviour seems a little odd to me; in general, I think the 
`AWS_CREDENTIALS_PROVIDER` setting should have higher precedence.
    
    Also, logic between `validateAwsConfiguration` and 
`AWSUtils.getCredentialsProvider()` seems a bit too "coupled" now with the 
proposed changes. I think we should probably fall back the value of 
`AWS_CREDENTIALS_PROVIDER` for the user in `validateAwsConfiguration`. What I 
have in mind for `validateAwsConfiguration`:
    
    - if the user hasn't set any value for `AWS_CREDENTIALS_PROVIDER`, we set 
it for them - if access key and secret access key exists, set `BASIC`, 
otherwise just use `AUTO` (the default).
    - if the user has a value for `AWS_CREDENTIALS_PROVIDER`, just leave it as 
is.
    
    In `AWS_CREDENTIALS_PROVIDER`, we can then just start off by reading the 
`AWS_CREDENTIALS_PROVIDER` property and instantiate credentials accordingly.
    
    @tony810430 what do you think?


> Make "AUTO" credential provider as default for Kinesis Connector
> ----------------------------------------------------------------
>
>                 Key: FLINK-4611
>                 URL: https://issues.apache.org/jira/browse/FLINK-4611
>             Project: Flink
>          Issue Type: Improvement
>          Components: Kinesis Connector
>            Reporter: Tzu-Li (Gordon) Tai
>            Assignee: Wei-Che Wei
>             Fix For: 1.2.0
>
>
> Right now, the Kinesis Consumer / Producer by default directly expects the 
> access key id and secret access key to be given in the config properties.
> This isn't a good practice for accessing AWS services, and usually Kinesis 
> users would most likely be running their Flink application in AWS instances 
> that have embedded credentials that can be accessed via the default credential 
> provider chain. Therefore, it makes sense to change the default 
> {{AWS_CREDENTIALS_PROVIDER}} to {{AUTO}} instead of {{BASIC}}.
> To avoid breaking user code, we only use directly supplied AWS credentials if 
> both access key and secret key are given through {{AWS_ACCESS_KEY}} and 
> {{AWS_SECRET_KEY}}. Otherwise, the default credential provider chain is used.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
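
The two precedence rules discussed in the comment above, side by side, as an added example that is not code from the pull request or from Flink. The class name, method names and property key strings are assumptions made up for the illustration; only the provider type names `AUTO`, `BASIC` and `SYS_PROPS` come from the thread.

```java
import java.util.Properties;

public class CredentialProviderPrecedence {
    // Placeholder key strings constructed for this example, not the connector's real keys.
    static final String AWS_CREDENTIALS_PROVIDER = "example.aws.credentials.provider";
    static final String AWS_ACCESS_KEY_ID = "example.aws.accesskeyid";
    static final String AWS_SECRET_ACCESS_KEY = "example.aws.secretkey";

    static boolean hasBothKeys(Properties p) {
        return p.containsKey(AWS_ACCESS_KEY_ID) && p.containsKey(AWS_SECRET_ACCESS_KEY);
    }

    // Behaviour the comment summarizes for the proposed changes:
    // if both keys are present, BASIC is used whatever provider type was set.
    static String resolveKeysFirst(Properties p) {
        if (hasBothKeys(p)) return "BASIC";
        return p.getProperty(AWS_CREDENTIALS_PROVIDER, "AUTO");
    }

    // Behaviour the comment suggests instead:
    // an explicit provider type is left as is; a value is filled in only when unset.
    static String resolveExplicitFirst(Properties p) {
        String configured = p.getProperty(AWS_CREDENTIALS_PROVIDER);
        if (configured != null) return configured;
        return hasBothKeys(p) ? "BASIC" : "AUTO";
    }

    // Builds a constructed sample configuration.
    static Properties props(String provider, boolean withKeys) {
        Properties p = new Properties();
        if (provider != null) p.setProperty(AWS_CREDENTIALS_PROVIDER, provider);
        if (withKeys) {
            p.setProperty(AWS_ACCESS_KEY_ID, "EXAMPLE_KEY_ID");      // constructed value
            p.setProperty(AWS_SECRET_ACCESS_KEY, "EXAMPLE_SECRET");  // constructed value
        }
        return p;
    }

    public static void main(String[] args) {
        String[] providers = {null, "AUTO", "SYS_PROPS", "BASIC"};
        System.out.printf("%-10s %-6s %-11s %-14s%n", "provider", "keys", "keys-first", "explicit-first");
        for (String provider : providers) {
            for (boolean withKeys : new boolean[] {false, true}) {
                Properties p = props(provider, withKeys);
                System.out.printf("%-10s %-6s %-11s %-14s%n",
                        provider == null ? "(unset)" : provider, withKeys,
                        resolveKeysFirst(p), resolveExplicitFirst(p));
            }
        }
    }
}
```

The two rules differ only in the rows where a provider type other than `BASIC` is set and both keys are also present: keys-first resolves to `BASIC`, explicit-first keeps the configured type.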
