polyzos commented on PR #1245: URL: https://github.com/apache/fluss/pull/1245#issuecomment-3589949789
There might be more, but for me it boils down to two things... Currently when configuring Fluss tiering to work with minio there is this exception: ``` org.apache.fluss.exception.SecurityTokenException: Failed to get file access security token: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: c3cb1c0c-57fc-4386-87ac-436622b40f21; Proxy: null) taskmanager-1 | 2025-11-27 07:08:05,066 WARN org.apache.fluss.client.token.DefaultSecurityTokenManager [] - Failed to update tokens, will try again in 3600000 ms taskmanager-1 | org.apache.fluss.exception.FlussRuntimeException: org.apache.fluss.exception.SecurityTokenException: Failed to get file access security token: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: c3cb1c0c-57fc-4386-87ac-436622b40f21; Proxy: null) taskmanager-1 ``` So my understanding is that when you run against MinIO, you typically use static S3 credentials and a custom endpoint. That works fine with Hadoop S3A if you set the right configs. Fluss’s `DefaultSecurityTokenManager` still tries to obtain file-access tokens from the server. Those tokens are AWS STS–based. If your environment isn’t wired to AWS STS (as with local MinIO), calls fail. In the S3 filesystem plugin (S3FileSystemPlugin#setCredentialProvider), if `fs.s3a.access.key` is present, Fluss does NOT inject the STS-based credential provider. That part is good. However, the client still creates and starts DefaultSecurityTokenManager when the remote file downloader is used `FlussConnection#getOrCreateRemoteFileDownloader`, which forces the token flow and can fail before you even touch S3.. So I think @michaelkoepf solution should work.. If someone has time to try out different scenarios and see the behavior with some stronger understanding than me, it would be amazing. **The second** thing to test and figure out is this: https://github.com/apache/fluss/discussions/1911#discussioncomment-15043102 Michael also added a comment there. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
