[ https://issues.apache.org/jira/browse/NIFI-2799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15555967#comment-15555967 ]

ASF GitHub Bot commented on NIFI-2799:
--------------------------------------

Github user ktseytlin commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1112#discussion_r82450516
  
    --- Diff: 
nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/strategies/AssumeRoleCredentialsStrategy.java
 ---
    @@ -113,16 +134,34 @@ public AWSCredentialsProvider 
getDerivedCredentialsProvider(Map<PropertyDescript
             rawMaxSessionTime = (rawMaxSessionTime != null) ? 
rawMaxSessionTime : MAX_SESSION_TIME.getDefaultValue();
             final Integer maxSessionTime = 
Integer.parseInt(rawMaxSessionTime.trim());
             final String assumeRoleExternalId = 
properties.get(ASSUME_ROLE_EXTERNAL_ID);
    +        STSAssumeRoleSessionCredentialsProvider.Builder builder;
    +
    +        // If proxy variables are set, then create Client Configuration 
with those values
    +        if (proxyVariablesValidForAssumeRole(properties)) {
    +            final String assumeRoleProxyHost = 
properties.get(ASSUME_ROLE_PROXY_HOST);
    +            final Integer assumeRoleProxyPort = 
Integer.parseInt(properties.get(ASSUME_ROLE_PROXY_PORT));
    +            ClientConfiguration config = new ClientConfiguration();
    +            config.withProxyHost(assumeRoleProxyHost);
    +            config.withProxyPort(assumeRoleProxyPort);
    +            AWSSecurityTokenService securityTokenService = new 
AWSSecurityTokenServiceClient(config);
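
Review bot: at `new AWSSecurityTokenServiceClient(config)` the STS client is constructed from the ClientConfiguration alone, so no explicit credentials provider is attached to it and it falls back to the SDK's default credentials chain. Pass the base credentials provider into this constructor together with `config` (the SDK has an overload taking an `AWSCredentialsProvider` and a `ClientConfiguration`), so that if the client is then handed to `builder` nothing else client-related has to be set on the builder. Separately, `Integer.parseInt(properties.get(ASSUME_ROLE_PROXY_PORT))` parses the raw property without the `.trim()` applied to `rawMaxSessionTime` a few lines up, so a port value with surrounding whitespace throws NumberFormatException unless `proxyVariablesValidForAssumeRole` already rejects it.
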
    --- End diff --
    
    The only change I made to a new build was to add `.withLongLivedCredentialsProvider(primaryCredentialsProvider);`. I just built it again, and now I get this error:
    
    ```
    14:56:49 EDTERRORa07a8653-0157-1000-cc2a-541216293b68
    AWSCredentialsProviderService[id=a07a8653-0157-1000-cc2a-541216293b68] Failed to invoke @OnEnabled method due to java.lang.IllegalArgumentException: **If a custom STS client is set you must not set any other client related fields (ClientConfiguration, AWSCredentials, Endpoint, etc**
    14:57:00 EDTERRORa0772af8-0157-1000-f3dd-9c8fb7f22bd7
    FetchS3Object[id=a0772af8-0157-1000-f3dd-9c8fb7f22bd7] FetchS3Object[id=a0772af8-0157-1000-f3dd-9c8fb7f22bd7] failed to invoke @OnScheduled method due to java.lang.RuntimeException: Failed while executing one of processor's OnScheduled task.; processor will not be scheduled to run for 30 seconds: java.lang.RuntimeException: Failed while executing one of processor's OnScheduled task.
    ```
    
    See the part I surrounded in **; this makes me believe that I cannot use the LongLivedCredentialsProvider.


> AWS Credentials for Assume Role Need Proxy
> ------------------------------------------
>
>                 Key: NIFI-2799
>                 URL: https://issues.apache.org/jira/browse/NIFI-2799
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>            Reporter: Keren Tseytlin
>            Assignee: James Wing
>            Priority: Minor
>             Fix For: 1.1.0
>
>
> As a user of NiFi, when I want to enable cross account fetching of S3 objects 
> I need the proxy variables to be set in order to generate temporary AWS 
> tokens for STS:AssumeRole.
> Within some enterprise environments, it is necessary to set the proxy 
> variables prior to running AssumeRole methods. Without this being set, the 
> machine in VPC A times out on generating temporary keys and is unable to 
> assume a role as a machine in VPC B. 
> This ticket arose from this conversation: 
> http://apache-nifi-developer-list.39713.n7.nabble.com/Nifi-Cross-Account-Download-With-A-Profile-Flag-td13232.html#a13252
> Goal: There are files stored in an S3 bucket in VPC B. My NiFi machines are 
> in VPC A. I want NiFi to be able to get those files from VPC B. VPC A and VPC 
> B need to be communicating in the FetchS3Object component.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)