[ https://issues.apache.org/jira/browse/NIFI-2799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15555991#comment-15555991 ]

ASF GitHub Bot commented on NIFI-2799:
--------------------------------------

Github user ktseytlin commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1112#discussion_r82451576
  
    --- Diff: 
nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/strategies/AssumeRoleCredentialsStrategy.java
 ---
    @@ -113,16 +134,34 @@ public AWSCredentialsProvider 
getDerivedCredentialsProvider(Map<PropertyDescript
             rawMaxSessionTime = (rawMaxSessionTime != null) ? 
rawMaxSessionTime : MAX_SESSION_TIME.getDefaultValue();
             final Integer maxSessionTime = 
Integer.parseInt(rawMaxSessionTime.trim());
             final String assumeRoleExternalId = 
properties.get(ASSUME_ROLE_EXTERNAL_ID);
    +        STSAssumeRoleSessionCredentialsProvider.Builder builder;
    +
    +        // If proxy variables are set, then create Client Configuration 
with those values
    +        if (proxyVariablesValidForAssumeRole(properties)) {
    +            final String assumeRoleProxyHost = 
properties.get(ASSUME_ROLE_PROXY_HOST);
    +            final Integer assumeRoleProxyPort = 
Integer.parseInt(properties.get(ASSUME_ROLE_PROXY_PORT));
    +            ClientConfiguration config = new ClientConfiguration();
    +            config.withProxyHost(assumeRoleProxyHost);
    +            config.withProxyPort(assumeRoleProxyPort);
    +            AWSSecurityTokenService securityTokenService = new 
AWSSecurityTokenServiceClient(config);
    --- End diff --
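
Review bot: In the last added line, `new AWSSecurityTokenServiceClient(config)` passes only the proxy configuration, so the STS client that performs AssumeRole resolves its own credentials from the SDK default provider chain instead of credentials selected by this strategy. If the method has a base credentials provider available, construct the client with it, for example `new AWSSecurityTokenServiceClient(credentialsProvider, config)` where credentialsProvider stands for that provider, and then give the builder only this client, since the stack trace quoted below shows the SDK rejecting a custom STS client combined with other client fields. Separately, `Integer.parseInt(properties.get(ASSUME_ROLE_PROXY_PORT))` does not trim its input the way the `rawMaxSessionTime.trim()` parse just above it does, so a port value with stray whitespace throws NumberFormatException unless proxyVariablesValidForAssumeRole already rules that out.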
    
    I also just ran the contribution mvn contrib check that you asked for with 
this fix, and it returns this error: 
    
    ```
    java.lang.IllegalArgumentException: If a custom STS client is set you must not set any other client related fields (ClientConfiguration, AWSCredentials, Endpoint, etc
                at com.amazonaws.util.ValidationUtils.assertAllAreNull(ValidationUtils.java:49)
                at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.<init>(STSAssumeRoleSessionCredentialsProvider.java:187)
                at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.<init>(STSAssumeRoleSessionCredentialsProvider.java:34)
                at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider$Builder.build(STSAssumeRoleSessionCredentialsProvider.java:436)
    ```
    
    I wanted to refactor it like that, but again, since I am not able to test
in my environment the previous work, I played it on the safe side.


> AWS Credentials for Assume Role Need Proxy
> ------------------------------------------
>
>                 Key: NIFI-2799
>                 URL: https://issues.apache.org/jira/browse/NIFI-2799
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>            Reporter: Keren Tseytlin
>            Assignee: James Wing
>            Priority: Minor
>             Fix For: 1.1.0
>
>
> As a user of NiFi, when I want to enable cross account fetching of S3 objects
> I need the proxy variables to be set in order to generate temporary AWS
> tokens for STS:AssumeRole.
> Within some enterprise environments, it is necessary to set the proxy 
> variables prior to running AssumeRole methods. Without this being set, the 
> machine in VPC A times out on generating temporary keys and is unable to 
> assume a role as a machine in VPC B. 
> This ticket arose from this conversation: 
> http://apache-nifi-developer-list.39713.n7.nabble.com/Nifi-Cross-Account-Download-With-A-Profile-Flag-td13232.html#a13252
> Goal: There are files stored in an S3 bucket in VPC B. My NiFi machines are
> in VPC A. I want NiFi to be able to get those files from VPC B. VPC A and VPC
> B need to be communicating in the FetchS3Object component.
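
The validation error quoted in the comment and the proxy requirement in the issue description both come down to where the proxy settings and the base credentials are attached. As an added example (not code from the pull request or from NiFi), one way to wire this with the AWS SDK for Java 1.x classes named in the stack trace: the proxy and the base credentials go on the STS client, and the builder receives only that client. The class, method and parameter names are assumptions.

```java
import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;

// Added example, not NiFi code: class, method and parameter names are hypothetical.
public final class ProxiedAssumeRoleExample {

    /** Parses a proxy port, rejecting blank, non-numeric and out-of-range values. */
    static int parseProxyPort(final String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            throw new IllegalArgumentException("Proxy port is required when a proxy host is set");
        }
        final int port;
        try {
            port = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Proxy port is not a number: " + raw, e);
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("Proxy port out of range: " + port);
        }
        return port;
    }

    /** Builds an assume-role provider; proxyHost may be null when no proxy is needed. */
    static AWSCredentialsProvider build(final AWSCredentialsProvider primary, final String roleArn,
            final String sessionName, final String externalId, final int maxSessionSeconds,
            final String proxyHost, final String rawProxyPort) {
        STSAssumeRoleSessionCredentialsProvider.Builder builder =
                new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                        .withRoleSessionDurationSeconds(maxSessionSeconds);
        if (externalId != null && !externalId.isEmpty()) {
            builder = builder.withExternalId(externalId);
        }
        if (proxyHost != null && !proxyHost.trim().isEmpty()) {
            final ClientConfiguration config = new ClientConfiguration()
                    .withProxyHost(proxyHost.trim())
                    .withProxyPort(parseProxyPort(rawProxyPort));
            // A custom STS client must be the only client-related field on the builder,
            // so the base credentials are attached to the client, not to the builder.
            final AWSSecurityTokenService sts = new AWSSecurityTokenServiceClient(primary, config);
            builder = builder.withStsClient(sts);
        } else {
            // No custom client: the builder may carry the base credentials itself.
            builder = builder.withLongLivedCredentialsProvider(primary);
        }
        return builder.build();
    }
}
```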


