pvillard31 opened a new pull request, #10294: URL: https://github.com/apache/nifi/pull/10294
# Summary

NIFI-14956 - AWS Credentials Provider - Add support for STS AssumeRoleWithWebIdentity

**Given the EOL of the SDK v1, I only implemented a version for the SDK v2**

Steps to set up an AWS-only test environment for testing this new feature. (Note: the commands use `--profile perso`; change it based on your needs.)

### Setup variables

````
export REGION=eu-central-1
export POOL_NAME=nifi-oidc-demo
export USERNAME=test
export PASSWORD='NewStrongPassword#123'
export DOMAIN_PREFIX=nifi-demo-pv
export CONF_CLIENT_NAME=NiFi
export CALLBACK_URL=http://localhost:53682/callback
export LOGOUT_URL=http://localhost:53682/logout
````

### Create Cognito User Pool

````
aws cognito-idp create-user-pool --region $REGION --pool-name "$POOL_NAME" \
  --policies 'PasswordPolicy={MinimumLength=12,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=true}' \
  --auto-verified-attributes email \
  --profile perso

USER_POOL_ID=$(aws cognito-idp list-user-pools --region "$REGION" --max-results 60 --profile perso \
  | jq -r --arg name "$POOL_NAME" '.UserPools[] | select(.Name==$name) | .Id')
````

### Create Hosted UI Domain

````
aws cognito-idp create-user-pool-domain --region $REGION --user-pool-id $USER_POOL_ID --domain $DOMAIN_PREFIX --profile perso
````

### Create Confidential App Client (with Auth Code Flow)

````
aws cognito-idp create-user-pool-client \
  --region $REGION \
  --user-pool-id $USER_POOL_ID \
  --client-name "$CONF_CLIENT_NAME" \
  --generate-secret \
  --allowed-o-auth-flows-user-pool-client \
  --allowed-o-auth-flows code \
  --supported-identity-providers COGNITO \
  --allowed-o-auth-scopes openid email profile \
  --callback-urls "$CALLBACK_URL" \
  --logout-urls "$LOGOUT_URL" \
  --explicit-auth-flows ALLOW_USER_PASSWORD_AUTH ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
  --profile perso
````

From the output, capture the below:

````
export CONF_CLIENT_ID=...
export CONF_CLIENT_SECRET=...
````

And:

````
export TOKEN_ENDPOINT=https://$DOMAIN_PREFIX.auth.$REGION.amazoncognito.com/oauth2/token
export ISSUER=https://cognito-idp.$REGION.amazonaws.com/$USER_POOL_ID
````

### Create and confirm a user

````
aws cognito-idp admin-create-user --region $REGION --user-pool-id $USER_POOL_ID \
  --username $USERNAME --temporary-password "$PASSWORD" --profile perso

aws cognito-idp admin-set-user-password --region $REGION --user-pool-id $USER_POOL_ID \
  --username $USERNAME --password "$PASSWORD" --permanent --profile perso
````

### Get a Refresh Token for the user

````
# Cognito SECRET_HASH = Base64(HMAC-SHA256(key = client secret, msg = username + client id))
SECRET_HASH=$(printf '%s' "$USERNAME""$CONF_CLIENT_ID" | openssl dgst -sha256 -hmac "$CONF_CLIENT_SECRET" -binary | base64)

REFRESH_TOKEN=$(aws cognito-idp initiate-auth \
  --region $REGION \
  --client-id $CONF_CLIENT_ID \
  --auth-flow USER_PASSWORD_AUTH \
  --auth-parameters USERNAME=$USERNAME,PASSWORD="$PASSWORD",SECRET_HASH="$SECRET_HASH" \
  --profile perso \
  | jq -r .AuthenticationResult.RefreshToken)
````

### Go to AWS IAM and Create Role

- Create Role
- Select Web Identity
- Select your Cognito pool
- Select the audience with the client ID of your app
- Next
- Select a policy, for example `AmazonSQSFullAccess`
- Next
- Give a name
- Create Role

Capture the Role ARN for the role you just created. Example:

````
export ROLE_ARN=arn:aws:iam::802551555016:role/nifi-test
````

### Configure NiFi

- `StandardOauth2AccessTokenProvider`
  - Authorization Server URL: `$TOKEN_ENDPOINT`
  - Client Authentication Strategy: Basic Authentication
  - Grant Type: Refresh Token
  - Refresh Token: `$REFRESH_TOKEN`
  - Client ID: `$CONF_CLIENT_ID`
  - Client Secret: `$CONF_CLIENT_SECRET`
  - Scope: (leave empty)
- AWS Credentials Provider (Web Identity)
  - OAuth2 Access Token Provider: select provider above
  - Assume Role ARN: `$ROLE_ARN`
  - Assume Role Session Name: `nifi-oidc-test`
  - Assume Role STS Region: `$REGION`
- Use an AWS SDK v2 processor (e.g., `PutSQS`) with this credentials provider and test

### Important notes

- STS requires `aud`; using `refresh_token` (or code) yields an `id_token` with `aud` that matches the app client ID.
- Only the v2 implementation exists, so it cannot be used with the S3 processors at the moment, as they are still using SDK v1.

# Tracking

Please complete the following tracking steps prior to pull request creation.

### Issue Tracking

- [ ] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created

### Pull Request Tracking

- [ ] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
- [ ] Pull Request commit message starts with Apache NiFi Jira issue number, as such `NIFI-00000`

### Pull Request Formatting

- [ ] Pull Request based on current revision of the `main` branch
- [ ] Pull Request refers to a feature branch with one commit containing changes

# Verification

Please indicate the verification steps performed prior to pull request creation.

### Build

- [ ] Build completed using `./mvnw clean install -P contrib-check`
  - [ ] JDK 21

### Licensing

- [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
- [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files

### Documentation

- [ ] Documentation formatting appears as expected in rendered files

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
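An added worked example, not part of the PR or of NiFi's own code, showing in Python's standard library the client-side pieces the setup above relies on: the Cognito `SECRET_HASH` the shell step computes with openssl, the `refresh_token` grant request that `StandardOauth2AccessTokenProvider` is configured to send with Basic client authentication, and a local pre-check of the web identity token's `iss`/`aud`/`exp` claims, which is why the notes say to pass the `id_token` (the access token Cognito issues has no `aud`). The sample JWT is constructed and unsigned; the function names, the placeholder pool id, and the inclusion of `client_id` in the form body alongside the Basic header are this example's assumptions, not NiFi's.

```python
"""Cognito -> STS AssumeRoleWithWebIdentity: client-side helpers (added example).

Standard library only; nothing here talks to AWS. The sample token below is
constructed and unsigned, so STS would reject it; it only exercises the checks.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Cognito SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username+client_id)).
    Same computation as the `openssl dgst -sha256 -hmac ... | base64` pipeline."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def refresh_token_request(token_endpoint: str, client_id: str, client_secret: str, refresh_token: str):
    """Token request matching the NiFi provider config: grant_type=refresh_token,
    Basic client authentication, no scope. Returns (method, url, headers, body)
    so the caller can send it with any HTTP client. Including client_id in the
    body as well as the Basic header is this example's assumption."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "refresh_token": refresh_token})
    return "POST", token_endpoint, headers, body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a compact JWS payload WITHOUT verifying the signature. STS
    verifies signatures against the issuer's JWKS; this is only a local
    pre-check so a misconfigured provider fails fast with a clear reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_web_identity_token(token: str, expected_aud: str, expected_issuer: str, now=None):
    """Return (ok, reason). Mirrors what the role's trust policy checks:
    iss == the Cognito pool issuer, aud == the app client id, not expired."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    if claims.get("iss") != expected_issuer:
        return False, f"iss {claims.get('iss')!r} != {expected_issuer!r}"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        # A Cognito access_token carries client_id but no aud: STS rejects it.
        return False, f"aud {aud!r} does not contain {expected_aud!r}"
    if claims.get("token_use") not in (None, "id"):
        return False, f"token_use {claims['token_use']!r}; pass the id_token to STS"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def assume_role_request(role_arn: str, session_name: str, web_identity_token: str, region: str) -> dict:
    """Parameters for sts:AssumeRoleWithWebIdentity (SDK v2 AssumeRoleWithWebIdentityRequest,
    or `aws sts assume-role-with-web-identity`). The call itself is unsigned: the
    token is the credential, so use the regional STS endpoint the provider is configured with."""
    return {
        "endpoint": f"https://sts.{region}.amazonaws.com",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": web_identity_token,
    }


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for local demos only."""
    def enc(d):
        raw = json.dumps(d, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed values standing in for $ISSUER, $CONF_CLIENT_ID and $ROLE_ARN.
    issuer = "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLE"
    client_id = "abc"
    id_token = make_unsigned_token({"iss": issuer, "aud": client_id, "token_use": "id",
                                    "exp": int(time.time()) + 3600})
    access_token = make_unsigned_token({"iss": issuer, "client_id": client_id,
                                        "token_use": "access", "exp": int(time.time()) + 3600})
    print("id_token    :", check_web_identity_token(id_token, client_id, issuer))
    print("access_token:", check_web_identity_token(access_token, client_id, issuer))
    print(assume_role_request("arn:aws:iam::123456789012:role/nifi-test",
                              "nifi-oidc-test", id_token, "eu-central-1")["endpoint"])
```

Run it as a script to see the id_token pass and the access_token fail on the missing `aud`; in a real flow the token string handed to `assume_role_request` is the `id_token` field from the token endpoint's response, never the `access_token`.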
