dbuijs commented on PR #10294:
URL: https://github.com/apache/nifi/pull/10294#issuecomment-4034351139
I suspect this pull request may have changed the behaviour of the
AWSCredentialsProviderControllerService. In AWS with IRSA configured as per the
AWS documentation, I can run NiFi 2.6.0 and simply by configuring it to use
default credentials it just works and assumes the AWS Role.
In NiFi 2.7.0 and later (2.7.2, 2.8.0) the
AWSCredentialsProviderControllerService will validate with these settings, but
when I try to use it for ListS3Bucket, it fails validation with:
```
nifi-2-node.nifi-headless.nifi.svc.cluster.local:8443 - Failed to list
contents of bucket 'swipilot-onyxia': Unable to load credentials from any of
the providers in the chain
AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(),
EnvironmentVariableCredentialsProvider(),
WebIdentityTokenFileCredentialsProvider(),
ProfileCredentialsProvider(profileName=default,
profileFile=ProfileFile(sections=[])), ContainerCredentialsProvider(),
InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider():
Unable to load credentials from system settings. Access key must be specified
either via environment variable (AWS_ACCESS_KEY_ID) or system property
(aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load
credentials from system settings. Access key must be specified either via
environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).,
WebIdentityTokenFileCredentialsProvider(): Connection pool shut down,
ProfileCredentialsProvider(profileName=default,
profileFile=ProfileFile(sections=[])): Profile file contained no credentials
for profile 'default': ProfileFile(sections=[]),
ContainerCredentialsProvider(): Cannot fetch credentials from container -
neither AWS_CONTAINER_CREDENTIALS_FULL_URI or
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set.,
InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]
```
Inside the AWS EKS pod, I have confirmed that this works:
```
# Exchange the pod's web identity token for role credentials via STS
export TOKEN="$(cat "$AWS_WEB_IDENTITY_TOKEN_FILE")"
aws sts assume-role-with-web-identity \
  --role-arn "$AWS_ROLE_ARN" \
  --role-session-name "nifi-debug" \
  --web-identity-token "$TOKEN"
```
It is true that neither AWS_CONTAINER_CREDENTIALS_FULL_URI nor
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set, but this did not seem to be
necessary in NiFi 2.6.0 and earlier.
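A triage helper for the provider-chain error quoted in the comment above, added here as an illustration (it is not part of dbuijs's comment or of NiFi): it splits the bracketed tail into one reason per provider and flags providers whose environment inputs are present in the pod yet still failed. The function names, the `INPUTS` mapping and the `[...]` abridgement of the chain prefix are assumptions of this example.

```python
import re

# Error text from the comment above, e-mail wraps joined; the chain prefix is
# abridged to "[...]" (constructed sample for this example).
ERROR = (
    "AwsCredentialsProviderChain(credentialsProviders=[...]) : "
    "[SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. "
    "Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or "
    "system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to "
    "load credentials from system settings. Access key must be specified either via "
    "environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., "
    "WebIdentityTokenFileCredentialsProvider(): Connection pool shut down, "
    "ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(sections=[])): "
    "Profile file contained no credentials for profile 'default': ProfileFile(sections=[]), "
    "ContainerCredentialsProvider(): Cannot fetch credentials from container - neither "
    "AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI "
    "environment variables are set., "
    "InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]"
)

PROVIDER = re.compile(r"\b(\w+CredentialsProvider)\(")
# Environment inputs each provider reads (assumed mapping for this example).
INPUTS = {
    "EnvironmentVariableCredentialsProvider": ("AWS_ACCESS_KEY_ID",),
    "WebIdentityTokenFileCredentialsProvider": ("AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_ARN"),
    "ContainerCredentialsProvider": ("AWS_CONTAINER_CREDENTIALS_FULL_URI",
                                     "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"),
}

def parse_failures(message):
    """Map provider name -> failure reason from the bracketed tail of the chain error."""
    tail = message.partition("]) : [")[2].rstrip().removesuffix("]")
    hits = list(PROVIDER.finditer(tail))
    failures = {}
    for m, nxt in zip(hits, hits[1:] + [None]):
        entry = tail[m.start():nxt.start() if nxt else len(tail)]
        depth, pos = 0, len(m.group(1))
        while pos < len(entry):  # skip the balanced (...) argument list
            depth += {"(": 1, ")": -1}.get(entry[pos], 0)
            pos += 1
            if depth == 0:
                break
        failures[m.group(1)] = entry[pos:].lstrip(": ").rstrip(", ")
    return failures

def configured_but_failed(failures, env):
    """Providers whose inputs are set in env but which still failed to load credentials."""
    return {p: r for p, r in failures.items()
            if any(env.get(v) for v in INPUTS.get(p, ()))}
```

Passing the pod's environment (for example `dict(os.environ)`) as `env` narrows the six failures to the providers that were actually configured.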