[ https://issues.apache.org/jira/browse/NIFI-7497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17128387#comment-17128387 ]

Chris Durham commented on NIFI-7497:
------------------------------------

The final resolution of this needs to ensure that there is the ability to have 
the STSEndpoint independent of the region. Software such as Ceph, which 
provides for a private S3 storage system, implements AWS IAM and STS for roles. 
The STS endpoint in this scenario will be a private name, independent of any 
AWS region name.

> AWS Credentials for Assume Role need to be able to configure STS Endpoint
> -------------------------------------------------------------------------
>
>                 Key: NIFI-7497
>                 URL: https://issues.apache.org/jira/browse/NIFI-7497
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Neptune Salt
>            Priority: Minor
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> As a user of NiFi, when I want to enable cross account access in certain 
> environments, I want to be able to override the STS endpoint for the security 
> token service.
> This arises from the limitations here: 
> [https://github.com/aws/aws-sdk-java/blob/b1b1a21fa46f8948fcf39e8b3a76f6ebe00e14b9/aws-java-sdk-sts/src/main/java/com/amazonaws/auth/STSAssumeRoleSessionCredentialsProvider.java#L291]
> The relevant comment being:
>  
> {code:java}
> /**
>  * Sets the AWS Security Token Service (STS) endpoint where session credentials are retrieved
>  * from. <p></p> The default AWS Security Token Service (STS) endpoint ("sts.amazonaws.com")
>  * works for all accounts that are not for China (Beijing) region or GovCloud. You only need to
>  * change the endpoint to "sts.cn-north-1.amazonaws.com.cn" when you are requesting session
>  * credentials for services in China(Beijing) region or "sts.us-gov-west-1.amazonaws.com" for
>  * GovCloud. <p></p> Setting this invalidates existing session credentials.
>  *
>  * @deprecated This method may be removed in a future major version. Create multiple providers
>  * if you need to work with multiple STS endpoints.
>  */
> {code}
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
