Eddie Ramirez created FLINK-34490:
-------------------------------------
Summary: flink-connector-kinesis not correctly supporting credential chaining
Key: FLINK-34490
URL: https://issues.apache.org/jira/browse/FLINK-34490
Project: Flink
Issue Type: Bug
Components: Connectors / Kinesis
Affects Versions: 1.17.2, aws-connector-4.2.0
Reporter: Eddie Ramirez
Attachments: Flink Credential Chaining.png
When using AWS credential chaining, `flink-connector-kinesis` does not
correctly follow the chain of credentials.
*Expected Result*
`flink-connector-kinesis` should follow the `source_profile`
for each respective profile in `~/.aws/config` to ultimately determine
credentials.
*Observed Result*
`flink-connector-kinesis` only follows the first matching
`source_profile` specified in `~/.aws/config` and then errors
out because there are no credentials for that profile.
{code:java}
org.apache.flink.kinesis.shaded.com.amazonaws.SdkClientException: Unable to
load credentials into profile [profile intermediate-role]: AWS Access Key ID is
not specified
{code}
*Configuration*
connector config
{code:java}
aws.credentials.provider: PROFILE
aws.credentials.profile.name: flink-access-role
{code}
aws `~/.aws/config` file
{code:java}
[profile flink-access-role]
role_arn = arn:aws:iam::xxxxxxxxx:role/flink-access-role
source_profile = intermediate-role
[profile intermediate-role]
role_arn = arn:aws:iam::xxxxxxxxx:role/intermediate-role
source_profile = aws-sso-role
[profile aws-sso-role]
sso_session = idc
sso_role_name = xxxxx
sso_account_id = xxxxx
credential_process = aws configure export-credentials --profile=aws-sso-role
[sso-session idc]
sso_start_url = xxxxx
sso_region = xxxxx
sso_registration_scopes = sso:account:access
{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
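
Added example (not part of the original report and not the connector's or the AWS SDK's code): a small Python check that walks the `source_profile` chain in an AWS config file and reports which profile finally supplies base credentials. `TERMINAL_KEYS`, `load_profiles`, `resolve_chain` and the `max_hops` parameter are names assumed for this sketch; `max_hops=1` models the single-hop behaviour the report describes.

```python
import configparser

# Keys that let a profile produce credentials without another source_profile.
# (Set chosen for this example; not an exhaustive list of AWS config keys.)
TERMINAL_KEYS = ("aws_access_key_id", "credential_process", "sso_session")

# Constructed sample mirroring the config in the report (placeholder values).
SAMPLE_CONFIG = """
[profile flink-access-role]
role_arn = arn:aws:iam::xxxxxxxxx:role/flink-access-role
source_profile = intermediate-role
[profile intermediate-role]
role_arn = arn:aws:iam::xxxxxxxxx:role/intermediate-role
source_profile = aws-sso-role
[profile aws-sso-role]
sso_session = idc
credential_process = aws configure export-credentials --profile=aws-sso-role
[sso-session idc]
sso_region = xxxxx
"""

def load_profiles(text):
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        if section == "default":
            profiles["default"] = dict(parser[section])
        elif section.startswith("profile "):
            profiles[section[len("profile "):].strip()] = dict(parser[section])
    return profiles

def resolve_chain(profiles, name, max_hops=None):
    """Return profile names from `name` down to the one that yields base credentials."""
    chain = []
    while True:
        if name in chain:
            raise ValueError("cycle in source_profile chain: " + " -> ".join(chain + [name]))
        if name not in profiles:
            raise ValueError(f"profile [{name}] is not defined")
        chain.append(name)
        profile = profiles[name]
        if any(key in profile for key in TERMINAL_KEYS):
            return chain
        if "source_profile" not in profile:
            raise ValueError(f"profile [{name}] has no credential source")
        if max_hops is not None and len(chain) > max_hops:
            raise ValueError(f"profile [{name}] needs another hop; limit is {max_hops}")
        name = profile["source_profile"]
```

Running `resolve_chain(load_profiles(open(path).read()), "flink-access-role")` against a real config file shows how many assume-role hops a client must support before the job is deployed.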