Hi,

I'm using Flink StreamingFileSink running in one AWS account (A) to another
(B). I'm also leveraging a SecurityConfiguration in the CFN to assume a
role in account B so that when I write there the files are owned by account
B which then in turn allows account B to delegate to other AWS accounts (C
and D). The reason these files must be owned by the other account is
because AWS doesn't support cross account delegation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example4.html

SecurityConfiguration:
  Type: AWS::EMR::SecurityConfiguration
  Properties:
    Name: String
    SecurityConfiguration:
      AuthorizationConfiguration:
        EmrFsConfiguration:
          RoleMappings:
            - Role: arn:aws:iam::<B-account>:role/EMR_EC2_DefaultRole
              IdentifierType: Prefix
              Identifiers:
                - s3://my-bucket/prefix/
            - Role: arn:aws:iam::<B-account>:role/EMR_DefaultRole
              IdentifierType: Prefix
              Identifiers:
                - s3://my-bucket/prefix/


I've referenced this in my Cluster block as well:

ReleaseLabel: !Ref ReleaseLabel
SecurityConfiguration: !Ref SecurityConfiguration
ScaleDownBehavior: TERMINATE_AT_TASK_COMPLETION

For some reason the files are still owned by account A. It seems like Flink
is using the old Hadoop FS implementation instead of EMRFS which should (I
believe) grant the proper ownership so that bucket permissions can apply to
the written objects and in turn delegate read permissions to accounts C, D
etc.

Any help would be greatly appreciated.

Thanks,
Peter
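The symptom in the post (objects under the prefix still owned by account A rather than account B) can be confirmed directly from an S3 listing, because ListObjectsV2 returns each object's owner when called with `FetchOwner=True`. The following is an added example, not code from the post or from Flink/EMR: it audits a listing for objects whose owner is not the expected account. Note that S3 reports ownership by canonical user ID, not by the 12-digit account number, so the expected value is account B's canonical ID; the IDs and object entries below are constructed placeholders, and the `list_objects_with_owner` helper (boto3, not run offline) is an assumed way of fetching a real listing.

```python
"""Audit which account owns the objects under an S3 prefix.

Added example (not from the original post): given the 'Contents' entries that
ListObjectsV2 returns when FetchOwner=True, report every object whose Owner.ID
differs from the canonical user ID of the account that is supposed to own the
written files (account B in the post).
"""
from typing import Dict, Iterable, List

# Constructed placeholders: real canonical user IDs are 64 hex characters.
CANONICAL_ID_ACCOUNT_A = "a" * 64
CANONICAL_ID_ACCOUNT_B = "b" * 64

# Constructed sample in the shape of ListObjectsV2 'Contents' entries (FetchOwner=True).
SAMPLE_OBJECTS: List[Dict] = [
    {"Key": "prefix/part-0-0", "Size": 1024,
     "Owner": {"ID": CANONICAL_ID_ACCOUNT_A, "DisplayName": "account-a"}},
    {"Key": "prefix/part-0-1", "Size": 2048,
     "Owner": {"ID": CANONICAL_ID_ACCOUNT_B, "DisplayName": "account-b"}},
    {"Key": "prefix/_metadata", "Size": 10,
     "Owner": {"ID": CANONICAL_ID_ACCOUNT_A, "DisplayName": "account-a"}},
]


def misowned_keys(objects: Iterable[Dict], expected_owner_id: str) -> List[str]:
    """Return the keys of objects whose Owner.ID is not expected_owner_id.

    Entries without an Owner field (listed without FetchOwner) are reported as
    well, since their ownership could not be confirmed.
    """
    bad: List[str] = []
    for obj in objects:
        owner_id = (obj.get("Owner") or {}).get("ID")
        if owner_id != expected_owner_id:
            bad.append(obj["Key"])
    return bad


def ownership_summary(objects: Iterable[Dict]) -> Dict[str, int]:
    """Count objects per owner canonical ID ('<unknown>' when absent)."""
    counts: Dict[str, int] = {}
    for obj in objects:
        owner_id = (obj.get("Owner") or {}).get("ID") or "<unknown>"
        counts[owner_id] = counts.get(owner_id, 0) + 1
    return counts


def list_objects_with_owner(bucket: str, prefix: str) -> List[Dict]:
    """Fetch a real listing with boto3 (assumed helper, not exercised offline).

    Assumes credentials for an identity allowed s3:ListBucket on the bucket.
    """
    import boto3  # imported lazily so the offline part needs no AWS SDK installed
    s3 = boto3.client("s3")
    paginator = s3.get_paginator("list_objects_v2")
    objects: List[Dict] = []
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix, FetchOwner=True):
        objects.extend(page.get("Contents", []))
    return objects


if __name__ == "__main__":
    print(ownership_summary(SAMPLE_OBJECTS))
    print("not owned by account B:", misowned_keys(SAMPLE_OBJECTS, CANONICAL_ID_ACCOUNT_B))
```

Running this against the real prefix (swap `SAMPLE_OBJECTS` for `list_objects_with_owner("my-bucket", "prefix/")`) shows whether any object was written under the assumed role: objects still listed with account A's canonical ID are the ones that accounts C and D will not be able to read through account B's bucket policy, regardless of what the RoleMappings say.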
