Thanks for troubleshooting this. I’m absolutely fine to add a method that will accept AWSCredentialsProvider.
Do you want to handle this and improve the IP finder implementation? We can grant you all the needed permissions in JIRA.

https://issues.apache.org/jira/browse/IGNITE-4530

In any case, what I’ve learnt from your explanation is that a provider can refresh credentials. Does this mean that in general you can refresh your credentials manually by creating new/updated ones using the AWS interface?

—
Denis

> On Jan 6, 2017, at 5:00 AM, zshamrock <[email protected]> wrote:
>
> Ok, Denis. I found the issue. Could you, please, create the corresponding
> JIRA issue for Apache Ignite project (it looks like I don't have enough rights to
> do it myself).
>
> The issue is the following (at least for Apache Ignite 1.7.0, but I guess
> 1.8.0 will not be any different):
>
> - when you deploy Ignite on AWS (in clustered) you need to use
>   /TcpDiscoveryS3IpFinder/
> - /TcpDiscoveryS3IpFinder/ only has /setAwsCredentials/ which accepts
>   /AWSCredentials/
> - If you check the source code, this is how the credentials are then used
>   inside /TcpDiscoveryS3IpFinder/:
>
>     s3 = cfg != null ? new AmazonS3Client(cred, cfg) : new AmazonS3Client(cred);
>
> - /AmazonS3Client/ also has another way to construct the client, by passing
>   /AWSCredentialsProvider/:
>
>     public AmazonS3Client(AWSCredentialsProvider credentialsProvider) {
>         this(credentialsProvider, new ClientConfiguration());
>     }
>
> - If you pass /AWSCredentials/ to the S3 client instead, it wraps it into
>   /StaticCredentialsProvider/, i.e.
>
>     public AmazonS3Client(AWSCredentials awsCredentials, ClientConfiguration clientConfiguration) {
>         super(clientConfiguration);
>         this.awsCredentialsProvider = new StaticCredentialsProvider(awsCredentials);
>         init();
>     }
>
> - The S3 Amazon client (like all other AWS clients) never uses credentials
>   directly, but instead calls /awsCredentialsProvider.getCredentials()/ every
>   time credentials are required
>
> One of the available /AWSCredentialsProvider/ implementations is
> /InstanceProfileCredentialsProvider/, whose /getCredentials()/ implementation
> refreshes the AWS credentials if required (following the EC2 instance profile
> workflow):
>
>     public AWSCredentials getCredentials() {
>         if (needsToLoadCredentials())
>             loadCredentials();
>         if (expired()) {
>             throw new AmazonClientException(
>                 "The credentials received from the Amazon EC2 metadata service have expired");
>         }
>         return credentials;
>     }
>
> So, the suggestion is to add support for /TcpDiscoveryS3IpFinder/ to accept
> /AWSCredentialsProvider/ in addition to just /AWSCredentials/, and then
> pass it into the underlying /AmazonS3Client/ (actually you can even wrap
> /AWSCredentials/ into /StaticCredentialsProvider/ and always pass
> /AWSCredentialsProvider/ into the S3 client).
>
> --
> View this message in context:
> http://apache-ignite-users.70518.x6.nabble.com/Old-AWS-SDK-version-why-tp9824p9932.html
> Sent from the Apache Ignite Users mailing list archive at Nabble.com.
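The difference discussed in this thread, as an added example that is not part of the original messages and is neither Ignite nor AWS SDK code: a one-time copy of temporary credentials stops working once they expire, while a provider that is asked on every request keeps working. All types here (Creds, CredsProvider, Refreshing, IpFinderSketch) and the one-hour lifetime are stand-ins assumed for illustration; it needs Java 16 or later.

```java
import java.util.function.Supplier;

// Stand-in types (assumptions) modelled on the SDK classes named in the thread.
public class CredentialsProviderDemo {
    static long now = 0; // constructed clock, in seconds

    record Creds(String keyId, long expiresAt) {}

    interface CredsProvider { Creds getCredentials(); } // role of AWSCredentialsProvider

    // Role of StaticCredentialsProvider: always returns the object it was built with.
    static CredsProvider fixed(Creds c) { return () -> c; }

    // Role of InstanceProfileCredentialsProvider: reloads from the source once expired.
    static class Refreshing implements CredsProvider {
        private final Supplier<Creds> source;
        private Creds current;
        Refreshing(Supplier<Creds> source) { this.source = source; }
        public Creds getCredentials() {
            if (current == null || current.expiresAt() <= now) current = source.get();
            return current;
        }
    }

    // Hypothetical IP finder: both setters end up as a provider, as the thread suggests.
    static class IpFinderSketch {
        private CredsProvider provider;
        void setAwsCredentials(Creds c) { provider = fixed(c); }
        void setAwsCredentialsProvider(CredsProvider p) { provider = p; }
        // Like the S3 client, asks the provider on every request; true if accepted.
        boolean request() { return provider.getCredentials().expiresAt() > now; }
    }

    public static void main(String[] args) {
        int[] issued = {0};
        // Constructed metadata source: issues a new key valid for one hour.
        Supplier<Creds> metadata = () -> new Creds("TEMP-" + (++issued[0]), now + 3600);

        IpFinderSketch withSnapshot = new IpFinderSketch();
        withSnapshot.setAwsCredentials(metadata.get());      // one-time copy of temporary keys
        IpFinderSketch withProvider = new IpFinderSketch();
        withProvider.setAwsCredentialsProvider(new Refreshing(metadata));

        for (long t : new long[] {0, 1800, 4000, 8000}) {
            now = t;
            System.out.printf("t=%d snapshot=%b provider=%b%n",
                t, withSnapshot.request(), withProvider.request());
        }
    }
}
```

With only the credentials setter available, the practical alternative to a refreshing provider is a long-lived access key stored in configuration, which is the kind of secret an instance profile is meant to replace.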
