[ https://issues.apache.org/jira/browse/NIFI-12846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Turcsanyi updated NIFI-12846:
-----------------------------------
    Status: Patch Available  (was: Open)

> AWS Assume Role Credentials with VPCE Endpoint URL cannot handle the Region 
> ----------------------------------------------------------------------------
>
>                 Key: NIFI-12846
>                 URL: https://issues.apache.org/jira/browse/NIFI-12846
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.25.0
>            Reporter: Peter Turcsanyi
>            Assignee: Peter Turcsanyi
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In case of custom Endpoint URLs, the AWS client library may be able to parse 
> the Region from the URL but cannot handle VPCE URLs (e.g. 
> https://vpce-*****************-********-eu-central-1a.sts.eu-central-1.vpce.amazonaws.com).
> {code:java}
> 2024-02-27 13:13:04,102 ERROR [Timer-Driven Process Thread-1] o.apache.nifi.processors.aws.s3.ListS3 ListS3[id=d5e08c19-a155-3b34-e9e6-dbd70e048cd1] Failed to list contents of bucket
> com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Credential should be scoped to a valid region. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: 7820b219-dee5-4989-8d0c-465231469705; Proxy: null)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
>         at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
>         at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)
>         at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1731)
>         at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1698)
>         at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1687)
>         at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:532)
>         at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:501)
>         ...
> {code}
> Use the explicit Region property (added in NIFI-10791) for VPCE endpoints.
> The issue affects the 1.x line only. In NiFi 2.0, the AWS processors 
> (including the credential handling) have been refactored (NIFI-12144).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
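
Why the region decides whether the STS request above is accepted, as an added example that is not NiFi's or the AWS SDK's code: SigV4 mixes the region into both the credential scope and the signing key, so a client that cannot determine the region for a VPCE host should fail closed and take it from an explicit setting. The resolver function, the sample VPCE ID and the secret key are constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed sample endpoints (the VPCE ID is a placeholder, not a real one).
STANDARD_URL = "https://sts.eu-central-1.amazonaws.com"
VPCE_URL = ("https://vpce-0123456789abcdef0-abcdefgh-eu-central-1a"
            ".sts.eu-central-1.vpce.amazonaws.com")

# Only the plain regional form is trusted for hostname parsing.
_STANDARD_HOST = re.compile(r"^sts\.([a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com$")


def resolve_signing_region(endpoint_url, explicit_region=None):
    """Hypothetical resolver: prefer the operator-supplied region and
    refuse to guess when the hostname is not the standard regional form."""
    if explicit_region:
        return explicit_region
    host = urlparse(endpoint_url).hostname or ""
    match = _STANDARD_HOST.match(host)
    if not match:
        raise ValueError(f"cannot infer region from {host!r}; set it explicitly")
    return match.group(1)


def credential_scope(date, region, service="sts"):
    """Scope string carried in the Authorization header's Credential field."""
    return f"{date}/{region}/{service}/aws4_request"


def signing_key(secret_key, date, region, service="sts"):
    """SigV4 key derivation: date, region and service feed an HMAC chain."""
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def signature(secret_key, date, region, string_to_sign):
    """Final signature over an already-built string to sign."""
    key = signing_key(secret_key, date, region)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
```

A signature computed with any region other than the one the endpoint serves cannot match the value the service recomputes, which is the `SignatureDoesNotMatch` outcome in the log.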
