[ https://issues.apache.org/jira/browse/NIFI-12846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Turcsanyi updated NIFI-12846:
-----------------------------------
    Status: Patch Available  (was: Open)

> AWS Assume Role Credentials with VPCE Endpoint URL cannot handle the Region
> ----------------------------------------------------------------------------
>
>                 Key: NIFI-12846
>                 URL: https://issues.apache.org/jira/browse/NIFI-12846
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.25.0
>            Reporter: Peter Turcsanyi
>            Assignee: Peter Turcsanyi
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In case of custom Endpoint URLs, the AWS client library may be able to parse
> the Region from the URL but can not handle VPCE URLs (e.g.
> https://vpce-*****************-********-eu-central-1a.sts.eu-central-1.vpce.amazonaws.com).
> {code:java}
> 2024-02-27 13:13:04,102 ERROR [Timer-Driven Process Thread-1] o.apache.nifi.processors.aws.s3.ListS3 ListS3[id=d5e08c19-a155-3b34-e9e6-dbd70e048cd1] Failed to list contents of bucket
> com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Credential should be scoped to a valid region. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: 7820b219-dee5-4989-8d0c-465231469705; Proxy: null)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
>         at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
>         at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
>         at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)
>         at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1731)
>         at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1698)
>         at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1687)
>         at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:532)
>         at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:501)
>         ...
> {code}
> Use the explicit Region property (added in NIFI-10791) for VPCE endpoints.
> The issue affects the 1.x line only. In NiFi 2.0, the AWS processors
> (including the credential handling) have been refactored (NIFI-12144).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
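
Why the Region has to be supplied for a VPCE endpoint, as an added example (not NiFi's patch and not the AWS SDK's own parser): SigV4 binds every request to a credential scope that names the region, so a region guessed from the wrong hostname label yields a scope that does not name a valid region. The class `StsSigningRegion`, its methods, the assumed host layout and the sample endpoints are constructed for illustration.

```java
import java.net.URI;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration: neither NiFi code nor the AWS SDK's own hostname parser.
public class StsSigningRegion {
    // Assumed host layout: [<vpce-id>.]sts.<region>[.vpce].amazonaws.com
    private static final Pattern STS_HOST =
            Pattern.compile("(?:^|\\.)sts\\.([a-z0-9-]+)\\.(?:vpce\\.)?amazonaws\\.com$");

    // Naive heuristic (assumption): the label just before "amazonaws.com" is the region.
    static String naiveRegion(String endpoint) {
        String[] labels = URI.create(endpoint).getHost().split("\\.");
        return labels.length >= 3 ? labels[labels.length - 3] : null;
    }

    // An explicitly configured region wins; otherwise parse the host or fail closed.
    static String signingRegion(String endpoint, String explicitRegion) {
        if (explicitRegion != null && !explicitRegion.trim().isEmpty()) {
            return explicitRegion.trim();
        }
        Matcher m = STS_HOST.matcher(URI.create(endpoint).getHost());
        if (!m.find()) {
            throw new IllegalArgumentException(
                    "Cannot derive a signing region from " + endpoint + "; configure it explicitly");
        }
        return m.group(1);
    }

    // SigV4 credential scope: <yyyyMMdd>/<region>/<service>/aws4_request
    static String credentialScope(String date, String region) {
        return date + "/" + region + "/sts/aws4_request";
    }

    public static void main(String[] args) {
        // Constructed sample endpoints; the VPCE id below is a placeholder.
        String regional = "https://sts.eu-central-1.amazonaws.com";
        String vpce = "https://vpce-0123456789abcdef0-abcdefgh-eu-central-1a"
                + ".sts.eu-central-1.vpce.amazonaws.com";
        for (String endpoint : new String[] {regional, vpce}) {
            System.out.println(endpoint);
            System.out.println("  naive scope:    " + credentialScope("20240227", naiveRegion(endpoint)));
            System.out.println("  explicit scope: "
                    + credentialScope("20240227", signingRegion(endpoint, "eu-central-1")));
            System.out.println("  parsed scope:   "
                    + credentialScope("20240227", signingRegion(endpoint, null)));
        }
    }
}
```

For the VPCE host the naive heuristic picks the `vpce` label as the region, while the explicit value keeps the scope on `eu-central-1` regardless of how the endpoint is named.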