[jira] [Commented] (FLINK-34490) flink-connector-kinesis not correctly supporting credential chaining

2024-02-23 Thread Aleksandr Pilipenko (Jira)


[ 
https://issues.apache.org/jira/browse/FLINK-34490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17820207#comment-17820207
 ] 

Aleksandr Pilipenko commented on FLINK-34490:
-

Currently, AWS connectors don't support extracting credentials from 
configuration files.

As described in the [connector 
documentation:|https://nightlies.apache.org/flink/flink-docs-release-1.18/docs/connectors/datastream/kinesis/#configuring-access-to-kinesis-with-iam]
{quote}PROFILE - Use AWS credentials profile file to create the AWS credentials.
{quote}

> flink-connector-kinesis not correctly supporting credential chaining
> 
>
> Key: FLINK-34490
> URL: https://issues.apache.org/jira/browse/FLINK-34490
> Project: Flink
>  Issue Type: Bug
>  Components: Connectors / Kinesis
> Affects Versions: aws-connector-4.2.0, 1.17.2
> Reporter: Eddie Ramirez
> Assignee: Aleksandr Pilipenko
> Priority: Major
> Attachments: Flink Credential Chaining.png
>
>
> When using AWS credential chaining, `flink-connector-kinesis` does 
> not correctly follow the chain of credentials.
>  
> *Expected Result*
>  `flink-connector-kinesis` should follow the 
> `source_profile` for each respective profile in 
> `~/.aws/config` to ultimately determine credentials.
>  
> *Observed Result*
>  `flink-connector-kinesis` only follows the first matching 
> `source_profile` specified in `~/.aws/config` and then errors 
> out because there are no credentials for that profile.
> {code:java}
> org.apache.flink.kinesis.shaded.com.amazonaws.SdkClientException: Unable to 
> load credentials into profile [profile intermediate-role]: AWS Access Key ID 
> is not specified
> {code}
>  
> *Configuration*
> connector config
> {code:java}
> aws.credentials.provider: PROFILE
> aws.credentials.profile.name: flink-access-role
> {code}
>  
> aws `~/.aws/config` file
> {code:java}
> [profile flink-access-role]
> role_arn = arn:aws:iam::x:role/flink-access-role
> source_profile = intermediate-role
> [profile intermediate-role]
> role_arn = arn:aws:iam::x:role/intermediate-role
> source_profile = aws-sso-role
> [profile aws-sso-role]
> sso_session = idc
> sso_role_name = x
> sso_account_id = x
> credential_process = aws configure export-credentials --profile=aws-sso-role
> [sso-session idc]
> sso_start_url = x
> sso_region = x
> sso_registration_scopes = sso:account:access
> {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
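
The chain the report expects to be walked, as an added example that is not part of the original thread and not the Flink connector's code: a small resolver that follows `source_profile` from `flink-access-role` down to the profile that can produce credentials by itself. The function names are hypothetical, the sample config is constructed from the file in the report, and precedence between credential mechanisms is not modelled.

```python
import configparser

# Constructed sample: the ~/.aws/config from the report, values elided as "x".
SAMPLE_CONFIG = """\
[profile flink-access-role]
role_arn = arn:aws:iam::x:role/flink-access-role
source_profile = intermediate-role
[profile intermediate-role]
role_arn = arn:aws:iam::x:role/intermediate-role
source_profile = aws-sso-role
[profile aws-sso-role]
sso_session = idc
sso_role_name = x
sso_account_id = x
credential_process = aws configure export-credentials --profile=aws-sso-role
[sso-session idc]
sso_start_url = x
sso_region = x
"""

def load_profiles(text):
    """Map profile name -> settings, skipping non-profile sections (e.g. sso-session)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {s.split(" ", 1)[-1].strip(): dict(parser[s])
            for s in parser.sections() if s == "default" or s.startswith("profile ")}

def base_sources(settings):
    """Ways a profile can yield credentials on its own (SDK precedence not modelled)."""
    kinds = (("aws_access_key_id", "static-keys"),
             ("credential_process", "credential_process"),
             ("sso_session", "sso"))
    return [kind for key, kind in kinds if key in settings]

def resolve_chain(profiles, name):
    """Follow source_profile hop by hop; return (chain, sources of the last hop)."""
    chain = []
    while name not in chain:
        if name not in profiles:
            raise KeyError(f"profile {name!r} is not defined")
        chain.append(name)
        nxt = profiles[name].get("source_profile")
        # A profile with static keys may name itself as its own source_profile.
        if nxt is None or (nxt == name and "aws_access_key_id" in profiles[name]):
            if not base_sources(profiles[name]):
                raise ValueError(f"profile {name!r} has no credential source")
            return chain, base_sources(profiles[name])
        name = nxt
    raise ValueError(f"source_profile cycle at {name!r}")
```

For the reported config, `base_sources` returns an empty list for `intermediate-role`, which is the condition behind the "AWS Access Key ID is not specified" error when resolution stops after the first hop.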


[jira] [Commented] (FLINK-34490) flink-connector-kinesis not correctly supporting credential chaining

2024-02-22 Thread Danny Cranmer (Jira)


[ 
https://issues.apache.org/jira/browse/FLINK-34490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17819641#comment-17819641
 ] 

Danny Cranmer commented on FLINK-34490:
---

Assigning to [~a.pilipenko] to take a look.
