[
https://issues.apache.org/jira/browse/FLINK-34490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17820207#comment-17820207
]
Aleksandr Pilipenko commented on FLINK-34490:
Currently, AWS connectors don't support extracting credentials from
configuration files.
As described in the [connector
documentation|https://nightlies.apache.org/flink/flink-docs-release-1.18/docs/connectors/datastream/kinesis/#configuring-access-to-kinesis-with-iam]:
{quote}PROFILE - Use AWS credentials profile file to create the AWS credentials.
{quote}
> flink-connector-kinesis not correctly supporting credential chaining
>
>
> Key: FLINK-34490
> URL: https://issues.apache.org/jira/browse/FLINK-34490
> Project: Flink
> Issue Type: Bug
> Components: Connectors / Kinesis
>Affects Versions: aws-connector-4.2.0, 1.17.2
>Reporter: Eddie Ramirez
>Assignee: Aleksandr Pilipenko
>Priority: Major
> Attachments: Flink Credential Chaining.png
>
>
> When using AWS credential chaining, {{flink-connector-kinesis}} does
> not correctly follow the chain of credentials.
>
> *Expected Result*
> {{flink-connector-kinesis}} should follow the
> {{source_profile}} for each respective profile in
> {{~/.aws/config}} to ultimately determine credentials.
>
> *Observed Result*
> {{flink-connector-kinesis}} only follows the first matching
> {{source_profile}} specified in {{~/.aws/config}} and then errors
> out because there are no credentials for that profile.
> {code:java}
> org.apache.flink.kinesis.shaded.com.amazonaws.SdkClientException: Unable to
> load credentials into profile [profile intermediate-role]: AWS Access Key ID
> is not specified
> {code}
>
> *Configuration*
> connector config
> {code:java}
> aws.credentials.provider: PROFILE
> aws.credentials.profile.name: flink-access-role{code}
>
> aws {{~/.aws/config}} file
> {code:java}
> [profile flink-access-role]
> role_arn = arn:aws:iam::x:role/flink-access-role
> source_profile = intermediate-role
> [profile intermediate-role]
> role_arn = arn:aws:iam::x:role/intermediate-role
> source_profile = aws-sso-role
> [profile aws-sso-role]
> sso_session = idc
> sso_role_name = x
> sso_account_id = x
> credential_process = aws configure export-credentials --profile=aws-sso-role
> [sso-session idc]
> sso_start_url = x
> sso_region = x
> sso_registration_scopes = sso:account:access
> {code}
>
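An added example, not part of the Jira issue or the connector's code: a small offline check that walks the `source_profile` links in the config from the report and names the first source profile with no `aws_access_key_id`, which is the profile the error above complains about. The function names are hypothetical, the config is a copy of the one posted, and `[default]` and a separate credentials file are assumed not to be in use.

```python
import configparser

# Constructed sample: the ~/.aws/config from the report, "x" placeholders as posted.
SAMPLE_CONFIG = """\
[profile flink-access-role]
role_arn = arn:aws:iam::x:role/flink-access-role
source_profile = intermediate-role
[profile intermediate-role]
role_arn = arn:aws:iam::x:role/intermediate-role
source_profile = aws-sso-role
[profile aws-sso-role]
sso_session = idc
sso_role_name = x
sso_account_id = x
credential_process = aws configure export-credentials --profile=aws-sso-role
[sso-session idc]
sso_start_url = x
sso_region = x
sso_registration_scopes = sso:account:access
"""
# Keys that let a profile yield credentials without a further source_profile hop.
TERMINAL_KEYS = ("aws_access_key_id", "credential_process", "sso_session")

def resolve_chain(config_text, start):
    """Walk source_profile links; return [(profile, [credential keys present])]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    hops, name = [], start
    while name is not None:
        section = f"profile {name}"
        if any(name == seen for seen, _ in hops):
            raise ValueError(f"source_profile cycle at [{section}]")
        if not cfg.has_section(section):
            raise KeyError(f"[{section}] is referenced but not defined")
        hops.append((name, [k for k in TERMINAL_KEYS if cfg.has_option(section, k)]))
        name = cfg.get(section, "source_profile", fallback=None)
    if not hops[-1][1]:
        raise ValueError(f"[profile {hops[-1][0]}] ends the chain with no credential source")
    return hops

def first_source_without_static_keys(config_text, start):
    """First source profile lacking aws_access_key_id (None if all have one)."""
    for name, keys in resolve_chain(config_text, start)[1:]:
        if "aws_access_key_id" not in keys:
            return name
    return None

if __name__ == "__main__":
    for name, keys in resolve_chain(SAMPLE_CONFIG, "flink-access-role"):
        print(name, keys or "assume-role hop")
    print("first keyless source:", first_source_without_static_keys(SAMPLE_CONFIG, "flink-access-role"))
```

Running it before deployment shows how many hops a `PROFILE` configuration needs and whether the chain ends in a process or SSO source rather than static keys.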