[ https://issues.apache.org/jira/browse/FLINK-34490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17820207#comment-17820207 ]
Aleksandr Pilipenko edited comment on FLINK-34490 at 2/23/24 9:16 PM:
----------------------------------------------------------------------

Currently, AWS connectors don't support extracting credentials from configuration files (.aws/config).

As described in the [connector documentation:|https://nightlies.apache.org/flink/flink-docs-release-1.18/docs/connectors/datastream/kinesis/#configuring-access-to-kinesis-with-iam]
{quote}PROFILE - Use AWS credentials profile file to create the AWS credentials.
{quote}
Credentials files have a [different format|https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-format] from configuration files and do not support the properties described in the ticket.

was (Author: a.pilipenko):
Currently, AWS connectors don't support extracting credentials from configuration files.

As described in the [connector documentation:|https://nightlies.apache.org/flink/flink-docs-release-1.18/docs/connectors/datastream/kinesis/#configuring-access-to-kinesis-with-iam]
{quote}PROFILE - Use AWS credentials profile file to create the AWS credentials.
{quote}

> flink-connector-kinesis not correctly supporting credential chaining
> --------------------------------------------------------------------
>
>                 Key: FLINK-34490
>                 URL: https://issues.apache.org/jira/browse/FLINK-34490
>             Project: Flink
>          Issue Type: Bug
>          Components: Connectors / Kinesis
>    Affects Versions: aws-connector-4.2.0, 1.17.2
>            Reporter: Eddie Ramirez
>            Assignee: Aleksandr Pilipenko
>            Priority: Major
>         Attachments: Flink Credential Chaining.png
>
>
> When using AWS credential chaining, `{{flink-connector-kinesis}}` does not correctly follow the chain of credentials.
>
> *Expected Result*
> `{{flink-connector-kinesis}}` should follow the `{{source_profile}}` for each respective profile in `{{~/.aws/config}}` to ultimately determine credentials.
>
> *Observed Result*
> `{{flink-connector-kinesis}}` only follows the first matching `{{source_profile}}` specified in `{{~/.aws/config}}` and then errors out because there are no credentials for that profile.
> {code:java}
> org.apache.flink.kinesis.shaded.com.amazonaws.SdkClientException: Unable to load credentials into profile [profile intermediate-role]: AWS Access Key ID is not specified
> {code}
>
> *Configuration*
> connector config
> {code:java}
> aws.credentials.provider: PROFILE
> aws.credentials.profile.name: flink-access-role{code}
>
> aws `{{~/.aws/config}}` file
> {code:java}
> [profile flink-access-role]
> role_arn = arn:aws:iam::xxxxxxxxx:role/flink-access-role
> source_profile = intermediate-role
> [profile intermediate-role]
> role_arn = arn:aws:iam::xxxxxxxxx:role/intermediate-role
> source_profile = aws-sso-role
> [profile aws-sso-role]
> sso_session = idc
> sso_role_name = xxxxx
> sso_account_id = xxxxx
> credential_process = aws configure export-credentials --profile=aws-sso-role
> [sso-session idc]
> sso_start_url = xxxxx
> sso_region = xxxxx
> sso_registration_scopes = sso:account:access
> {code}
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
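
An added example, not part of the ticket or of the Flink connector's code: a small Python audit that walks the `source_profile` links in a config file like the one quoted in the ticket, and reports the full chain plus which settings on the last profile can supply base credentials. The function names and the `BASE_KEYS` list are assumptions of this example and do not reflect any SDK's provider order.

```python
import configparser

# Constructed sample: the ~/.aws/config from the ticket, with its placeholder values.
SAMPLE_CONFIG = """\
[profile flink-access-role]
role_arn = arn:aws:iam::xxxxxxxxx:role/flink-access-role
source_profile = intermediate-role
[profile intermediate-role]
role_arn = arn:aws:iam::xxxxxxxxx:role/intermediate-role
source_profile = aws-sso-role
[profile aws-sso-role]
sso_session = idc
sso_role_name = xxxxx
sso_account_id = xxxxx
credential_process = aws configure export-credentials --profile=aws-sso-role
[sso-session idc]
sso_start_url = xxxxx
sso_region = xxxxx
sso_registration_scopes = sso:account:access
"""

# Assumption for this audit: settings that mean "this profile has its own base
# credentials". The list is illustrative, not an SDK's resolution order.
BASE_KEYS = ("aws_access_key_id", "credential_process", "sso_session")

def load_profiles(text):
    """Map named profile -> settings; other sections ([sso-session ...]) are skipped."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.read_string(text)
    return {s.split(None, 1)[1]: dict(parser[s])
            for s in parser.sections() if s.startswith("profile ")}

def resolve_chain(profiles, name):
    """Follow source_profile links; return (chain, base-credential keys on the last profile)."""
    chain = []
    while name is not None:
        if name in chain:
            raise ValueError("source_profile loop: " + " -> ".join(chain + [name]))
        if name not in profiles:
            raise KeyError("profile not defined: " + name)
        chain.append(name)
        name = profiles[name].get("source_profile")
    last = profiles[chain[-1]]
    return chain, [k for k in BASE_KEYS if k in last]

if __name__ == "__main__":
    chain, base = resolve_chain(load_profiles(SAMPLE_CONFIG), "flink-access-role")
    print(" -> ".join(chain), "| base credentials from:", base)
```

An empty second element means the chain ends on a profile with no base credentials of its own, which is the state a resolver that stops after the first hop finds itself in at `intermediate-role`.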