kafka-connect-s3 - Trusted Account Credentials Documentation #366
@Tamir-Schwarz How did it work for you? I am getting the following error:
@hafizmujadidKhalid Getting the same error, did you find a way to solve it?
No, it did not work for me.
Same problem.
Lines 806 to 837 in c633f08
Lines 172 to 176 in c633f08
Lines 86 to 101 in c633f08
At first glance it looks like the credential provider is being invoked correctly. We don't see similar issues when using a regular role, so it's something related to the assume role configuration.
I'm also getting the same error using localstack and root role. Any updates on this? Also, specifying the AWS_REGION ENV variable gives another error:
Region issue still happening
This passes the `s3.region` configuration value into credential providers. It also updates the AwsAssumeRoleCredentialsProvider to specify a region when building an AWSSecurityTokenServiceClient. Fixes confluentinc#366
This adds a `region` configuration item for the AwsAssumeRoleCredentialsProvider. It is used when building an AWSSecurityTokenServiceClient. If not specified, uses the default region selector. Fixes confluentinc#366
https://docs.confluent.io/kafka-connectors/s3-sink/current/overview.html#credentials-providers is still using I believe we're also running into @hafizmujadidKhalid's issue:
and get the following error
Getting the same issue.
Hi,
We are using kafka-connect-s3 connector version 5.5.1.
We tried to use the Trusted Account Credentials feature.
According to the documentation,
we need to add the following properties:
```
s3.credentials.provider.class=AwsAssumeRoleCredentialsProvider
sts.role.arn=arn:aws:iam::012345678901:role/my-restricted-role
sts.role.session.name=session-name
sts.role.external.id=external-id
```
It didn't work for us.
After digging into the code,
we found that in order to make it work we need to add the prefix 's3.credentials.provider' to 'sts.role.arn', 'sts.role.session.name' and 'sts.role.external.id'.
Following is the configuration that worked for us:
```
s3.credentials.provider.class=AwsAssumeRoleCredentialsProvider
s3.credentials.provider.sts.role.arn=arn:aws:iam::012345678901:role/my-restricted-role
s3.credentials.provider.sts.role.session.name=session-name
s3.credentials.provider.sts.role.external.id=external-id
```
In addition,
it is worth mentioning that 'external.id' is mandatory, while it is not mandatory on AWS.
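
The prefix problem reported in this issue can be caught before a connector is deployed. The following is an added example, not code from the connector or from any commenter: a Python check over connector properties text that models the reported behaviour, where only keys under `s3.credentials.provider.` reach the provider. That model and the names `parse_properties`, `provider_view` and `lint` are assumptions of the example; the key names are the ones quoted in the issue.

```python
PREFIX = "s3.credentials.provider."
PROVIDER_KEY = PREFIX + "class"
# Keys the issue reports the provider needs; it also reports the external id
# as mandatory in the connector even though AWS itself does not require one.
REQUIRED = ("sts.role.arn", "sts.role.session.name", "sts.role.external.id")

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def provider_view(props):
    """Assumed model: only prefixed keys reach the provider, prefix stripped."""
    return {k[len(PREFIX):]: v for k, v in props.items()
            if k.startswith(PREFIX) and k != PROVIDER_KEY}

def lint(text):
    """Return findings for the assume-role keys; an empty list means OK."""
    props = parse_properties(text)
    if "AwsAssumeRoleCredentialsProvider" not in props.get(PROVIDER_KEY, ""):
        return []  # another provider is configured; nothing to check
    seen = provider_view(props)
    findings = []
    for key in REQUIRED:
        if seen.get(key):
            continue
        if key in props:
            findings.append(f"{key}: not prefixed, rename to {PREFIX}{key}")
        else:
            findings.append(f"{PREFIX}{key}: missing or empty")
    return findings

# Constructed input: the un-prefixed form from the issue, minus the external id.
DOCUMENTED = """\
s3.credentials.provider.class=AwsAssumeRoleCredentialsProvider
sts.role.arn=arn:aws:iam::012345678901:role/my-restricted-role
sts.role.session.name=session-name
"""
# Constructed input: the same keys with the prefix applied, plus the external id.
WORKING = "\n".join(PREFIX + ln if ln.startswith("sts.") else ln
                    for ln in DOCUMENTED.splitlines())
WORKING += "\n" + PREFIX + "sts.role.external.id=external-id\n"
```

Calling `lint()` on the contents of a properties file returns one finding per un-prefixed or missing key, so it can gate a deployment pipeline on an empty result.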