Added aws-java-sdk-sts to jar-dependencies #70

Open
wants to merge 7 commits into
base: master

@mmatviyiv mmatviyiv commented Feb 5, 2018

This would allow using STSAssumeRoleSessionCredentialsProvider for assume-roles authorization, for example in case of cross account signin.

Properties example:

AWSCredentialsProvider = STSAssumeRoleSessionCredentialsProvider|arn:aws:iam::<uid>:role/<role_name>|<session>

@jiawen-earnin

@mmatviyiv The STSAssumeRoleSessionCredentialsProvider class is already deprecated (https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/STSAssumeRoleSessionCredentialsProvider.html). I assume that STSAssumeRoleSessionCredentialsProvider is not supported in KCL. Have you successfully run your consumer code with AWSCredentialsProvider set to STSAssumeRoleSessionCredentialsProvider in the property file? There is an error on my side: "Unable to load AWS credentials from any provider in the chain".

@mmatviyiv
Author

Hi @jiawen-earnin, thanks for your comment.
Yes, it looks like this class is deprecated, but it still works fine for me on version 1.11.151.

Could you show your app .properties file? It should contain something like:

AWSCredentialsProvider = STSAssumeRoleSessionCredentialsProvider|arn:aws:iam::<uid>:role/<role_name>|<session>

uid, role_name, session are required

Also, please check your ~/.aws/credentials to make sure you have defined the assume role correctly.
And double-check that your app has used these two AWS env variables: AWS_REGION, AWS_DEFAULT_PROFILE.

@jiawen-earnin

Hi @mmatviyiv Yeah, I defined the AWSCredentialsProvider = STSAssumeRoleSessionCredentialsProvider|arn:aws:iam:::role/|<session_name>
session_name is randomly picked. Should I define the assume role in ~/.aws/credentials or ~/.aws/config? In my credentials file I defined something like this:
[default]
aws_access_key_id=my_access_key_id
aws_secret_access_key=my_aws_secret_access_key

and in my config file I defined something like this:
[default]
region = us-west-2
[profile my_profile_name]
role_arn = my_role_arn
region = us-west-2
source_profile = default

Then I export the AWS_PROFILE variable in the following way:
export AWS_PROFILE=my_profile_name
so that the app can run according to the IAM role locally.
My consumer app is written based on the sample KCL consumer example. Do you know where I should define AWS_REGION and AWS_DEFAULT_PROFILE? Thanks

@mmatviyiv
Author

mmatviyiv commented Mar 28, 2018

@jiawen-earnin I just duplicated a part of AWS configs to both ~/.aws/config and ~/.aws/credentials, here they are:

config:

[default]
region=us-west-2

[profile my_profile_name]
role_arn = arn:aws:iam::88888888888:role/MyRoleName
region=us-west-2
source_profile = default

credentials:

[default]
aws_access_key_id=my_access_key_id
aws_secret_access_key=my_aws_secret_access_key

[my_profile_name]
role_arn = arn:aws:iam::88888888888:role/MyRoleName
source_profile = default

Also, I noticed that exporting just AWS_PROFILE might not be enough, so my launch bash script contains this:

#!/usr/bin/env sh

export AWS_DEFAULT_REGION=us-west-2
export AWS_REGION=us-west-2
export AWS_DEFAULT_PROFILE=my_profile_name

# show assume-role and the active session, nice for debugging
aws configure list
aws sts get-caller-identity

python3 bin/auditit.properties.py
$(python3 /amazon-kinesis-client-python/samples/amazon_kclpy_helper.py --print_command --java java --properties bin/auditit.properties)

@jiawen-earnin

Hi @mmatviyiv Thank you! But I have found something else interesting. There is a cli/cache/ directory being created, and there is a JSON file in it which includes info like this:
{
  "Credentials": {
    "AccessKeyId": "my_access_key_id",
    "SecretAccessKey": "my_secret_access_key",
    "SessionToken": "my_session_token",
    "Expiration": "2018-03-27T19:05:42Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "my_assumed_roleId",
    "Arn": "my_arn"
  },
  "ResponseMetadata": {
    "RequestId": "my_request_id",
    "HTTPStatusCode": 200,
    "HTTPHeaders": {
      "x-amzn-requestid": "requestId",
      "content-type": "text/xml",
      "content-length": "1142",
      "date": "date"
    },
    "RetryAttempts": 0
  }
}

The sessionToken seems to be expired. Do you think that if I use STSAssumeRoleSessionCredentialsProvider, temporary credentials will be created? I deleted that JSON file in the cache folder, but the error "unable to load aws credentials" still appears. Did you meet this issue before, and how did you handle it? Thanks
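
An added example, not part of the thread or of the project's code: a Python check over the cli/cache/ directory described in the comment above, reporting for each cached assume-role session whether it has expired and whether the file, which holds a secret key and session token, is accessible to other users. The function names, the directory passed in, and the sample files are assumptions constructed for illustration.

```python
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def parse_expiration(value):
    # Accept both "2018-03-27T19:05:42Z" and "...+00:00" spellings of UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_cache(cache_dir, now=None):
    """Report expiry and file-permission state of cached STS credentials."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            creds = json.loads(path.read_text())["Credentials"]
            expires = parse_expiration(creds["Expiration"])
            seconds_left = int((expires - now).total_seconds())
        except (ValueError, KeyError, TypeError, AttributeError):
            findings.append({"file": path.name, "status": "unreadable"})
            continue
        findings.append({
            "file": path.name,
            "status": "expired" if expires <= now else "valid",
            "seconds_left": seconds_left,
            # Any group/other permission bit exposes the cached secrets.
            "group_or_world_access": bool(path.stat().st_mode & 0o077),
        })
    return findings

def demo():
    # Constructed sample files; values are placeholders, not real credentials.
    def entry(expiration):
        return json.dumps({"Credentials": {
            "AccessKeyId": "my_access_key_id", "SecretAccessKey": "my_secret",
            "SessionToken": "my_session_token", "Expiration": expiration}})
    samples = {"a_expired.json": (entry("2018-03-27T19:05:42Z"), 0o644),
               "b_valid.json": (entry("2018-03-27T21:00:00+00:00"), 0o600),
               "c_truncated.json": ('{"Credentials": {"AccessKeyId": "x"', 0o600)}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (body, mode) in samples.items():
            path = Path(tmp, name)
            path.write_text(body)
            os.chmod(path, mode)
        return audit_cache(tmp, datetime(2018, 3, 27, 20, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```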

@mmatviyiv
Author

@jiawen-earnin No, unfortunately, I didn't meet such a cache. But anyway, try to check your AWS config with these commands:

aws configure list
aws sts get-caller-identity

Just type them into your system console and check the output; it should show if there are any issues with your configuration.

@holmesjr

Has this repo been abandoned? This has been sitting for months.

@kanghuiliu-wyze

Any update on this? Still not able to use assume role credentials~
