https://community.cloudera.com/t5/Archives-of-Support-Questions/Nifi-PutS3Object-error-with-AMI-Role/m-p/193844#M68632 <P>In Nifi with the PutS3Object, we get an error using AWS Credentials Provider service.</P><P>AwsCredentialsProviderControlerService is configured to use IAM roles as follows:</P><P><BR />Use Default Credentials = True <BR />Use Anonymous Credentials = False <BR />Assume Role ARN = arn:aws:iam::ahjhdiauisjkk:role/role-test <BR />Assume Role Session Name = nifitest (*arbitary name*) <BR />Session time = 3600 <BR /><BR />No other values are set in the AwsCredentialsProviderControlerService</P><P>We are using IAM roles because of organizational policies.</P><P>The error is loosely transcribe here (it may contain typos):</P><PRE>13:40:46 EDT - All Nodes - ERROR PutS3Object[id=asdfasdfasdfasdf] Failed to put StandardFlowFileRecord[uuid=xxxxxxxx,claim=StandardContentClaim[resourceClaim=StandardResourceClaim[id=11111111, container=default,section=1], offset=0,length=222222],offset=1,name=test3,size=33333] to Amazon S2 due to com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) </PRE><P>Thanks for any help.</P><P>Jim</P> Wed, 27 Sep 2017 05:48:57 GMT james_jones 2017-09-27T05:48:57Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Nifi-PutS3Object-error-with-AMI-Role/m-p/193844#M68632 <P>In Nifi with the PutS3Object, we get an error using AWS Credentials Provider service.</P><P>AwsCredentialsProviderControlerService is configured to use IAM roles as follows:</P><P><BR />Use Default Credentials = True <BR />Use Anonymous Credentials = False <BR />Assume Role ARN = arn:aws:iam::ahjhdiauisjkk:role/role-test <BR />Assume Role Session Name = nifitest (*arbitary name*) <BR />Session time = 3600 <BR /><BR />No other values are set in the AwsCredentialsProviderControlerService</P><P>We are using IAM roles because of organizational policies.</P><P>The error is loosely transcribe here (it may contain typos):</P><PRE>13:40:46 EDT - All Nodes - ERROR PutS3Object[id=asdfasdfasdfasdf] Failed to put StandardFlowFileRecord[uuid=xxxxxxxx,claim=StandardContentClaim[resourceClaim=StandardResourceClaim[id=11111111, container=default,section=1], offset=0,length=222222],offset=1,name=test3,size=33333] to Amazon S2 due to com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) </PRE><P>Thanks for any help.</P><P>Jim</P> Wed, 27 Sep 2017 05:48:57 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Nifi-PutS3Object-error-with-AMI-Role/m-p/193844#M68632 james_jones 2017-09-27T05:48:57Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Nifi-PutS3Object-error-with-AMI-Role/m-p/193845#M68633 <PRE>com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node.</PRE><P>that probably is the root cause, you may have to give cross role permission in AWS IAM , to the credential taht is setup on the ec2 node hosting nifi.</P> Wed, 27 Sep 2017 23:24:09 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Nifi-PutS3Object-error-with-AMI-Role/m-p/193845#M68633 knarayanan 2017-09-27T23:24:09Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Nifi-PutS3Object-error-with-AMI-Role/m-p/193846#M68634 <P>Thanks <A rel="user" href="https://community.cloudera.com/users/10180/knarayanan.html" nodeid="10180">@Karthik Narayanan</A>. We do not see an option for cross role permission. Would it have another name? They did grant "Assumerole" but it is actually the same account so I'm not sure why it would need to assume a role in the first place.</P> Thu, 28 Sep 2017 01:48:29 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Nifi-PutS3Object-error-with-AMI-Role/m-p/193846#M68634 james_jones 2017-09-28T01:48:29Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Nifi-PutS3Object-error-with-AMI-Role/m-p/193847#M68635 <P><A rel="user" href="https://community.cloudera.com/users/2229/jamesjones.html" nodeid="2229">@james.jones</A> </P><P> Hi not sure what it is called, but the what i think has to happen is the credentials that you are using for your ec2 machine, if that is xyz. You need allow xyz to impersonate arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000. </P><P>see if this helps <A href="http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html" target="_blank">http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html</A></P> Thu, 28 Sep 2017 20:53:40 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Nifi-PutS3Object-error-with-AMI-Role/m-p/193847#M68635 knarayanan 2017-09-28T20:53:40Z