
Nifi PutS3Object error with AMI Role (AwsCredentialsProviderControlerService)

Super Collaborator

In Nifi with the PutS3Object, we get an error using AWS Credentials Provider service.

AwsCredentialsProviderControlerService is configured to use IAM roles as follows:

Use Default Credentials = True
Use Anonymous Credentials = False
Assume Role ARN = arn:aws:iam::ahjhdiauisjkk:role/role-test
Assume Role Session Name = nifitest (*arbitrary name*)
Session time = 3600

No other values are set in the AwsCredentialsProviderControlerService

We are using IAM roles because of organizational policies.

The error is loosely transcribed here (it may contain typos):

13:40:46 EDT - All Nodes - ERROR
PutS3Object[id=asdfasdfasdfasdf] Failed to put StandardFlowFileRecord[uuid=xxxxxxxx,claim=StandardContentClaim[resourceClaim=StandardResourceClaim[id=11111111, container=default,section=1], offset=0,length=222222],offset=1,name=test3,size=33333] to Amazon S2 due to com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) 
com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) 

Thanks for any help.

Jim

1 ACCEPTED SOLUTION

Expert Contributor

@james.jones

Hi, not sure what it is called, but what I think has to happen is this: take the credentials that you are using for your EC2 machine, say that is xyz. You need to allow xyz to impersonate arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000.

see if this helps http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
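As an added illustration of the accepted answer and of the earlier reply's "cross role permission", the script below is not from the thread, from NiFi or from AWS. It parses the AccessDenied message as quoted in the question and produces the two IAM documents that the linked cross-account tutorial sets up: the trust policy on the role being assumed (naming the EC2 instance's role ARN, not the per-instance assumed-role session ARN that STS reports) and the sts:AssumeRole permission on the instance's own role. The account id, instance id and role names are the thread's placeholders; the function names and the minimal policy check are mine.

```python
import json
import re

# Constructed sample input: the AccessDenied text quoted in the question,
# with the thread's placeholder account id and instance id left as they are.
SAMPLE_ERROR = (
    "User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 "
    "is not authorized to perform: sts:Assumerole on resource: "
    "arn:aws:sts::7777777:role/role-hdf-node"
)

# STS reports the caller as an assumed-role *session* ARN (role name plus a
# session name, here the instance id). A trust policy has to name the IAM
# role ARN instead, so the parser rebuilds that from account id and role name.
_DENIED_RE = re.compile(
    r"User: arn:aws:sts::(?P<account>\d+):assumed-role/(?P<role>[^/\s]+)/(?P<session>\S+)"
    r" is not authorized to perform: sts:AssumeRole on resource: "
    r"arn:aws:(?:iam|sts)::(?P<target_account>\d+):role/(?P<target_role>\S+)",
    re.IGNORECASE,
)


def parse_assume_role_denial(message: str) -> dict:
    """Extract caller role, session and target role from an STS AccessDenied message."""
    m = _DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an sts:AssumeRole AccessDenied message")
    return {
        "caller_role_arn": f"arn:aws:iam::{m['account']}:role/{m['role']}",
        "caller_session": m["session"],
        # The quoted message shows 'arn:aws:sts::...:role/...'; real IAM role
        # ARNs use the 'iam' service, so normalise to that form.
        "target_role_arn": f"arn:aws:iam::{m['target_account']}:role/{m['target_role']}",
    }


def trust_policy(caller_role_arn: str) -> dict:
    """Trust relationship for the *target* role: who is allowed to assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": caller_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_policy(target_role_arn: str) -> dict:
    """Identity policy for the *caller* (instance profile) role: which role it may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,  # scoped to one role, never "*"
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_action(statement: dict, action: str) -> bool:
    return statement.get("Effect") == "Allow" and any(
        a.lower() == action.lower() for a in _as_list(statement.get("Action", []))
    )


def assume_role_allowed(trust: dict, identity: dict,
                        caller_role_arn: str, target_role_arn: str) -> bool:
    """Conservative check that both halves of the grant are present.

    Only explicit Allow statements are inspected; Deny statements, conditions
    and wildcard principals are treated as absent. A True result means "this
    configuration should stop the 403", not "this configuration is safe".
    """
    trusted = False
    for s in trust.get("Statement", []):
        principal = s.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if _allows_action(s, "sts:AssumeRole") and caller_role_arn in aws_principals:
            trusted = True
    permitted = any(
        _allows_action(s, "sts:AssumeRole")
        and any(r in ("*", target_role_arn) for r in _as_list(s.get("Resource", [])))
        for s in identity.get("Statement", [])
    )
    return trusted and permitted


def remediation(message: str) -> dict:
    """Return the two policy documents implied by an AssumeRole AccessDenied message."""
    info = parse_assume_role_denial(message)
    return {
        "attach_as_trust_policy_on": info["target_role_arn"],
        "trust_policy": trust_policy(info["caller_role_arn"]),
        "attach_as_identity_policy_on": info["caller_role_arn"],
        "identity_policy": assume_role_policy(info["target_role_arn"]),
    }


if __name__ == "__main__":
    print(json.dumps(remediation(SAMPLE_ERROR), indent=2))
```

Running the script prints the trust document to paste into the target role's trust relationship and the identity policy to attach to the instance profile role; the session name in the message (`i-03333330000`) is deliberately not used anywhere, because it changes with every instance and session. Requiring both documents is the conservative setup the linked tutorial describes and is what the check function insists on.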


3 REPLIES 3

Expert Contributor
com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node.

That probably is the root cause. You may have to give cross-role permission in AWS IAM to the credential that is set up on the EC2 node hosting NiFi.

Super Collaborator

Thanks @Karthik Narayanan. We do not see an option for cross role permission. Would it have another name? They did grant "Assumerole" but it is actually the same account so I'm not sure why it would need to assume a role in the first place.

