Support Questions

Find answers, ask questions, and share your expertise

Nifi PutS3Object error with AMI Role (AwsCredentialsProviderControlerService)

avatar
Super Collaborator

In Nifi with the PutS3Object, we get an error using AWS Credentials Provider service.

AwsCredentialsProviderControlerService is configured to use IAM roles as follows:


Use Default Credentials = True
Use Anonymous Credentials = False
Assume Role ARN = arn:aws:iam::ahjhdiauisjkk:role/role-test
Assume Role Session Name = nifitest (*arbitary name*)
Session time = 3600

No other values are set in the AwsCredentialsProviderControlerService

We are using IAM roles because of organizational policies.

The error is loosely transcribe here (it may contain typos):

13:40:46 EDT - All Nodes - ERROR
PutS3Object[id=asdfasdfasdfasdf] Failed to put StandardFlowFileRecord[uuid=xxxxxxxx,claim=StandardContentClaim[resourceClaim=StandardResourceClaim[id=11111111, container=default,section=1], offset=0,length=222222],offset=1,name=test3,size=33333] to Amazon S2 due to com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) 
com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) 

Thanks for any help.

Jim

1 ACCEPTED SOLUTION

avatar
Super Collaborator

@james.jones

Hi not sure what it is called, but the what i think has to happen is the credentials that you are using for your ec2 machine, if that is xyz. You need allow xyz to impersonate arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000.

see if this helps http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

View solution in original post

3 REPLIES 3

avatar
Super Collaborator
com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node.

that probably is the root cause, you may have to give cross role permission in AWS IAM , to the credential taht is setup on the ec2 node hosting nifi.

avatar
Super Collaborator

Thanks @Karthik Narayanan. We do not see an option for cross role permission. Would it have another name? They did grant "Assumerole" but it is actually the same account so I'm not sure why it would need to assume a role in the first place.

avatar
Super Collaborator

@james.jones

Hi not sure what it is called, but the what i think has to happen is the credentials that you are using for your ec2 machine, if that is xyz. You need allow xyz to impersonate arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000.

see if this helps http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html