Created 09-26-2017 10:48 PM
In Nifi with the PutS3Object, we get an error using AWS Credentials Provider service.
AwsCredentialsProviderControlerService is configured to use IAM roles as follows:
Use Default Credentials = True
Use Anonymous Credentials = False
Assume Role ARN = arn:aws:iam::ahjhdiauisjkk:role/role-test
Assume Role Session Name = nifitest (*arbitrary name*)
Session time = 3600
No other values are set in the AwsCredentialsProviderControlerService
We are using IAM roles because of organizational policies.
The error is loosely transcribed here (it may contain typos):
13:40:46 EDT - All Nodes - ERROR PutS3Object[id=asdfasdfasdfasdf] Failed to put StandardFlowFileRecord[uuid=xxxxxxxx,claim=StandardContentClaim[resourceClaim=StandardResourceClaim[id=11111111, container=default,section=1], offset=0,length=222222],offset=1,name=test3,size=33333] to Amazon S2 due to com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa)
Thanks for any help.
Jim
Created 09-28-2017 01:53 PM
Hi, not sure what it is called, but what I think has to happen is this: take the credentials that you are using for your EC2 machine, say xyz. You need to allow xyz to impersonate arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000.
See if this helps: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
Created 09-27-2017 04:24 PM
com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node.
That probably is the root cause. You may have to give cross-role permission in AWS IAM to the credential that is set up on the EC2 node hosting NiFi.
Created 09-27-2017 06:48 PM
Thanks @Karthik Narayanan. We do not see an option for cross role permission. Would it have another name? They did grant "Assumerole" but it is actually the same account so I'm not sure why it would need to assume a role in the first place.
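To make the "cross-role permission" suggestion in the replies concrete, here is a small offline checker, added as an example and not code from the thread or from NiFi. It walks through the two authorizations IAM evaluates on sts:AssumeRole: the calling role's own identity policy must allow sts:AssumeRole on the target role, and the target role's trust policy must name the caller as a Principal. It also shows why the ARN in the 403 message is misleading for this purpose: the error reports the STS assumed-role session ARN (arn:aws:sts::ACCOUNT:assumed-role/NAME/SESSION), while a trust policy must name the IAM role ARN (arn:aws:iam::ACCOUNT:role/NAME). The account id 7777777, the role names role-hdf-node and role-test, the instance id and all policy documents are constructed placeholders modelled on the ones the original poster used, not real resources.

```python
"""Offline check of the two IAM decisions behind sts:AssumeRole (added example).

Constructed sample data only; the account id, role names and instance id are
placeholders in the style of the original post, not real AWS resources.
"""
import fnmatch
import re

ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d+):assumed-role/([^/]+)/[^/]+$")


def assumed_role_to_iam_role(sts_arn):
    """Map arn:aws:sts::ACCT:assumed-role/NAME/SESSION to arn:aws:iam::ACCT:role/NAME.

    Trust policies are written against the IAM role ARN, not the STS session
    ARN that appears in the AccessDenied message.
    """
    m = ASSUMED_ROLE_RE.match(sts_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {sts_arn}")
    account, role = m.groups()
    return f"arn:aws:iam::{account}:role/{role}"


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _action_matches(stmt, action):
    # IAM action names are case-insensitive and may be wildcarded (sts:*).
    return any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt.get("Action", [])))


def identity_policy_allows(identity_policy, target_role_arn):
    """Does the caller's own IAM policy grant sts:AssumeRole on the target role?

    Resource entries may be wildcards such as arn:aws:iam::7777777:role/*.
    An explicit Deny wins over any Allow, as in IAM's evaluation logic.
    """
    allowed = False
    for stmt in identity_policy.get("Statement", []):
        if not _action_matches(stmt, "sts:AssumeRole"):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(target_role_arn, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def trust_policy_allows(trust_policy, caller_iam_arn):
    """Does the target role's trust policy name the caller as an AWS Principal?

    Accepts the exact role ARN, the caller's account root (which delegates to
    that account's IAM policies) or "*"; an explicit Deny wins over Allow.
    """
    account = caller_iam_arn.split(":")[4]
    root = f"arn:aws:iam::{account}:root"
    allowed = False
    for stmt in trust_policy.get("Statement", []):
        if not _action_matches(stmt, "sts:AssumeRole"):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if not any(p in ("*", root, caller_iam_arn) for p in principals):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(caller_sts_arn, target_role_arn, identity_policy, trust_policy):
    """Both sides must allow the call; returns (ok, reason)."""
    caller = assumed_role_to_iam_role(caller_sts_arn)
    if not identity_policy_allows(identity_policy, target_role_arn):
        return False, f"{caller} lacks sts:AssumeRole on {target_role_arn} in its own policy"
    if not trust_policy_allows(trust_policy, caller):
        return False, f"trust policy of {target_role_arn} does not list {caller} as a Principal"
    return True, "ok"


# --- constructed sample documents (placeholders, not real resources) ---
CALLER = "arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000"
TARGET = "arn:aws:iam::7777777:role/role-test"

# Identity policy attached to the EC2 instance role hosting NiFi.
NODE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::7777777:role/*"},
]}
# Trust policy of role-test that only trusts some other role: AssumeRole fails.
TRUST_MISSING = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::7777777:role/role-other"}},
]}
# Same trust policy with the NiFi node's IAM role added as a Principal.
TRUST_FIXED = {"Statement": TRUST_MISSING["Statement"] + [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::7777777:role/role-hdf-node"}},
]}

if __name__ == "__main__":
    print(assumed_role_to_iam_role(CALLER))
    print(can_assume(CALLER, TARGET, NODE_POLICY, TRUST_MISSING))
    print(can_assume(CALLER, TARGET, NODE_POLICY, TRUST_FIXED))
```

Run against the constructed data, the first check fails with the trust-policy reason even though the node's own policy already grants sts:AssumeRole, which is the situation the thread describes ("They did grant Assumerole"); adding the node's IAM role ARN as a Principal in the target role's trust policy makes it pass. The checker covers only the AWS-principal and wildcard cases of trust policies, not Condition blocks, so treat it as an illustration of the two-sided rule rather than a substitute for the IAM policy simulator.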