Posted to issues@nifi.apache.org by "zhangzhonglai (via GitHub)" <gi...@apache.org> on 2023/06/18 04:29:49 UTC

[GitHub] [nifi] zhangzhonglai commented on pull request #7045: NIFI-11288 Add missing dependencies required by AWS AssumeRoleWithWebIdentity method

zhangzhonglai commented on PR #7045:
URL: https://github.com/apache/nifi/pull/7045#issuecomment-1595949840

   Thanks for your reply, @nandorsoma. Our case is a bit complicated: we use NiFi in AWS EKS. Due to permissions issues, ops will provide me with a service account that has an IAM role authenticated by OIDC; this service account will add an environment variable, `AWS_WEB_IDENTITY_TOKEN_FILE : /var/run/secrets/eks.amazonaws.com/serviceaccount/token`, to the Pod. In NiFi, I use the `AWSCredentialsProviderControllerService` processor, and by setting `Use Default Credentials` to `true` I can read the temporary permissions provided by STS to access AWS-related services. Without this environment variable, the `AWSCredentialsProviderControllerService` will report an error:
   ```
   2023-03-14 15:56:44,700 DEBUG [Timer-Driven Process Thread-2] c.a.auth.AWSCredentialsProviderChain Unable to load credentials from WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path.
   ```
   I think the key is the AWS_WEB_IDENTITY_TOKEN_FILE environment variable, which the AWS client will use to get the information it needs.
   
   Some related URLs:
   
   * https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
   * https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
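
Added example, not part of the original comment or of NiFi's code: a Python preflight check for the web identity inputs the comment describes, reporting problems without printing the token itself. It covers only the environment and token file, not the classpath error in the log; the function names, the `AWS_ROLE_ARN` check and the `sts.amazonaws.com` audience are assumptions about a typical EKS service-account setup.

```python
import base64
import json
import os
import time

EXPECTED_AUDIENCE = "sts.amazonaws.com"  # assumption: audience of an EKS service-account token


def decode_claims(token):
    """Return the JWT payload as a dict WITHOUT verifying the signature (diagnostics only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def check_web_identity(env, now=None):
    """Return a list of problems; an empty list means the inputs look usable."""
    now = time.time() if now is None else now
    problems = []
    path = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not path:
        problems.append("AWS_WEB_IDENTITY_TOKEN_FILE is not set")
    if not env.get("AWS_ROLE_ARN"):  # assumption: role to assume is passed this way
        problems.append("AWS_ROLE_ARN is not set")
    if not path:
        return problems
    try:
        with open(path, encoding="ascii") as fh:
            claims = decode_claims(fh.read())
    except OSError as exc:
        return problems + [f"token file unreadable: {exc.strerror}"]
    except ValueError as exc:  # bad base64, bad JSON or wrong shape
        return problems + [f"token file is not a JWT: {exc}"]
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if EXPECTED_AUDIENCE not in aud:
        problems.append(f"audience {aud} does not include {EXPECTED_AUDIENCE}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


if __name__ == "__main__":
    for line in check_web_identity(os.environ) or ["web identity inputs look usable"]:
        print(line)
```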

