You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-dev@hadoop.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2018/08/14 20:14:00 UTC

[jira] [Created] (HADOOP-15672) add s3guard CLI command to generate session keys for an assumed role

Steve Loughran created HADOOP-15672:
---------------------------------------

             Summary: add s3guard CLI command to generate session keys for an assumed role
                 Key: HADOOP-15672
                 URL: https://issues.apache.org/jira/browse/HADOOP-15672
             Project: Hadoop Common
          Issue Type: Sub-task
          Components: fs/s3
    Affects Versions: 3.2
            Reporter: Steve Loughran


the aws cli [get-session-token|https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html] can generate the keys for short-lived session.

I'd like something similar in an s3guard command, e.g. "create-role-keys", which would take the existing (full) credentials and optionally: 
 * ARN of role to adopt
 * duration
 * name
 * restrictions as path to a JSON file or just stdin
 * output format
 * whether to use a per-bucket binding for the credentials in the property names generated
 * MFA secrets

output formats
* A JCEKS file (with chosen passwd? For better hive use: append/replace entries in existing file); saved through the hadoop FS APIs to HDFS, file:// or elsewhere
* hadoop config XML
* spark properties

The goal here is to have a workflow where you can generate role credentials to use for a limited time, store them in a JCEKS file and then share them in your jobs. This can be for: Jenkins, Oozie, build files, ..





--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-dev-help@hadoop.apache.org