Franz Thoma created FLINK-9686:
----------------------------------

Summary: Flink Kinesis Producer: Enable Kinesis authentication via AssumeRole
Key: FLINK-9686
URL: https://issues.apache.org/jira/browse/FLINK-9686
Project: Flink
Issue Type: Improvement
Components: Kinesis Connector
Reporter: Franz Thoma

h2. Current situation:

FlinkKinesisProducer can authenticate with Kinesis by retrieving credentials via one of the following mechanisms:
* Environment variables
* System properties
* An AWS profile
* Directly provided credentials ({{BASIC}})
* AWS's own default heuristic ({{AUTO}})

For streaming across AWS accounts, it is considered good practice to enable access to the remote Kinesis stream via a role, rather than passing credentials for the remote account.

h2. Proposed change:

Add a new credentials provider specifying a role ARN, session name, and an additional credentials provider supplying the credentials for assuming the role.

Config example for assuming role {{<role-arn>}} with auto-detected credentials:

{code:java}
aws.credentials.provider: ASSUME_ROLE
aws.credentials.provider.role.arn: <role-arn>
aws.credentials.provider.role.sessionName: my-session-name
aws.credentials.provider.role.provider: AUTO
{code}

{{ASSUME_ROLE}} credentials providers can be nested, i.e. it is possible to assume a role which in turn is allowed to assume another role:

{code:java}
aws.credentials.provider: ASSUME_ROLE
aws.credentials.provider.role.arn: <role-arn>
aws.credentials.provider.role.sessionName: my-session-name
aws.credentials.provider.role.provider: ASSUME_ROLE
aws.credentials.provider.role.provider.role.arn: <nested-role-arn>
aws.credentials.provider.role.provider.role.sessionName: my-nested-session-name
aws.credentials.provider.role.provider.role.provider: AUTO
{code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
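The nested key layout proposed above can be checked before a job is deployed. The sketch below is an added example, not code from the issue or from Flink: it follows the `.role.provider` prefix recursively, validates each role ARN and session name, and lists role keys that sit below the base provider and would never be used. The ARNs and account IDs are constructed, the depth cap is an assumption, and `ENV_VAR`, `SYS_PROP` and `PROFILE` are the connector's names for the first three mechanisms in the list.

```python
import re

ROOT = "aws.credentials.provider"
MAX_DEPTH = 5  # assumed cap so a malformed config cannot nest without bound
ROLE_ARN = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+")
SESSION_NAME = re.compile(r"[\w+=,.@-]{2,64}")  # STS RoleSessionName constraints
BASE_PROVIDERS = {"ENV_VAR", "SYS_PROP", "PROFILE", "BASIC", "AUTO"}

# Constructed sample: the issue's nested layout with made-up account IDs and role names.
SAMPLE = """
aws.credentials.provider: ASSUME_ROLE
aws.credentials.provider.role.arn: arn:aws:iam::111111111111:role/stream-writer
aws.credentials.provider.role.sessionName: my-session-name
aws.credentials.provider.role.provider: ASSUME_ROLE
aws.credentials.provider.role.provider.role.arn: arn:aws:iam::222222222222:role/hop
aws.credentials.provider.role.provider.role.sessionName: my-nested-session-name
aws.credentials.provider.role.provider.role.provider: AUTO
"""

def parse(text):
    """Turn 'key: value' lines into a dict."""
    return dict(l.strip().split(": ", 1) for l in text.strip().splitlines())

def resolve_chain(props, prefix=ROOT, depth=0):
    """Return the provider chain, outermost role first, ending at the base provider."""
    if depth > MAX_DEPTH:
        raise ValueError(f"role chain deeper than {MAX_DEPTH}")
    kind = props.get(prefix)
    if kind != "ASSUME_ROLE":
        if kind not in BASE_PROVIDERS:
            raise ValueError(f"missing or unknown provider at {prefix}: {kind!r}")
        return [{"provider": kind}]
    arn = props.get(f"{prefix}.role.arn", "")
    session = props.get(f"{prefix}.role.sessionName", "")
    if not ROLE_ARN.fullmatch(arn):
        raise ValueError(f"{prefix}.role.arn is not an IAM role ARN")
    if not SESSION_NAME.fullmatch(session):
        raise ValueError(f"{prefix}.role.sessionName is not a valid session name")
    inner = resolve_chain(props, f"{prefix}.role.provider", depth + 1)
    return [{"provider": kind, "arn": arn, "session": session}] + inner

def ignored_role_keys(props):
    """Role settings below the base provider; they would be silently unused."""
    base = ROOT + ".role.provider" * (len(resolve_chain(props)) - 1)
    return sorted(k for k in props if k.startswith(base + ".role."))

if __name__ == "__main__":
    for step in resolve_chain(parse(SAMPLE)):
        print(step)
```

The chain is returned outermost first, so the last element is the provider whose credentials are used for the first AssumeRole call.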