Hey there,

Checking if the Flink Kinesis connector (using version 1.15.2) EFO can do cross-account? My configuration looks like this:

    // Assume the given IAM role for Kinesis access when one is configured
    if (kinesisIamRole != null && !kinesisIamRole.isEmpty()) {
        kinesisConsumerProps.put(AWSConfigConstants.AWS_ROLE_ARN, kinesisIamRole);
        kinesisConsumerProps.put(AWSConfigConstants.AWS_CREDENTIALS_PROVIDER, "ASSUME_ROLE");
        kinesisConsumerProps.put(AWSConfigConstants.AWS_ROLE_SESSION_NAME, "flink-kinesis-kafka-connector-session");
    }

    // Use the enhanced fan-out (EFO) record publisher when a consumer name is set
    if (kinesisUseEfo && kinesisEfoConsumerName != null && !kinesisEfoConsumerName.isBlank()) {
        kinesisConsumerProps.put(ConsumerConfigConstants.RECORD_PUBLISHER_TYPE, ConsumerConfigConstants.RecordPublisherType.EFO.name());
        kinesisConsumerProps.put(ConsumerConfigConstants.EFO_CONSUMER_NAME, kinesisEfoConsumerName);
    }

And from the docs I’m expecting that to just flow through. All the IAM policies and permissions have been set. However, we get the following error (xxx is the AWS account where the Flink job is hosted and not where the Kinesis stream is):

    Caused by: java.util.concurrent.ExecutionException: org.apache.flink.kinesis.shaded.software.amazon.awssdk.services.kinesis.model.KinesisException: User: arn:aws:sts::xxx:assumed-role/flink-flinkkinesiskafkaconnector0d95fc3-role-ap-southeast-2/aws-sdk-java-xxx is not authorized to perform: kinesis:DescribeStreamSummary on resource: arn:aws:kinesis:us-west-2:xxx:stream/dev-logs because no identity-based policy allows the kinesis:DescribeStreamSummary action