Hey there,

Checking if Flink kinesis connector (using 1.15.2 version) EFO can do cross-accounts? My configuration looks like this:

    // Assume the configured IAM role for Kinesis access
    if (kinesisIamRole != null && !kinesisIamRole.isEmpty()) {
        kinesisConsumerProps.put(AWSConfigConstants.AWS_ROLE_ARN, kinesisIamRole);
        kinesisConsumerProps.put(AWSConfigConstants.AWS_CREDENTIALS_PROVIDER, "ASSUME_ROLE");
        kinesisConsumerProps.put(AWSConfigConstants.AWS_ROLE_SESSION_NAME, "flink-kinesis-kafka-connector-session");
    }

    // Use enhanced fan-out (EFO) with the given consumer name
    if (kinesisUseEfo && kinesisEfoConsumerName != null && !kinesisEfoConsumerName.isBlank()) {
        kinesisConsumerProps.put(ConsumerConfigConstants.RECORD_PUBLISHER_TYPE, ConsumerConfigConstants.RecordPublisherType.EFO.name());
        kinesisConsumerProps.put(ConsumerConfigConstants.EFO_CONSUMER_NAME, kinesisEfoConsumerName);
    }

And from the docs I'm expecting that to just flow thru. All the IAM policies and permissions have been set. However, we get the following error (xxx is the AWS account where the Flink job is hosted and not where the kinesis stream is):

    Caused by: java.util.concurrent.ExecutionException: org.apache.flink.kinesis.shaded.software.amazon.awssdk.services.kinesis.model.KinesisException: User: arn:aws:sts::xxx:assumed-role/flink-flinkkinesiskafkaconnector0d95fc3-role-ap-southeast-2/aws-sdk-java-xxx is not authorized to perform: kinesis:DescribeStreamSummary on resource: arn:aws:kinesis:us-west-2:xxx:stream/dev-logs because no identity-based policy allows the kinesis:DescribeStreamSummary action

Cheers, Iris.

--
Iris Grace Endozo, Senior Software Engineer
Mob +61 435 108 697
E iris.end...@gmail.com
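Added example, not part of the original post or of the Flink project: a Python check that parses an access-denied message of the shape quoted above and compares the denied caller and stream ARN with the role and session name the ASSUME_ROLE settings were given. The account ids, the role ARN `kinesis-reader` and the SDK session suffix are constructed placeholders, and the check assumes the role to assume lives in the same account as the stream.

```python
import re

# Shape of the IAM access-denied text quoted in the post.
DENIED = re.compile(
    r"User: (?P<caller>arn:aws:sts::(?P<caller_acct>[^:]+):assumed-role/"
    r"(?P<role>[^/]+)/(?P<session>\S+)) is not authorized to perform: "
    r"(?P<action>[\w:]+) on resource: "
    r"(?P<resource>arn:aws:kinesis:[^:]+:(?P<res_acct>[^:]+):stream/\S+)"
)
# IAM role ARN; an optional path is skipped because assumed-role ARNs omit it.
ROLE_ARN = re.compile(r"arn:aws:iam::([^:]+):role/(?:.*/)?([^/]+)")

def diagnose(message, expected_role_arn, expected_session):
    """Report how the denied caller differs from the configured role and session."""
    m = DENIED.search(message)
    r = ROLE_ARN.fullmatch(expected_role_arn)
    if m is None or r is None:
        raise ValueError("unrecognised message or role ARN")
    expected_acct, expected_role = r.groups()
    findings = []
    if m["session"] != expected_session:
        findings.append("session name differs from AWS_ROLE_SESSION_NAME")
    if (m["caller_acct"], m["role"]) != (expected_acct, expected_role):
        findings.append("caller is not the configured AWS_ROLE_ARN")
    # Assumption: the role to assume is in the account that owns the stream.
    if m["res_acct"] != expected_acct:
        findings.append("stream ARN is not in the configured role's account")
    return {"caller": m["caller"], "action": m["action"],
            "resource": m["resource"], "findings": findings}

# Constructed sample: the post's message with 111111111111 in place of "xxx"
# (the job's account) and a made-up SDK session suffix.
SAMPLE = (
    "User: arn:aws:sts::111111111111:assumed-role/"
    "flink-flinkkinesiskafkaconnector0d95fc3-role-ap-southeast-2/"
    "aws-sdk-java-1700000000000 is not authorized to perform: "
    "kinesis:DescribeStreamSummary on resource: "
    "arn:aws:kinesis:us-west-2:111111111111:stream/dev-logs because no "
    "identity-based policy allows the kinesis:DescribeStreamSummary action"
)
# Constructed placeholder for the value passed as AWS_ROLE_ARN.
EXPECTED_ROLE = "arn:aws:iam::222222222222:role/kinesis-reader"
EXPECTED_SESSION = "flink-kinesis-kafka-connector-session"

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, EXPECTED_ROLE, EXPECTED_SESSION)["findings"]:
        print(finding)
```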