Flink / FLINK-9686

Flink Kinesis Producer: Enable Kinesis authentication via AssumeRole

      Description

      Current situation:

      FlinkKinesisProducer can authenticate with Kinesis by retrieving credentials via one of the following mechanisms:

      • Environment variables
      • System properties
      • An AWS profile
      • Directly provided credentials (BASIC)
      • AWS's own default heuristic (AUTO)

      For streaming across AWS accounts, it is considered good practice to enable access to the remote Kinesis stream via a role, rather than passing credentials for the remote account.

      Proposed change:

      Add a new credentials provider specifying a role ARN, session name, and an additional credentials provider supplying the credentials for assuming the role.

      Config example for assuming role <role-arn> with auto-detected credentials:

      aws.credentials.provider: ASSUME_ROLE
      aws.credentials.provider.role.arn: <role-arn>
      aws.credentials.provider.role.sessionName: my-session-name
      aws.credentials.provider.role.provider: AUTO
      

      ASSUME_ROLE credentials providers can be nested, i.e. it is possible to assume a role which in turn is allowed to assume another role:

      aws.credentials.provider: ASSUME_ROLE
      aws.credentials.provider.role.arn: <role-arn>
      aws.credentials.provider.role.sessionName: my-session-name
      aws.credentials.provider.role.provider: ASSUME_ROLE
      aws.credentials.provider.role.provider.role.arn: <nested-role-arn>
      aws.credentials.provider.role.provider.role.sessionName: my-nested-session-name
      aws.credentials.provider.role.provider.role.provider: AUTO
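
      The nesting rule above can be checked before a job is deployed. The following is an added example, not code from the issue or from Flink: it walks the flat keys proposed here and lists which role is assumed with which credentials. The class name `AssumeRoleChain`, the `resolve` helper and the `MAX_DEPTH` bound are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added illustration, not Flink's implementation: follows the nested
// "aws.credentials.provider[.role.provider]*" keys and returns the chain, outermost role first.
public class AssumeRoleChain {
    static final String ROOT = "aws.credentials.provider";
    static final int MAX_DEPTH = 5; // assumed bound so a bad config cannot nest without limit

    static List<String> resolve(Properties cfg) {
        List<String> chain = new ArrayList<>();
        String prefix = ROOT;
        for (int depth = 0; depth <= MAX_DEPTH; depth++) {
            String type = cfg.getProperty(prefix);
            if (type == null) {
                throw new IllegalArgumentException("no provider configured under " + prefix);
            }
            if (!type.equals("ASSUME_ROLE")) {
                chain.add("base credentials: " + type); // e.g. AUTO, BASIC
                return chain;
            }
            String arn = cfg.getProperty(prefix + ".role.arn");
            String session = cfg.getProperty(prefix + ".role.sessionName");
            if (arn == null || session == null) {
                throw new IllegalArgumentException("incomplete ASSUME_ROLE config under " + prefix);
            }
            chain.add("assume " + arn + " as session " + session);
            prefix = prefix + ".role.provider"; // provider whose credentials assume this role
        }
        throw new IllegalArgumentException("ASSUME_ROLE nesting deeper than " + MAX_DEPTH);
    }

    public static void main(String[] args) {
        Properties cfg = new Properties(); // constructed sample mirroring the nested config above
        cfg.setProperty("aws.credentials.provider", "ASSUME_ROLE");
        cfg.setProperty("aws.credentials.provider.role.arn", "<role-arn>");
        cfg.setProperty("aws.credentials.provider.role.sessionName", "my-session-name");
        cfg.setProperty("aws.credentials.provider.role.provider", "ASSUME_ROLE");
        cfg.setProperty("aws.credentials.provider.role.provider.role.arn", "<nested-role-arn>");
        cfg.setProperty("aws.credentials.provider.role.provider.role.sessionName", "my-nested-session-name");
        cfg.setProperty("aws.credentials.provider.role.provider.role.provider", "AUTO");
        // Print innermost first: that is the order in which credentials are obtained.
        List<String> chain = resolve(cfg);
        for (int i = chain.size() - 1; i >= 0; i--) System.out.println(chain.get(i));
    }
}
```

      For the nested sample, the output starts with the AUTO base credentials, then `<nested-role-arn>`, and ends with `<role-arn>`, the role whose temporary credentials are used against the Kinesis stream.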
      

              People

              • Assignee:
                fmthoma Franz Thoma
                Reporter:
                fmthoma Franz Thoma