Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-15620 Über-jira: S3A phase VI: Hadoop 3.3 features
  3. HADOOP-15672

add s3guard CLI command to generate session keys for an assumed role

    XMLWordPrintableJSON

    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 3.2.0
    • Fix Version/s: 3.3.0
    • Component/s: fs/s3
    • Labels:
      None

      Description

      the aws cli get-session-token can generate the keys for short-lived session.

      I'd like something similar in an s3guard command, e.g. "create-role-keys", which would take the existing (full) credentials and optionally:

      • ARN of role to adopt
      • duration
      • name
      • restrictions as path to a JSON file or just stdin
      • output format
      • whether to use a per-bucket binding for the credentials in the property names generated
      • MFA secrets

      output formats

      • A JCEKS file (with chosen passwd? For better hive use: append/replace entries in existing file); saved through the hadoop FS APIs to HDFS, file:// or elsewhere
      • hadoop config XML
      • spark properties

      The goal here is to have a workflow where you can generate role credentials to use for a limited time, store them in a JCEKS file and then share them in your jobs. This can be for: Jenkins, Oozie, build files, ..

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                stevel@apache.org Steve Loughran
                Reporter:
                stevel@apache.org Steve Loughran
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: