Support STSAssumeRoleWithWebIdentitySessionCredentialsProvider?

[ipl31]

Hello,

Python 3.7.8, amazon-kclpy verion 2.0.6

Use case is a Kinesis consumer running in EKS, with a service account IAM role providing a web identity token to the pod. The consumer pod needs to assume a role in a different AWS account.

I attempted to use STSAssumeRoleWithWebIdentitySessionCredentialsProvider in my properties file as such:

AWSCredentialsProvider = STSAssumeRoleWithWebIdentitySessionCredentialsProvider|arn:aws-us-gov:iam::123456789:role/my_role|my_session|/var/run/secrets/eks.amazonaws.com/serviceaccount/token

I could not find any docs indicating if this work or if it is supported. Guessed the arguments by looking at the Java SDK source code.

It fails with this exceptions and stack trace:

java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
	at software.amazon.kinesis.multilang.config.KinesisClientLibConfigurator.lambda$getConfiguration$0(KinesisClientLibConfigurator.java:67)
	at java.base/java.lang.Iterable.forEach(Iterable.java:75)
	at java.base/java.util.Collections$SynchronizedCollection.forEach(Collections.java:2067)
	at software.amazon.kinesis.multilang.config.KinesisClientLibConfigurator.getConfiguration(KinesisClientLibConfigurator.java:63)
	at software.amazon.kinesis.multilang.MultiLangDaemonConfig.<init>(MultiLangDaemonConfig.java:108)
	at software.amazon.kinesis.multilang.MultiLangDaemonConfig.<init>(MultiLangDaemonConfig.java:81)
	at software.amazon.kinesis.multilang.MultiLangDaemonConfig.<init>(MultiLangDaemonConfig.java:65)
	at software.amazon.kinesis.multilang.MultiLangDaemon.buildMultiLangDaemonConfig(MultiLangDaemon.java:171)
	at software.amazon.kinesis.multilang.MultiLangDaemon.main(MultiLangDaemon.java:220)
Caused by: java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.apache.commons.beanutils.PropertyUtilsBean.invokeMethod(PropertyUtilsBean.java:2128)
	at org.apache.commons.beanutils.PropertyUtilsBean.setSimpleProperty(PropertyUtilsBean.java:2109)
	at org.apache.commons.beanutils.PropertyUtilsBean.setNestedProperty(PropertyUtilsBean.java:1915)
	at org.apache.commons.beanutils.PropertyUtilsBean.setProperty(PropertyUtilsBean.java:2022)
	at org.apache.commons.beanutils.BeanUtilsBean.setProperty(BeanUtilsBean.java:1018)
	at software.amazon.kinesis.multilang.config.KinesisClientLibConfigurator.lambda$getConfiguration$0(KinesisClientLibConfigurator.java:65)
	... 8 more
Caused by: java.lang.IllegalArgumentException: No credential providers specified
	at com.amazonaws.auth.AWSCredentialsProviderChain.<init>(AWSCredentialsProviderChain.java:59)
	at software.amazon.kinesis.multilang.config.AWSCredentialsProviderPropertyValueDecoder.decodeValue(AWSCredentialsProviderPropertyValueDecoder.java:57)
	at software.amazon.kinesis.multilang.config.MultiLangDaemonConfiguration.lambda$new$0(MultiLangDaemonConfiguration.java:249)
	at software.amazon.kinesis.multilang.config.BuilderDynaBean.set(BuilderDynaBean.java:258)
	at software.amazon.kinesis.multilang.config.MultiLangDaemonConfiguration.setAWSCredentialsProvider(MultiLangDaemonConfiguration.java:176)
	... 18 more
java.lang.reflect.InvocationTargetException

Is it supported? If so how do I properly configure it?

[jlane67]

It looks like the existing import of the Java SDK's auth module is sufficient to pull this in with a sufficiently new SDK release, so it may be as simple as updating the target SDK version.

https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-sts/src/main/java/com/amazonaws/auth/STSAssumeRoleWithWebIdentitySessionCredentialsProvider.java