hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13389) TestS3ATemporaryCredentials.testSTS error
Date Wed, 20 Jul 2016 04:59:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15385333#comment-15385333

Chris Nauroth commented on HADOOP-13389:

[~slider], thank you for the further details.  I think I understand now.  It sounds like you
are trying to run the S3A test suite without an AWS access key ID and secret access key, instead
relying on instance profile credentials provided in an EC2 VM.

The simplest immediate workaround for you is likely to set the following in your auth-keys.xml


However, I also agree that if the instance profile credentials are never suitable for this
test case, then we would do well to remove {{InstanceProfileCredentialsProvider}} from the
test and add explicit detection to {{skip}} if there is no access key ID and secret access
key.  {{S3AUtils#getAWSAccessKeys}} and {{S3xLoginHelper}} class are likely to be helpful
for that logic.

> TestS3ATemporaryCredentials.testSTS error
> -----------------------------------------
>                 Key: HADOOP-13389
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13389
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/s3
>            Reporter: Steven K. Wong
> {{org.apache.hadoop.fs.s3a.TestS3ATemporaryCredentials.testSTS}} throws a 403 AccessDenied
when run without any AWS credentials (access key and secret key) in the config.
> {noformat}
> com.amazonaws.AmazonServiceException: Cannot call GetSessionToken with session credentials
(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID:
> 	at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1182)
> 	at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:770)
> 	at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:489)
> 	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:310)
> 	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1106)
> 	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.getSessionToken(AWSSecurityTokenServiceClient.java:355)
> 	at org.apache.hadoop.fs.s3a.TestS3ATemporaryCredentials.testSTS(TestS3ATemporaryCredentials.java:105)
> {noformat}
> It fails because the InstanceProfileCredentialsProvider in the credentials chain (on
line 91) is used, but an instance profile always provides a temporary credential and GetSessionToken
requires a long-term (not temporary) credential.
> Suggestion on how to fix this test case?

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message