S3SinkConnector sts.role.arn not being honored

Hi there,

We have the S3SinkConnector installed in our Confluent Kafka Connect Docker image and while using the AWS secret keys it’s working, we are not able to make it work using IAM roles.

Our Confluent Kafka platform is running on EKS and is deployed by using Confluent Helm charts.

We create our connector with these parameters:

"s3.credentials.provider.class": "io.confluent.connect.s3.auth.AwsAssumeRoleCredentialsProvider",
"s3.credentials.provider.sts.role.arn": "arn:aws:iam::XXXXXXXXX:role/kafka-connect-s3-sink",
"s3.credentials.provider.sts.role.session.name": "test",
"s3.credentials.provider.sts.role.external.id": "test",

When the task starts running we get this error:

Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::XXXXXXXX:assumed-role/EKS_stg_workers/i-xxxxxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXX:role/kafka-connect-s3-sink

This is because the task is not using the role we are configuring and instead is using the one from the EKS node where the Kafka Connect container is running.

Seems like the parameter for setting the sts.role.arn is not being honored. Any ideas?

Thanks 🙂

2 Likes
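
Added example, not part of the original post and not Confluent's code: in an STS denial like the one quoted above, "User" is the principal that called sts:AssumeRole and "resource" is the role it tried to assume. The sketch below parses that message and builds the trust-policy statement the target role would need for that caller, assuming the external ID "test" from the post's config; the account ID and instance ID in the sample are constructed placeholders.

```python
import json
import re

# Constructed sample modelled on the error in the post; the account id and
# instance id are placeholders, not values from the page.
SAMPLE_ERROR = (
    "User: arn:aws:sts::111122223333:assumed-role/EKS_stg_workers/"
    "i-0123456789abcdef0 is not authorized to perform: sts:AssumeRole "
    "on resource: arn:aws:iam::111122223333:role/kafka-connect-s3-sink"
)
DENIED = re.compile(
    r"User: (?P<caller>arn:aws:\S+) is not authorized to perform: "
    r"sts:AssumeRole on resource: (?P<target>arn:aws:iam::\d{12}:role/\S+)"
)
SESSION = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")

def parse_denial(message):
    """Return (calling principal, target role) from an AssumeRole denial."""
    m = DENIED.search(message)
    if not m:
        raise ValueError("not an sts:AssumeRole authorization error")
    return m.group("caller"), m.group("target")

def caller_role_arn(caller):
    """Map an assumed-role session ARN to the IAM role behind it.
    The session ARN omits any role path, so a role created with a path
    must be looked up by name instead."""
    m = SESSION.match(caller)
    if not m:
        return caller  # IAM user or other principal: use unchanged
    account, role, _session = m.groups()
    return f"arn:aws:iam::{account}:role/{role}"

def trust_statement(principal_arn, external_id):
    """Trust-policy statement that lets principal_arn assume the role."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }

def diagnose(message, external_id):
    """Summarise who called STS, which role was requested, and the fix."""
    caller, target = parse_denial(message)
    role = caller_role_arn(caller)
    return {"caller_role": role, "target_role": target,
            "trust_statement": trust_statement(role, external_id)}

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ERROR, "test"), indent=2))
```

When caller and target are in the same account, a trust statement naming the caller role is sufficient; across accounts the caller role also needs an identity policy allowing sts:AssumeRole on the target role.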
