We have the S3SinkConnector installed in our Confluent Kafka Connect Docker image and while using the AWS secret keys it’s working, we are not able to make it work using IAM roles.
Our Confluent Kafka platform is running on EKS and is deployed by using Confluent Helm charts.
We create our connector with these parameters:
    "s3.credentials.provider.class": "io.confluent.connect.s3.auth.AwsAssumeRoleCredentialsProvider",
    "s3.credentials.provider.sts.role.arn": "arn:aws:iam::XXXXXXXXX:role/kafka-connect-s3-sink",
    "s3.credentials.provider.sts.role.session.name": "test",
    "s3.credentials.provider.sts.role.external.id": "test",
When the task starts running we get this error:
Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::XXXXXXXX:assumed-role/EKS_stg_workers/i-xxxxxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXX:role/kafka-connect-s3-sink
This is because the task is not using the role we are configuring and instead is using the one from the EKS node where the Kafka connect container is running.
Seems like the parameter for setting the sts.role.arn is not being honored. Any ideas?
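
An added example, not part of the original post: the STS error message names the principal that called sts:AssumeRole and the role it targeted, so it can be split into those parts and the caller checked against the target role's trust policy. The account id, instance id and trust policy below are constructed assumptions, and the helper names are hypothetical.

```python
import re

# Constructed sample: same shape as the error in the post, placeholder account/instance ids.
ERROR = ("User: arn:aws:sts::111122223333:assumed-role/EKS_stg_workers/i-0123456789abcdef0 "
         "is not authorized to perform: sts:AssumeRole on resource: "
         "arn:aws:iam::111122223333:role/kafka-connect-s3-sink")

# Hypothetical trust policy for the target role (an assumption, not from the post).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/EKS_stg_workers"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "test"}}}]}

def parse_denial(msg):
    """Split an STS access-denied message into caller, action and target resource."""
    m = re.search(r"User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)", msg)
    if not m:
        raise ValueError("not an access-denied message")
    return {"caller": m.group(1), "action": m.group(2), "resource": m.group(3)}

def session_to_role_arn(arn):
    """Map an assumed-role session ARN to the IAM role ARN (role paths are ignored)."""
    m = re.fullmatch(r"arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/.+", arn)
    if not m:
        return arn  # already a user or role ARN
    return f"arn:{m.group(1)}:iam::{m.group(2)}:role/{m.group(3)}"

def as_list(value):
    return value if isinstance(value, list) else [value]

def trust_allows(policy, caller_role_arn, external_id=None):
    """True if a trust-policy statement lets caller_role_arn call sts:AssumeRole.
    Matches only an exact role ARN, the account root ARN or a bare account id."""
    _, partition, _, _, account = caller_role_arn.split(":")[:5]
    accepted = {caller_role_arn, f"arn:{partition}:iam::{account}:root", account}
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if not accepted & set(aws):
            continue
        wanted = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is None or external_id in as_list(wanted):
            return True
    return False
```

The caller's own identity-based policy may also need to allow sts:AssumeRole on the target role; this example only inspects the trust policy.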