AWSCredentialsProviderControllerService

Description

Defines credentials for Amazon Web Services processors. Uses default credentials without configuration. Default credentials support EC2 instance profile/role, default user profile, environment variables, etc. Additional options include access key / secret key pairs, credentials file, named profile, and assume role credentials.

Tags

aws, credentials, provider

Properties

In the list below required Properties are shown with an asterisk (*). Other properties are considered optional. The table also indicates any default values, and whether a property supports the NiFi Expression Language.

Display Name

API Name

Default Value

Allowable Values

Description

Access Key ID

Access Key

Assume Role ARN

Assume Role ARN

The AWS Role ARN for cross account access. This is used in conjunction with Assume Role Session Name and other Assume Role properties.

Assume Role Session Name *

Assume Role Session Name

The AWS Role Session Name for cross account access. This is used in conjunction with Assume Role ARN.

Credentials File

Credentials File

Path to a file containing AWS access key and secret key in properties file format.

Secret Access Key

Secret Key

Assume Role Session Time

Session Time

3600

Session time for role based session (between 900 and 3600 seconds). This is used in conjunction with Assume Role ARN.

Use Anonymous Credentials

anonymous-credentials

false

  • true

  • false

If true, uses Anonymous credentials

Assume Role External ID

assume-role-external-id

External ID for cross-account access. This is used in conjunction with Assume Role ARN.

Assume Role Proxy Configuration Service

assume-role-proxy-configuration-service

Proxy configuration for cross-account access, if needed within your environment. This will configure a proxy to request for temporary access keys into another AWS account.

Assume Role SSL Context Service

assume-role-ssl-context-service

SSL Context Service used when connecting to the STS Endpoint.

Assume Role STS Endpoint Override

assume-role-sts-endpoint

The default AWS Security Token Service (STS) endpoint (“sts.amazonaws.com”) works for all accounts that are not for China (Beijing) region or GovCloud. You only need to set this property to “sts.cn-north-1.amazonaws.com.cn” when you are requesting session credentials for services in China(Beijing) region or to “sts.us-gov-west-1.amazonaws.com” for GovCloud.

Assume Role STS Region

assume-role-sts-region

us-west-2

  • Asia Pacific (Hyderabad)

  • Asia Pacific (Mumbai)

  • Europe (Milan)

  • Europe (Spain)

  • AWS GovCloud (US-East)

  • Middle East (UAE)

  • Israel (Tel Aviv)

  • US ISOF SOUTH

  • Canada (Central)

  • Mexico (Central)

  • Europe (Frankfurt)

  • US ISO WEST

  • Europe (Zurich)

  • EU ISOE West

  • US West (N. California)

  • US West (Oregon)

  • Africa (Cape Town)

  • Europe (Stockholm)

  • Europe (Paris)

  • Europe (London)

  • Europe (Ireland)

  • Asia Pacific (Osaka)

  • Asia Pacific (Seoul)

  • Asia Pacific (Tokyo)

  • Middle East (Bahrain)

  • South America (Sao Paulo)

  • Asia Pacific (Hong Kong)

  • China (Beijing)

  • Canada West (Calgary)

  • AWS GovCloud (US-West)

  • Asia Pacific (Singapore)

  • Asia Pacific (Sydney)

  • US ISO East

  • Asia Pacific (Jakarta)

  • Asia Pacific (Melbourne)

  • Asia Pacific (Malaysia)

  • US East (N. Virginia)

  • US East (Ohio)

  • Asia Pacific (Thailand)

  • China (Ningxia)

  • US ISOB East (Ohio)

  • US ISOF EAST

The AWS Security Token Service (STS) region

Assume Role STS Signer Override

assume-role-sts-signer-override

Default Signature

  • Default Signature

  • Signature Version 4

  • Custom Signature

The AWS STS library uses Signature Version 4 by default. This property allows you to plug in your own custom signer implementation.

Custom Signer Class Name *

custom-signer-class-name

Fully qualified class name of the custom signer class. The signer must implement com.amazonaws.auth.Signer interface.

Custom Signer Module Location

custom-signer-module-location

Comma-separated list of paths to files and/or directories which contain the custom signer’s JAR file and its dependencies (if any).

Use Default Credentials

default-credentials

false

  • true

  • false

If true, uses the Default Credential chain, including EC2 instance profiles or roles, environment variables, default user credentials, etc.

Profile Name

profile-name

The AWS profile name for credentials from the profile configuration file.

State management

This component does not store state.

Restricted

Restrictions

Required Permission

Explanation

access environment credentials

The default configuration can read environment variables and system properties for credentials

System Resource Considerations

This component does not specify system resource considerations.

Language: English