AWSCredentialsProviderControllerService

Description:

Defines credentials for Amazon Web Services processors. Uses default credentials without configuration. Default credentials support EC2 instance profile/role, default user profile, environment variables, etc. Additional options include access key / secret key pairs, credentials file, named profile, and assume role credentials.

Tags:

aws, credentials, provider

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values, and whether a property supports the NiFi Expression Language.

Display NameAPI NameDefault ValueAllowable ValuesDescription
Use Default Credentialsdefault-credentialsfalse
  • true
  • false
If true, uses the Default Credential chain, including EC2 instance profiles or roles, environment variables, default user credentials, etc.
Access Key IDAccess KeyNo Description Provided.
Sensitive Property: true
Supports Expression Language: true (will be evaluated using variable registry only)
Secret Access KeySecret KeyNo Description Provided.
Sensitive Property: true
Supports Expression Language: true (will be evaluated using variable registry only)
Credentials FileCredentials FilePath to a file containing AWS access key and secret key in properties file format.

This property requires exactly one file to be provided..
Profile Nameprofile-nameThe AWS profile name for credentials from the profile configuration file.
Supports Expression Language: true (will be evaluated using variable registry only)
Use Anonymous Credentialsanonymous-credentialsfalse
  • true
  • false
If true, uses Anonymous credentials
Assume Role ARNAssume Role ARNThe AWS Role ARN for cross account access. This is used in conjunction with Assume Role Session Name and other Assume Role properties.
Assume Role Session NameAssume Role Session NameThe AWS Role Session Name for cross account access. This is used in conjunction with Assume Role ARN.

This Property is only considered if the [Assume Role ARN] Property has a value specified.
Assume Role Session TimeSession Time3600Session time for role based session (between 900 and 3600 seconds). This is used in conjunction with Assume Role ARN.

This Property is only considered if the [Assume Role ARN] Property has a value specified.
Assume Role External IDassume-role-external-idExternal ID for cross-account access. This is used in conjunction with Assume Role ARN.

This Property is only considered if the [Assume Role ARN] Property has a value specified.
Assume Role SSL Context Serviceassume-role-ssl-context-serviceController Service API:
SSLContextService
Implementations: StandardRestrictedSSLContextService
StandardSSLContextService
SSL Context Service used when connecting to the STS Endpoint.

This Property is only considered if the [Assume Role ARN] Property has a value specified.
Assume Role Proxy Hostassume-role-proxy-hostProxy host for cross-account access, if needed within your environment. This will configure a proxy to request for temporary access keys into another AWS account.

This Property is only considered if the [Assume Role ARN] Property has a value specified.
Assume Role Proxy Portassume-role-proxy-portProxy port for cross-account access, if needed within your environment. This will configure a proxy to request for temporary access keys into another AWS account.

This Property is only considered if the [Assume Role ARN] Property has a value specified.
Assume Role STS Regionassume-role-sts-regionUS West (Oregon)
  • Asia Pacific (Hyderabad) AWS Region Code : ap-south-2
  • Asia Pacific (Mumbai) AWS Region Code : ap-south-1
  • Europe (Milan) AWS Region Code : eu-south-1
  • Europe (Spain) AWS Region Code : eu-south-2
  • AWS GovCloud (US-East) AWS Region Code : us-gov-east-1
  • Middle East (UAE) AWS Region Code : me-central-1
  • Canada (Central) AWS Region Code : ca-central-1
  • Europe (Frankfurt) AWS Region Code : eu-central-1
  • US ISO WEST AWS Region Code : us-iso-west-1
  • Europe (Zurich) AWS Region Code : eu-central-2
  • US West (N. California) AWS Region Code : us-west-1
  • US West (Oregon) AWS Region Code : us-west-2
  • Africa (Cape Town) AWS Region Code : af-south-1
  • Europe (Stockholm) AWS Region Code : eu-north-1
  • Europe (Paris) AWS Region Code : eu-west-3
  • Europe (London) AWS Region Code : eu-west-2
  • Europe (Ireland) AWS Region Code : eu-west-1
  • Asia Pacific (Osaka) AWS Region Code : ap-northeast-3
  • Asia Pacific (Seoul) AWS Region Code : ap-northeast-2
  • Asia Pacific (Tokyo) AWS Region Code : ap-northeast-1
  • Middle East (Bahrain) AWS Region Code : me-south-1
  • South America (Sao Paulo) AWS Region Code : sa-east-1
  • Asia Pacific (Hong Kong) AWS Region Code : ap-east-1
  • China (Beijing) AWS Region Code : cn-north-1
  • AWS GovCloud (US-West) AWS Region Code : us-gov-west-1
  • Asia Pacific (Singapore) AWS Region Code : ap-southeast-1
  • Asia Pacific (Sydney) AWS Region Code : ap-southeast-2
  • US ISO East AWS Region Code : us-iso-east-1
  • Asia Pacific (Jakarta) AWS Region Code : ap-southeast-3
  • Asia Pacific (Melbourne) AWS Region Code : ap-southeast-4
  • US East (N. Virginia) AWS Region Code : us-east-1
  • US East (Ohio) AWS Region Code : us-east-2
  • China (Ningxia) AWS Region Code : cn-northwest-1
  • US ISOB East (Ohio) AWS Region Code : us-isob-east-1
The AWS Security Token Service (STS) region

This Property is only considered if the [Assume Role ARN] Property has a value specified.
Assume Role STS Endpoint Overrideassume-role-sts-endpointThe default AWS Security Token Service (STS) endpoint ("sts.amazonaws.com") works for all accounts that are not for China (Beijing) region or GovCloud. You only need to set this property to "sts.cn-north-1.amazonaws.com.cn" when you are requesting session credentials for services in China(Beijing) region or to "sts.us-gov-west-1.amazonaws.com" for GovCloud.

This Property is only considered if the [Assume Role ARN] Property has a value specified.
Assume Role STS Signer Overrideassume-role-sts-signer-overrideDefault Signature
  • Default Signature
  • Signature Version 4
  • Custom Signature
The AWS STS library uses Signature Version 4 by default. This property allows you to plug in your own custom signer implementation.

This Property is only considered if the [Assume Role ARN] Property has a value specified.
Custom Signer Class Namecustom-signer-class-nameFully qualified class name of the custom signer class. The signer must implement com.amazonaws.auth.Signer interface.
Supports Expression Language: true (will be evaluated using variable registry only)

This Property is only considered if the [Assume Role STS Signer Override] Property has a value of "Custom Signature".
Custom Signer Module Locationcustom-signer-module-locationComma-separated list of paths to files and/or directories which contain the custom signer's JAR file and its dependencies (if any).

This property expects a comma-separated list of resources. Each of the resources may be of any of the following types: directory, file.

Supports Expression Language: true (will be evaluated using variable registry only)

This Property is only considered if the [Assume Role STS Signer Override] Property has a value of "Custom Signature".

State management:

This component does not store state.

Restricted:

Required PermissionExplanation
access environment credentialsThe default configuration can read environment variables and system properties for credentials

System Resource Considerations:

None specified.