Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
the_etl_guy
Contributor
Contributor
‎2023-09-05 08:33 PM

Talend tS3Connection failure when using Role ARN

Hi All, we have been asked to use Role ARN instead of access/secret keys to connect to a S3 bucket on a different VPC.

We have added this Role ARN to the AWS config file on server and are able to access the bucket using CLI with --profile . It's just through the Talend job that it aint working. Target exec is set to that server.

0695b00000nSzyTAAS.png 

However, I am getting below error when trying to connect.

We are using Talend 7.2.1

Patch: Patch_20210129_TPS-4616_v1-7.2.1

Could I please get some help here? Thanks!

[FATAL]: di.s3_test_0_1.s3_test - tS3Connection_1 The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: 51c11add-b455-4837-b5e6-45862665a0)

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: 51c11add-b455-4837-b5e6-45862665a0)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1658)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1322)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1072)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:745)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:719)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:701)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:669)

at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:651)

at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:515)

at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1369)

at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1338)

at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1327)

at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:488)

at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:460)

at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.newSession(STSAssumeRoleSessionCredentialsProvider.java:321)

at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.access$000(STSAssumeRoleSessionCredentialsProvider.java:37)

at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider$1.call(STSAssumeRoleSessionCredentialsProvider.java:76)

at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider$1.call(STSAssumeRoleSessionCredentialsProvider.java:73)

at com.amazonaws.auth.RefreshableTask.refreshValue(RefreshableTask.java:257)

at com.amazonaws.auth.RefreshableTask.blockingRefresh(RefreshableTask.java:213)

at com.amazonaws.auth.RefreshableTask.getValue(RefreshableTask.java:154)

at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.getCredentials(STSAssumeRoleSessionCredentialsProvider.java:299)

at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.getCredentials(STSAssumeRoleSessionCredentialsProvider.java:36)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1184)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:774)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:726)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:719)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:701)

at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:669)

at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:651)

at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:515)

at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4443)

at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4390)

at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4384)

at com.amazonaws.services.s3.AmazonS3Client.getS3AccountOwner(AmazonS3Client.java:932)

at com.amazonaws.services.s3.AmazonS3Client.getS3AccountOwner(AmazonS3Client.java:922)

at di.s3_test_0_1.s3_test.tS3Connection_1Process(s3_test.java:467)

at di.s3_test_0_1.s3_test.runJobInTOS(s3_test.java:1581)

at di.s3_test_0_1.s3_test.main(s3_test.java:1367)q

Labels (3)
Labels
359 Views
0 Likes
2 Replies
Kianbruce
Contributor
Contributor
‎2023-09-06 05:32 AM

IAM Role Permissions: Ensure the IAM role associated with the ARN has the necessary permissions for the S3 actions you are trying to perform. Trust Relationship: Check the trust relationship of the IAM role to ensure the entity (like an EC2 instance) assuming the role is trusted. Correct ARN Format: Ensure you're using the correct ARN format and you've entered it correctly in the Talend component. SDK Version: Ensure that your Talend platform is using a version of the AWS SDK that supports assuming roles via ARN. Connection Configuration: Make sure all other connection parameters (like region, endpoint, etc.) are correctly set in the tS3Connection component. TellTims

TellTims
359 Views
0 Likes
the_etl_guy
Contributor
Contributor
‎2023-09-06 10:02 PM
Author

Thanks, getting a bit different error now.....its about having word "profile" in profile name.

 

Would appreciate any clue here. Thanks!

 

[WARN ]: com.amazonaws.auth.profile.internal.BasicProfileConfigLoader - Your profile name includes a 'profile ' prefix. This is considered part of the profile name in the Java SDK, so you will need to include this prefix in your profile name when you reference this profile from your Java code.

[FATAL]: di.s3_test_0_1.s3_test - tS3Connection_1 The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: e007ec14-8367-4609-8699-5723cec7d8)

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: e007ec14-8367-4609-8699-5723cec7d8)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1658)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1322)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1072)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:745)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:719)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:701)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:669)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:651)

    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:515)

    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1369)

    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1338)

    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1327)

    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:488)

    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:460)

    at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.newSession(STSAssumeRoleSessionCredentialsProvider.java:321)

    at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.access$000(STSAssumeRoleSessionCredentialsProvider.java:37)

    at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider$1.call(STSAssumeRoleSessionCredentialsProvider.java:76)

    at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider$1.call(STSAssumeRoleSessionCredentialsProvider.java:73)

    at com.amazonaws.auth.RefreshableTask.refreshValue(RefreshableTask.java:257)

    at com.amazonaws.auth.RefreshableTask.blockingRefresh(RefreshableTask.java:213)

    at com.amazonaws.auth.RefreshableTask.getValue(RefreshableTask.java:154)

    at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.getCredentials(STSAssumeRoleSessionCredentialsProvider.java:299)

    at com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider.getCredentials(STSAssumeRoleSessionCredentialsProvider.java:36)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1184)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:774)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:726)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:719)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:701)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:669)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:651)

    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:515)

    at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4443)

    at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4390)

    at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4384)

    at com.amazonaws.services.s3.AmazonS3Client.getS3AccountOwner(AmazonS3Client.java:932)

    at com.amazonaws.services.s3.AmazonS3Client.getS3AccountOwner(AmazonS3Client.java:922)

    at di.s3_test_0_1.s3_test.tS3Connection_1Process(s3_test.java:466)

    at di.s3_test_0_1.s3_test.runJobInTOS(s3_test.java:1580)

    at di.s3_test_0_1.s3_test.main(s3_test.java:1366)

Exception in component tS3Connection_1 (s3_test)

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: e007ec14-8367-4609-8699-5723cec7d8)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1658)

    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1322)

 

359 Views
0 Likes