Apache Pinot

Hi, I have created an EKS cluster in account A and would like to access kinesis data streams in different accounts. I am successful in passing the temporary credentials and accessing the cross account resource. However, is there any simpler way to manage accessing cross account streams without updating the env variables everytime?

<@U0404H3NMPX> can you clarify what env variables you are seeing up? You can typically setup credentials in the table config directly (although unsafe in production envt).

Hi <@U02QL7TCLUR>,

The recommendation is to use temporary credentials that are obtained using STS which has `AWS_ACCESS_KEY_ID` , `AWS_SECRET_ACCESS_KEY`  and `AWS_SESSION_TOKEN` . So, instead of hardcoding these in the table config, I created a table by passing above values as environmental variables in the pod and making them available in Broker, Server, controller and Minion.

However, in real cases, we might be dealing with multiple AWS accounts/roles and credentials associated with them. So, overwriting these credentials every time while creating the table might not be a good idea.

Is there any way how I can access cross account streams without passing the credentials in all pinot components, but just within pod?

I just found role based access for Pinot in the source code, that helped my use case. Thank you!
<https://github.com/apache/pinot/blob/master/pinot-plugins/pinot-stream-ingestion/pinot-kinesis/src/main/java/org/apache/pinot/plugin/stream/kinesis/KinesisConfig.java|https://github.com/apache/pinot/blob/master/pinot-plugins/pinot-stream-ingestion/p[…]/java/org/apache/pinot/plugin/stream/kinesis/KinesisConfig.java>

Yep. Role based access can simplify the credentials propagation for you. Glad you figured it out :+1: