Consider the following guidelines when you use the temporary security credentials:
• The IAM user or IAM role that requests the temporary security credentials must not have access to any AWS resources.
• Only authenticated IAM users or IAM roles can request temporary security credentials from the AWS Security Token Service (AWS STS).
• Before you run a task, ensure that the temporary security credentials remain valid long enough for the task to complete. You cannot extend the duration of the temporary security credentials for an ongoing task. For example, if the temporary security credentials expire while you read from Amazon S3 V2, you cannot extend their duration, and the task fails.
• After the temporary security credentials expire, AWS does not authorize the IAM users or IAM roles to access the resources using those credentials. In a mapping, you must request new temporary security credentials before the previous temporary security credentials expire.
• Do not use the root user credentials of an AWS account to use the temporary security credentials. You must use the credentials of an IAM user to use the temporary security credentials.
• Whether you can use temporary security credentials to read data from a complex file, such as an Avro, ORC, or Parquet file, depends on the Hadoop distribution in your environment. However, Amazon S3 V2 Connector does not require a Hadoop distribution to read data from a flat file using the temporary security credentials.
• In a mapping, if you configure two or more Amazon S3 data sources for the same Amazon S3 bucket with different IAM roles, either of the IAM roles must be able to access the other data source as well.
• In a mapping, if you configure one Amazon S3 data source with user credentials and the other Amazon S3 data source with an IAM role, consider the following rules:
  - The user credentials for the first data source must also be able to assume the IAM role of the second Amazon S3 data source.
  - The IAM role that you configured for the second data source must also have access to the first Amazon S3 data source.
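
A pre-flight check for the guideline above about having enough time before you run a task, as an added example that is not part of Amazon S3 V2 Connector or its documentation. It reads the `Expiration` field of an AWS STS response and allows a task to start only if its estimated run time plus a safety margin fits before expiry. The function names, the `margin` default, and the sample response are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an AWS STS AssumeRole response.
# All values are placeholders, not real credentials.
SAMPLE_STS_RESPONSE = """
{
  "Credentials": {
    "AccessKeyId": "ASIA-PLACEHOLDER",
    "SecretAccessKey": "PLACEHOLDER",
    "SessionToken": "PLACEHOLDER",
    "Expiration": "2024-05-01T13:00:00Z"
  }
}
"""


def parse_expiration(sts_response_json):
    """Return the credential expiry as a timezone-aware UTC datetime."""
    raw = json.loads(sts_response_json)["Credentials"]["Expiration"]
    # Accept both "Z" and "+00:00" suffixes for UTC timestamps.
    expiry = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if expiry.tzinfo is None:
        raise ValueError("Expiration has no timezone; refusing to guess")
    return expiry.astimezone(timezone.utc)


def check_credential_window(sts_response_json, estimated_task, now,
                            margin=timedelta(minutes=5)):
    """Decide whether a task fits inside the remaining credential lifetime.

    Returns (ok, remaining). The task may start only when estimated_task plus
    margin fits before expiry, because the lifetime cannot be extended once
    the task is running.
    """
    remaining = parse_expiration(sts_response_json) - now
    if remaining <= timedelta(0):
        return False, timedelta(0)  # already expired: request new credentials
    return remaining >= estimated_task + margin, remaining


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    for minutes in (30, 58):
        ok, left = check_credential_window(
            SAMPLE_STS_RESPONSE, timedelta(minutes=minutes), now)
        print(f"task={minutes}min remaining={left} start={'yes' if ok else 'no'}")
```

When the check returns `False`, request new temporary security credentials before starting the task rather than relying on the current ones.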