You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We noticed while using the opensearch plugin that when STS credentials are created using similar logic as this plugin, a session duration isn't specified, and so despite a much longer maximum session duration on the role itself, they default to 1 hour, which overwhelms the IAM role assumption role throttling built into AWS ES when using a large number of assume role calls on a domain.
...
Problem
We noticed while using the opensearch plugin that when STS credentials are created using similar logic as this plugin, a session duration isn't specified, and so despite a much longer maximum session duration on the role itself, they default to 1 hour, which overwhelms the IAM role assumption role throttling built into AWS ES when using a large number of assume role calls on a domain.
...
Steps to replicate
fluent/fluent-plugin-opensearch#68
Same thing would be present for any config using assume_role_arn in their stanza.
Expected Behavior or What you need to ask
We would like to have the option to specify and pass on duration_seconds to the STS credential provider here:
https://github.com/atomita/fluent-plugin-aws-elasticsearch-service/blob/master/lib/fluent/plugin/out_aws-elasticsearch-service.rb#L99
...
Using Fluentd and ES plugin versions
Fluentd v1.14.4
fluent-plugin-aws-elasticsearch-service 2.4.1
The text was updated successfully, but these errors were encountered: