This repository has been archived by the owner on Jul 19, 2023. It is now read-only.

Include role_arn in the cloudwatch_logs input plugin #81

Open
kazizi-swe opened this issue Aug 7, 2019 · 5 comments

Comments


kazizi-swe commented Aug 7, 2019

I'm able to use role_arn => "${ROLE_ARN}" using your input plugin. I don't see any option in your input plugin for this; please update the README.

Edit: I had to spend a long time finding out if it's possible to be done or not using your code. It could have been saved simply by mentioning it in your README.

@maksym-iv

@koursoh could you please paste what solution you've found?

@wright831

I'll post this up as I just got it working. In the cloudwatch_logs input section you omit the access_key_id and secret_access_key parameters and instead use role_arn => "${ROLE_ARN}". But (key part that should have been mentioned), if you do this then you need to create a credentials file with the access_key_id and secret_access_key and place that file in the directory where Logstash is installed, so something like /usr/share/logstash/.aws/credentials. The plugin will then reference the account you're coming from (i.e., the user tied to the credentials file) and the role_arn will reference the account you're role-switching into to pull logs. Oh, and you'll likely need [default] at the top of your credentials file with those two parameters under it, unless you plan to reference more than one set of keys in there. Happy to see this finally working; let me know if you run into any issues.
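
Added example, not part of this thread or of the plugin's code: a Python pre-flight check for the setup described in the comment above (role_arn in the pipeline, long-lived keys only in a credentials file). It assumes a POSIX host and the AWS shared credentials file key names `aws_access_key_id` and `aws_secret_access_key`; the function names are hypothetical.

```python
import configparser
import os
import re
import stat
import sys

# Key names used by the AWS shared credentials file format (assumption stated above).
REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key")

def check_credentials_file(path, profile="default"):
    """Return problems found in the shared credentials file (empty list = OK)."""
    if not os.path.isfile(path):
        return [f"{path}: file not found"]
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit exposes the long-lived keys
        problems.append(f"{path}: mode {mode:o} is too open, use 600")
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(path)
    except configparser.Error as exc:  # e.g. keys written without a [section]
        return problems + [f"{path}: not valid INI ({type(exc).__name__})"]
    if not parser.has_section(profile):
        return problems + [f"{path}: missing [{profile}] section"]
    for key in REQUIRED_KEYS:
        if not parser.get(profile, key, fallback="").strip():
            problems.append(f"{path}: [{profile}] has no {key}")
    return problems

def check_pipeline(text):
    """Return problems in a Logstash pipeline that should rely on role_arn."""
    problems = []
    if not re.search(r"^\s*role_arn\s*=>", text, re.M):
        problems.append("pipeline: role_arn is not set")
    for key in ("access_key_id", "secret_access_key"):
        if re.search(rf"^\s*{key}\s*=>", text, re.M):
            problems.append(f"pipeline: static {key} present, keep keys out of the config")
    return problems

if __name__ == "__main__":
    # Usage: script.py <pipeline.conf> [credentials file]
    # The default credentials path is the one named in the comment above.
    cred = sys.argv[2] if len(sys.argv) > 2 else "/usr/share/logstash/.aws/credentials"
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = check_credentials_file(cred) + check_pipeline(fh.read())
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

Run it as the user Logstash runs as, so the permission and path checks reflect what the plugin will actually see.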


kazizi-swe commented Aug 22, 2019

In case you want to see the whole Logstash code:

input{
  cloudwatch_logs {
    role_arn => "${ROLE_ARN}" 
    log_group_prefix => true
    log_group => ["/aws/lambda/"]
    region => "${AWS_REGION}"
    type => "Cloudwatch"
    sincedb_path => "/usr/share/logstash/db/.sincedb*"
    start_position => 600
  }
}

The easiest / temporary solution to run it is to create a Docker image with environment variables. Build the image, run it, and you are good to go.


morganchristiansson commented Jul 9, 2020

These AWS credentials parameters are managed by the logstash-mixin-aws plugin and the parameters are identical across all plugins using this mixin. The documentation for this could be better in some plugins.

Can we close the issue as it's resolved? A PR to update the README would be welcome, I imagine.

@MasterBlasterLS

Hi,

Is it actually working? I have implemented the config provided; however, the ARN role is not working and all requests are going to the primary account.
