Add support for IAM role arn in aws config #17658
Conversation
Just noticed it's still a draft. Feel free to ignore the "approved" status if you plan to add any important resources. Otherwise, it LGTM.

@mtojek Thanks for the review! The coding part is done as it is, I put it in Draft because there are more documentation changes needed for this 😄

Pinging @elastic/integrations-platforms (Team:Platforms)
LGTM!
## What does this PR do?

This PR makes credential settings when deploying Lambdas to AWS more flexible. New options are introduced:

1. `access_key_id`, `secret_access_key` and/or `session_token` for tokens

```yaml
functionbeat.provider.aws.access_key_id: '${AWS_ACCESS_KEY_ID:""}'
functionbeat.provider.aws.secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
functionbeat.provider.aws.session_token: '${AWS_SESSION_TOKEN:""}'
```

2. `role_arn` for assuming IAM roles

```yaml
functionbeat.provider.aws.role_arn: arn:aws:iam::123456789012:role/test-fnb
```

3. `credential_profile_name` and/or `shared_credential_file` for credential files

```yaml
functionbeat.provider.aws.credential_profile_name: fnb-aws
functionbeat.provider.aws.shared_credential_file: /etc/functionbeat/aws_credentials
```

## Why is it important?

Credential configuration becomes more flexible and follows the same pattern as in Filebeat and Metricbeat.

## Related issues

Based on #17658
Closes #12464

Co-authored-by: Brandon Morelli <[email protected]>
## What does this PR do?

This PR is to add support for IAM role arn in AWS credentials config.

## Why is it important?

When the user doesn't want to store any credentials for Metricbeat/Filebeat locally (for example on an EC2 instance), it's better to leverage an AWS IAM role. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. The IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials.

Using `role_arn` also solves the problem of reloading temporary credentials in #17189. `sts.NewAssumeRoleProvider` with the `role_arn` input constructs and returns a credentials provider that will retrieve credentials by assuming an IAM role using STS. `AssumeRoleProvider` has a function `retrieveFn`, which generates a new set of temporary credentials using STS.

## Checklist

- Changelog entry in `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.

## How to test this PR locally

1. IAM role: `arn:aws:iam::428152502467:role/test-mb`
2. `modules.d/aws.yml` to use `role_arn`:
3. `./metricbeat -e`; with the correct permissions in the IAM role, ec2 metrics should be collected and sent to Elasticsearch.

## Related issues
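As an added example of the `AssumeRoleProvider`/`retrieveFn` behaviour the description above relies on (illustration code, not from the beats repository or the AWS SDK): a minimal provider that validates `role_arn` before any STS call, caches the temporary credentials obtained by assuming the role, and re-assumes the role once they approach expiry, which is the refresh behaviour that avoids running on a stale temporary credential. `AssumeRoleFunc`, `fakeSTS`, the 5-minute expiry window and the 15-minute token lifetime are constructed stand-ins for STS.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Credentials is one set of temporary security credentials issued for a role session.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expires                                    time.Time
}
// AssumeRoleFunc stands in for the STS AssumeRole call (hypothetical signature, not the SDK's).
type AssumeRoleFunc func(roleARN string) (Credentials, error)
// AssumeRoleProvider caches the credentials obtained for RoleARN and calls retrieveFn again once
// they fall inside ExpiryWindow, so a long-running beat never keeps using an expired session token.
// (Single-goroutine use only; a production provider guards cached with a mutex.)
type AssumeRoleProvider struct {
	RoleARN      string
	ExpiryWindow time.Duration
	retrieveFn   AssumeRoleFunc
	cached       Credentials
	Calls        int // how many times the role was actually assumed
}

// NewAssumeRoleProvider rejects anything that is not an IAM role ARN before any STS call is made.
func NewAssumeRoleProvider(roleARN string, fn AssumeRoleFunc) (*AssumeRoleProvider, error) {
	p := strings.SplitN(roleARN, ":", 6) // arn:partition:iam::account:role/name
	if len(p) != 6 || p[0] != "arn" || p[2] != "iam" || p[3] != "" || !strings.HasPrefix(p[5], "role/") {
		return nil, fmt.Errorf("role_arn %q is not an IAM role ARN", roleARN)
	}
	return &AssumeRoleProvider{RoleARN: roleARN, ExpiryWindow: 5 * time.Minute, retrieveFn: fn}, nil
}

// Retrieve returns the cached credentials while they are fresh and re-assumes the role otherwise.
func (p *AssumeRoleProvider) Retrieve() (Credentials, error) {
	if p.cached.AccessKeyID != "" && time.Now().Add(p.ExpiryWindow).Before(p.cached.Expires) {
		return p.cached, nil // still fresh: no STS round trip
	}
	c, err := p.retrieveFn(p.RoleARN)
	if err == nil {
		p.cached, p.Calls = c, p.Calls+1
	}
	return c, err
}

// fakeSTS is a constructed stand-in for STS that issues 15-minute session credentials.
func fakeSTS(roleARN string) (Credentials, error) {
	return Credentials{AccessKeyID: "ASIAEXAMPLE", SecretAccessKey: "example-secret",
		SessionToken: fmt.Sprintf("%s@%d", roleARN, time.Now().UnixNano()), Expires: time.Now().Add(15 * time.Minute)}, nil
}
```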