From 62e2e604504a4339d7af0f00b540cd7f34d8f0dc Mon Sep 17 00:00:00 2001 From: kaiyan-sheng Date: Mon, 20 Apr 2020 08:23:43 -0600 Subject: [PATCH] Add support for IAM role arn in aws config (#17658) (#17726) * add support for role arn in aws config (cherry picked from commit fa03922e8957c0b14525a501d7037d00c12cc569) --- CHANGELOG.next.asciidoc | 1 + .../docs/aws-credentials-examples.asciidoc | 10 ++++++ filebeat/docs/modules/aws.asciidoc | 12 ++++++- .../docs/aws-credentials-examples.asciidoc | 12 +++++++ x-pack/filebeat/filebeat.reference.yml | 18 +++++++++++ x-pack/filebeat/module/aws/_meta/config.yml | 18 +++++++++++ .../filebeat/module/aws/_meta/docs.asciidoc | 12 ++++++- .../module/aws/cloudtrail/config/s3.yml | 4 +++ .../module/aws/cloudtrail/manifest.yml | 1 + .../module/aws/cloudwatch/config/s3.yml | 4 +++ .../module/aws/cloudwatch/manifest.yml | 1 + x-pack/filebeat/module/aws/ec2/config/s3.yml | 4 +++ x-pack/filebeat/module/aws/ec2/manifest.yml | 1 + x-pack/filebeat/module/aws/elb/config/s3.yml | 4 +++ x-pack/filebeat/module/aws/elb/manifest.yml | 1 + .../module/aws/s3access/config/s3.yml | 4 +++ .../filebeat/module/aws/s3access/manifest.yml | 1 + .../module/aws/vpcflow/config/input.yml | 4 +++ .../filebeat/module/aws/vpcflow/manifest.yml | 1 + x-pack/filebeat/modules.d/aws.yml.disabled | 18 +++++++++++ x-pack/libbeat/common/aws/credentials.go | 31 +++++++++++++++++-- .../docs/aws-credentials-config.asciidoc | 27 +++++++++++++--- 22 files changed, 180 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 78d5543dfd9..d0a6de859ed 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -253,6 +253,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update supported versions of `redis` output. {pull}17198[17198] - Update documentation for system.process.memory fields to include clarification on Windows os's. {pull}17268[17268] - Add `urldecode` processor to for decoding URL-encoded fields. {pull}17505[17505] +- Add support for AWS IAM `role_arn` in credentials config. {pull}17658[17658] {issue}12464[12464] *Auditbeat* diff --git a/filebeat/docs/aws-credentials-examples.asciidoc b/filebeat/docs/aws-credentials-examples.asciidoc index 9921a5bc665..e306e2bb0a0 100644 --- a/filebeat/docs/aws-credentials-examples.asciidoc +++ b/filebeat/docs/aws-credentials-examples.asciidoc @@ -22,6 +22,16 @@ filebeat.inputs: session_token: '${AWS_SESSION_TOKEN:""}' ---- +* Use IAM role ARN ++ +[source,yaml] +---- +filebeat.inputs: +- type: s3 + queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue + role_arn: arn:aws:iam::123456789012:role/test-mb +---- + * Use shared AWS credentials file + [source,yaml] diff --git a/filebeat/docs/modules/aws.asciidoc b/filebeat/docs/modules/aws.asciidoc index 1f75ff7ad85..a2ed25e518b 100644 --- a/filebeat/docs/modules/aws.asciidoc +++ b/filebeat/docs/modules/aws.asciidoc @@ -27,7 +27,8 @@ that represent actions taken by a user, role or AWS service. The `aws` module requires AWS credentials configuration in order to make AWS API calls. Users can either use `access_key_id`, `secret_access_key` and/or -`session_token`, or use shared AWS credentials file. +`session_token`, or use `role_arn` AWS IAM role, or use shared AWS credentials file. + Please see <> for more details. include::../include/gs-link.asciidoc[] @@ -51,6 +52,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb cloudwatch: enabled: false 
@@ -63,6 +65,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb ec2: enabled: false @@ -75,6 +78,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb elb: enabled: false @@ -87,6 +91,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb s3access: enabled: false @@ -99,6 +104,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb vpcflow: enabled: false @@ -111,6 +117,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb ---- *`var.queue_url`*:: @@ -147,6 +154,9 @@ Second part of access key. *`var.session_token`*:: Required when using temporary security credentials. +*`var.role_arn`*:: +AWS IAM Role to assume. + [float] === cloudtrail fileset diff --git a/metricbeat/docs/aws-credentials-examples.asciidoc b/metricbeat/docs/aws-credentials-examples.asciidoc index c9fccb12aa9..81c68c2cce3 100644 --- a/metricbeat/docs/aws-credentials-examples.asciidoc +++ b/metricbeat/docs/aws-credentials-examples.asciidoc @@ -26,6 +26,18 @@ metricbeat.modules: session_token: '${AWS_SESSION_TOKEN:""}' ---- +* Use IAM role ARN ++ +[source,yaml] +---- +metricbeat.modules: +- module: aws + period: 300s + metricsets: + - ec2 + role_arn: arn:aws:iam::123456789012:role/test-mb +---- + * Use shared AWS credentials file + [source,yaml] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index d0722fdb2fc..63743fd229d 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -127,6 +127,9 @@ filebeat.modules: # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + cloudwatch: enabled: false @@ -158,6 +161,9 @@ filebeat.modules: # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + ec2: enabled: false @@ -189,6 +195,9 @@ filebeat.modules: # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + elb: enabled: false @@ -220,6 +229,9 @@ filebeat.modules: # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + s3access: enabled: false @@ -251,6 +263,9 @@ filebeat.modules: # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + vpcflow: enabled: false @@ -282,6 +297,9 @@ filebeat.modules: # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + #-------------------------------- Azure Module -------------------------------- - module: azure # All logs diff --git a/x-pack/filebeat/module/aws/_meta/config.yml b/x-pack/filebeat/module/aws/_meta/config.yml index 4fa34de09a0..7c9c9f0e7b0 100644 --- a/x-pack/filebeat/module/aws/_meta/config.yml +++ b/x-pack/filebeat/module/aws/_meta/config.yml @@ -30,6 +30,9 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + cloudwatch: enabled: false 
@@ -61,6 +64,9 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + ec2: enabled: false @@ -92,6 +98,9 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + elb: enabled: false @@ -123,6 +132,9 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + s3access: enabled: false @@ -154,6 +166,9 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + vpcflow: enabled: false @@ -184,3 +199,6 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb diff --git a/x-pack/filebeat/module/aws/_meta/docs.asciidoc b/x-pack/filebeat/module/aws/_meta/docs.asciidoc index 8be6fe9123e..434180c1bc4 100644 --- a/x-pack/filebeat/module/aws/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/aws/_meta/docs.asciidoc @@ -22,7 +22,8 @@ that represent actions taken by a user, role or AWS service. The `aws` module requires AWS credentials configuration in order to make AWS API calls. Users can either use `access_key_id`, `secret_access_key` and/or -`session_token`, or use shared AWS credentials file. +`session_token`, or use `role_arn` AWS IAM role, or use shared AWS credentials file. + Please see <> for more details. include::../include/gs-link.asciidoc[] @@ -46,6 +47,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb cloudwatch: enabled: false 
@@ -58,6 +60,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb ec2: enabled: false @@ -70,6 +73,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb elb: enabled: false @@ -82,6 +86,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb s3access: enabled: false @@ -94,6 +99,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb vpcflow: enabled: false @@ -106,6 +112,7 @@ Example config: #var.visibility_timeout: 300s #var.api_timeout: 120s #var.endpoint: amazonaws.com + #var.role_arn: arn:aws:iam::123456789012:role/test-mb ---- *`var.queue_url`*:: @@ -142,6 +149,9 @@ Second part of access key. *`var.session_token`*:: Required when using temporary security credentials. +*`var.role_arn`*:: +AWS IAM Role to assume. + [float] === cloudtrail fileset diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml index ebd0493d11a..f587cb26d85 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml @@ -33,3 +33,7 @@ secret_access_key: {{ .secret_access_key }} {{ if .session_token }} session_token: {{ .session_token }} {{ end }} + +{{ if .role_arn }} +role_arn: {{ .role_arn }} +{{ end }} diff --git a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml index 7eca3432e78..16d188c1c0d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml 
@@ -12,6 +12,7 @@ var: - name: access_key_id - name: secret_access_key - name: session_token + - name: role_arn ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml b/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml index 1a7b821d1af..44d98fd8c1a 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml @@ -32,3 +32,7 @@ secret_access_key: {{ .secret_access_key }} {{ if .session_token }} session_token: {{ .session_token }} {{ end }} + +{{ if .role_arn }} +role_arn: {{ .role_arn }} +{{ end }} diff --git a/x-pack/filebeat/module/aws/cloudwatch/manifest.yml b/x-pack/filebeat/module/aws/cloudwatch/manifest.yml index 7eca3432e78..16d188c1c0d 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/manifest.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/manifest.yml @@ -12,6 +12,7 @@ var: - name: access_key_id - name: secret_access_key - name: session_token + - name: role_arn ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/ec2/config/s3.yml b/x-pack/filebeat/module/aws/ec2/config/s3.yml index 1a7b821d1af..44d98fd8c1a 100644 --- a/x-pack/filebeat/module/aws/ec2/config/s3.yml +++ b/x-pack/filebeat/module/aws/ec2/config/s3.yml @@ -32,3 +32,7 @@ secret_access_key: {{ .secret_access_key }} {{ if .session_token }} session_token: {{ .session_token }} {{ end }} + +{{ if .role_arn }} +role_arn: {{ .role_arn }} +{{ end }} diff --git a/x-pack/filebeat/module/aws/ec2/manifest.yml b/x-pack/filebeat/module/aws/ec2/manifest.yml index 7eca3432e78..16d188c1c0d 100644 --- a/x-pack/filebeat/module/aws/ec2/manifest.yml +++ b/x-pack/filebeat/module/aws/ec2/manifest.yml @@ -12,6 +12,7 @@ var: - name: access_key_id - name: secret_access_key - name: session_token + - name: role_arn ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml 
diff --git a/x-pack/filebeat/module/aws/elb/config/s3.yml b/x-pack/filebeat/module/aws/elb/config/s3.yml index 1a7b821d1af..44d98fd8c1a 100644 --- a/x-pack/filebeat/module/aws/elb/config/s3.yml +++ b/x-pack/filebeat/module/aws/elb/config/s3.yml @@ -32,3 +32,7 @@ secret_access_key: {{ .secret_access_key }} {{ if .session_token }} session_token: {{ .session_token }} {{ end }} + +{{ if .role_arn }} +role_arn: {{ .role_arn }} +{{ end }} diff --git a/x-pack/filebeat/module/aws/elb/manifest.yml b/x-pack/filebeat/module/aws/elb/manifest.yml index 0509290abeb..418becaf828 100644 --- a/x-pack/filebeat/module/aws/elb/manifest.yml +++ b/x-pack/filebeat/module/aws/elb/manifest.yml @@ -12,6 +12,7 @@ var: - name: access_key_id - name: secret_access_key - name: session_token + - name: role_arn ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/s3access/config/s3.yml b/x-pack/filebeat/module/aws/s3access/config/s3.yml index 1a7b821d1af..44d98fd8c1a 100644 --- a/x-pack/filebeat/module/aws/s3access/config/s3.yml +++ b/x-pack/filebeat/module/aws/s3access/config/s3.yml @@ -32,3 +32,7 @@ secret_access_key: {{ .secret_access_key }} {{ if .session_token }} session_token: {{ .session_token }} {{ end }} + +{{ if .role_arn }} +role_arn: {{ .role_arn }} +{{ end }} diff --git a/x-pack/filebeat/module/aws/s3access/manifest.yml b/x-pack/filebeat/module/aws/s3access/manifest.yml index 7eca3432e78..16d188c1c0d 100644 --- a/x-pack/filebeat/module/aws/s3access/manifest.yml +++ b/x-pack/filebeat/module/aws/s3access/manifest.yml @@ -12,6 +12,7 @@ var: - name: access_key_id - name: secret_access_key - name: session_token + - name: role_arn ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/vpcflow/config/input.yml b/x-pack/filebeat/module/aws/vpcflow/config/input.yml index 7de9341fea2..f79430783f5 100644 --- a/x-pack/filebeat/module/aws/vpcflow/config/input.yml 
+++ b/x-pack/filebeat/module/aws/vpcflow/config/input.yml @@ -35,6 +35,10 @@ secret_access_key: {{ .secret_access_key }} session_token: {{ .session_token }} {{ end }} +{{ if .role_arn }} +role_arn: {{ .role_arn }} +{{ end }} + {{ else if eq .input "file" }} type: log diff --git a/x-pack/filebeat/module/aws/vpcflow/manifest.yml b/x-pack/filebeat/module/aws/vpcflow/manifest.yml index cfbcf6b17e9..2bcc4d6cbe5 100644 --- a/x-pack/filebeat/module/aws/vpcflow/manifest.yml +++ b/x-pack/filebeat/module/aws/vpcflow/manifest.yml @@ -12,6 +12,7 @@ var: - name: access_key_id - name: secret_access_key - name: session_token + - name: role_arn ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/modules.d/aws.yml.disabled b/x-pack/filebeat/modules.d/aws.yml.disabled index 1f03535163d..a77624da4d6 100644 --- a/x-pack/filebeat/modules.d/aws.yml.disabled +++ b/x-pack/filebeat/modules.d/aws.yml.disabled @@ -33,6 +33,9 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + cloudwatch: enabled: false @@ -64,6 +67,9 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + ec2: enabled: false @@ -95,6 +101,9 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + elb: enabled: false @@ -126,6 +135,9 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + s3access: enabled: false @@ -157,6 +169,9 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + vpcflow: enabled: false 
@@ -187,3 +202,6 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb diff --git a/x-pack/libbeat/common/aws/credentials.go b/x-pack/libbeat/common/aws/credentials.go index a438cc1f032..c9a5f5de9b2 100644 --- a/x-pack/libbeat/common/aws/credentials.go +++ b/x-pack/libbeat/common/aws/credentials.go @@ -8,6 +8,11 @@ import ( awssdk "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/aws/defaults" "github.com/aws/aws-sdk-go-v2/aws/external" + "github.com/aws/aws-sdk-go-v2/aws/stscreds" + "github.com/aws/aws-sdk-go-v2/service/sts" + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/logp" ) // ConfigAWS is a structure defined for AWS credentials @@ -18,15 +23,20 @@ type ConfigAWS struct { ProfileName string `config:"credential_profile_name"` SharedCredentialFile string `config:"shared_credential_file"` Endpoint string `config:"endpoint"` + RoleArn string `config:"role_arn"` } // GetAWSCredentials function gets aws credentials from the config. // If access_key_id and secret_access_key are given, then use them as credentials. -// If not, then load from aws config file. If credential_profile_name is not +// If role_arn is given, assume the IAM role instead. +// If none of the above is given, then load from aws config file. If credential_profile_name is not // given, then load default profile from the aws config file. func GetAWSCredentials(config ConfigAWS) (awssdk.Config, error) { + logger := logp.NewLogger("get_aws_credentials") + // Check if accessKeyID or secretAccessKey or sessionToken is given from configuration if config.AccessKeyID != "" || config.SecretAccessKey != "" || config.SessionToken != "" { + logger.Debug("Using access_key_id, secret_access_key and/or session_token for AWS credential") awsConfig := defaults.Config() awsCredentials := awssdk.Credentials{ AccessKeyID: config.AccessKeyID, 
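Review bot: The new doc comment on GetAWSCredentials says `If role_arn is given, assume the IAM role instead`, but the static-key check that precedes it in this hunk (`config.AccessKeyID != "" || config.SecretAccessKey != "" || config.SessionToken != ""`) still wins, so a config that sets both uses the static keys and silently ignores role_arn. The comment should state that precedence so an operator knows which identity the Beat acts under: `// If role_arn is given and no static keys are set, assume the IAM role instead, using the default credential chain as the AssumeRole source.` A Warn-level log when both access keys and role_arn are configured would make the ignored setting visible at startup rather than leaving it to be discovered from CloudTrail. The function body continues past the end of this hunk.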
@@ -43,14 +53,29 @@ func GetAWSCredentials(config ConfigAWS) (awssdk.Config, error) { return awsConfig, nil } - // If accessKeyID, secretAccessKey or sessionToken is not given, then load from default config + // Assume IAM role if iam_role config parameter is given + if config.RoleArn != "" { + logger.Debug("Using role_arn for AWS credential") + awsConfig, err := external.LoadDefaultAWSConfig() + if err != nil { + return awsConfig, errors.Wrap(err, "external.LoadDefaultAWSConfig failed when using role_arn") + } + stsSvc := sts.New(awsConfig) + stsCredProvider := stscreds.NewAssumeRoleProvider(stsSvc, config.RoleArn) + awsConfig.Credentials = stsCredProvider + return awsConfig, nil + } + + // If accessKeyID, secretAccessKey or sessionToken is not given, iam_role is not given, then load from default config // Please see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html // with more details. // If credential_profile_name is empty, then default profile is used. + logger.Debug("Using shared credential profile for AWS credential") var options []external.Config if config.ProfileName != "" { options = append(options, external.WithSharedConfigProfile(config.ProfileName)) } + // If shared_credential_file is empty, then external.LoadDefaultAWSConfig // function will load AWS config from current user's home directory. // Linux/OSX: "$HOME/.aws/credentials" @@ -61,7 +86,7 @@ func GetAWSCredentials(config ConfigAWS) (awssdk.Config, error) { awsConfig, err := external.LoadDefaultAWSConfig(options...) if err != nil { - return awsConfig, err + return awsConfig, errors.Wrap(err, "external.LoadDefaultAWSConfig failed when using shared credential profile") } return awsConfig, nil } diff --git a/x-pack/libbeat/docs/aws-credentials-config.asciidoc b/x-pack/libbeat/docs/aws-credentials-config.asciidoc index 33deb5a0941..cee77fd80a8 100644 --- a/x-pack/libbeat/docs/aws-credentials-config.asciidoc +++ b/x-pack/libbeat/docs/aws-credentials-config.asciidoc 
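Review bot: The role_arn branch calls `external.LoadDefaultAWSConfig()` with no options, so `credential_profile_name` (and presumably the `shared_credential_file` handling that sits just beyond this hunk's boundary) is ignored when choosing the source credentials that perform the AssumeRole, while the profile path below does pass `options...`. Hoisting the options construction above the role_arn check and loading with `options...` in both branches keeps the two paths consistent, which matters because the role's trust policy is evaluated against whichever principal the default chain happens to resolve to on that host. The added comments `// Assume IAM role if iam_role config parameter is given` and `// ... iam_role is not given, then load from default config` name a setting that does not exist; the field is `role_arn`. stscreds.NewAssumeRoleProvider is used with its defaults, so there is no way to set an external ID or a role session name; worth a follow-up since cross-account trust policies commonly require `sts:ExternalId` and a session name makes the assumed-role activity attributable in CloudTrail. GetAWSCredentials begins before this hunk.
```go
	// Source credentials for AssumeRole honour credential_profile_name as well.
	var options []external.Config
	if config.ProfileName != "" {
		options = append(options, external.WithSharedConfigProfile(config.ProfileName))
	}

	// Assume IAM role if role_arn config parameter is given
	if config.RoleArn != "" {
		logger.Debug("Using role_arn for AWS credential")
		awsConfig, err := external.LoadDefaultAWSConfig(options...)
		if err != nil {
			return awsConfig, errors.Wrap(err, "external.LoadDefaultAWSConfig failed when using role_arn")
		}
		// … unchanged: sts.New / NewAssumeRoleProvider / return …
	}

	// … unchanged: shared-profile comments and final LoadDefaultAWSConfig(options...) …
```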
@@ -10,18 +10,26 @@ To configure AWS credentials, either put the credentials into the {beatname_uc} * *credential_profile_name*: profile name in shared credentials file. * *shared_credential_file*: directory of the shared credentials file. * *endpoint*: URL of the entry point for an AWS web service. +* *role_arn*: AWS IAM Role to assume. [float] ==== Supported Formats -* Use `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or `AWS_SESSION_TOKEN` +* Use `access_key_id`, `secret_access_key` and/or `session_token` Users can either put the credentials into metricbeat module configuration or use environment variable `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or `AWS_SESSION_TOKEN` instead. -include::../../../{beatname_lc}/docs/aws-credentials-examples.asciidoc[] +* Use `role_arn` + +If `access_key_id` and `secret_access_key` are not given, then {beatname_lc} will +check for `role_arn`. `role_arn` is used to specify which AWS IAM role to assume +for generating temporary credentials. -`credential_profile_name` is optional. If you use different credentials for +* Use `credential_profile_name` and/or `shared_credential_file` + +If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then +{beatname_lc} will check for `credential_profile_name`. If you use different credentials for different tools or applications, you can use profiles to configure multiple access keys in the same configuration file. If there is no `credential_profile_name` given, the default profile will be used. @@ -33,6 +41,8 @@ For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. Please se https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html[Create Shared Credentials File] for more details. +include::../../../{beatname_lc}/docs/aws-credentials-examples.asciidoc[] + [float] ==== AWS Credentials Types There are two different types of AWS credentials can be used: 
@@ -47,9 +57,18 @@ https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-key and Secret Access Keys] for more details. +* IAM role ARN + +An IAM role is an IAM identity that you can create in your account that has +specific permissions that determine what the identity can and cannot do in AWS. +A role does not have standard long-term credentials such as a password or access keys associated with it. +Instead, when you assume a role, it provides you with temporary security credentials for your role session. +IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials. +Please see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html[AssumeRole API documentation] for more details. + * Temporary security credentials -temporary security credentials has a limited lifetime and consists of an +Temporary security credentials has a limited lifetime and consists of an access key ID, a secret access key, and a security token which typically returned from `GetSessionToken`. MFA-enabled IAM users would need to submit an MFA code while calling `GetSessionToken`. `default_region` identifies the AWS Region