Support for directly specifying temporary credentials #230

Open
et304383 opened this issue May 22, 2018 · 7 comments

Comments

@et304383

I use IAM roles with MFA.

Thus, I see no way to support passing the 3 values in directly:

  • access key ID
  • secret access key
  • session token

I want to be able to pass these 3 values in directly. I do not want the plugin trying to do the assume role call for me.

Any way to make this work?

@et304383 et304383 changed the title Support for temporary credentials directly specified Support for directly specifying temporary credentials May 22, 2018
@repeatedly
Member

Does your approach need to create an S3 client for each data upload?
We want AWS SDK sample code for it...

@et304383
Author

If you're relying on the built in credential resolvers of any of the SDKs, I should be able to set the 3 environment variables and things just work. It does not.

@repeatedly
Member

The S3 plugin uses the access key and secret key when these are configured.

when @aws_key_id && @aws_sec_key

So setting these parameters and setting the session token in an environment variable should work, or is some code needed for the AWS SDK?

@et304383
Author

I'm honestly not sure how you coded it, but there must be a way to specify the session token too, otherwise temporary credentials do not work.

@repeatedly
Member

I didn't test it, but here is a simple patch for it.

diff --git a/lib/fluent/plugin/out_s3.rb b/lib/fluent/plugin/out_s3.rb
index bfe2574..b72342e 100644
--- a/lib/fluent/plugin/out_s3.rb
+++ b/lib/fluent/plugin/out_s3.rb
@@ -28,6 +28,8 @@ module Fluent::Plugin
     config_param :aws_key_id, :string, default: nil, secret: true
     desc "AWS secret key."
     config_param :aws_sec_key, :string, default: nil, secret: true
+    desc "AWS session token for credentials."
+    config_param :aws_session_token, :string, default: nil, secret: true
     config_section :assume_role_credentials, multi: false do
       desc "The Amazon Resource Name (ARN) of the role to assume"
       config_param :role_arn, :string, secret: true
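Review bot: the new aws_session_token parameter is only meaningful together with aws_key_id and aws_sec_key, because static keys are used only in the `when @aws_key_id && @aws_sec_key` branch quoted earlier in this thread; consider a configure-time check that raises a ConfigError when aws_session_token is set without both of them, plus a README entry for the new parameter. Marking it `secret: true` is right, since Fluentd then masks the token in the dumped configuration.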
@@ -196,6 +198,7 @@ module Fluent::Plugin
 
     def start
       options = setup_credentials
+      options[:session_token] = @aws_session_token if @aws_session_token
       options[:region] = @s3_region if @s3_region
       options[:endpoint] = @s3_endpoint if @s3_endpoint
       options[:http_proxy] = @proxy_uri if @proxy_uri
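Review bot: `options[:session_token] = @aws_session_token` is set as a client-level option after `setup_credentials` has already run, so if that method returns `options[:credentials]` built from @aws_key_id and @aws_sec_key, the SDK uses that explicit credentials object and ignores the separate :session_token option, leaving temporary keys without their token and S3 rejecting the requests. Pass the token into the credentials object instead, e.g. `Aws::Credentials.new(@aws_key_id, @aws_sec_key, @aws_session_token)` inside `setup_credentials`. Note also that a token configured this way is fixed for the life of the process and expires with the STS session unless the configuration is reloaded.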

@github-actions

github-actions bot commented Jul 6, 2021

This issue has been automatically marked as stale because it has been open 90 days with no activity. Remove the stale label or comment, or this issue will be closed in 30 days.

@github-actions github-actions bot added the stale label Jul 6, 2021
@kenhys kenhys added enhancement and removed stale labels Jul 12, 2021
@norve

norve commented Aug 14, 2023

@repeatedly
I tried this patch, but aws_session_token isn't sufficient as the aws_access_key_id and aws_secret_access_key are also updated periodically by an external agent. The way I supply credentials to td-agent is via:

  <shared_credentials>
    path /var/lib/td-agent/.aws/credentials
    profile_name default
  </shared_credentials>

The issue is that td-agent is only pulling the values from the token file at the time td-agent is started. It's not refreshing the tokens from the credentials file or checking whether they have expired using the expiration key in the credentials file. This is the general structure of a credentials file with temporary/rotating credentials:

aws_access_key_id     = ASIAXXXXXXXXXXXXXXXX
aws_secret_access_key = GYrp7H5xo3hv....
aws_session_token     = AGKa3PE93TF....
expiration            = 2023-08-14T23:11:19Z

All values need to be updated before sending objects to S3, or at least there needs to be a check to see if the token is expired before refreshing from ~/.aws/credentials file.
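Added example, not fluent-plugin-s3 code: a small Ruby provider that re-reads a credentials file in the layout above and refreshes only when the `expiration` key is within a safety margin, which is the check the comment asks for before each upload. It assumes the same INI layout and a constructed sample; the `reader` and `clock` hooks are hypothetical so it can run offline, and a plugin would hand the returned values to `Aws::Credentials.new(key_id, secret, session_token)`.

```ruby
require 'time'

# Constructed sample in the layout shown above; every value is fake.
SAMPLE_CREDENTIALS = <<~INI
  [default]
  aws_access_key_id     = ASIAEXAMPLEKEYID0000
  aws_secret_access_key = exampleSecretKeyNotReal
  aws_session_token     = exampleSessionTokenNotReal
  expiration            = 2023-08-14T23:11:19Z
INI

# Hypothetical refreshing provider: caches the parsed profile and re-reads the
# file only when the cached set is missing or about to expire.
class RefreshingSharedCredentials
  Creds = Struct.new(:access_key_id, :secret_access_key, :session_token, :expiration)
  attr_reader :loads # how many times the file was (re)read, for inspection

  # skew: refresh this many seconds before expiration so an in-flight upload
  # does not race the external agent that rotates the file.
  def initialize(path, profile: 'default', skew: 300,
                 clock: -> { Time.now.utc }, reader: -> { File.read(path) })
    @profile, @skew, @clock, @reader = profile, skew, clock, reader
    @creds = nil
    @loads = 0
  end

  # Parse the INI-style file and return the key/value pairs of one profile.
  def self.parse(text, profile)
    section = nil
    text.each_line.with_object({}) do |line, out|
      line = line.strip
      next if line.empty? || line.start_with?('#', ';')
      if (m = line.match(/\A\[(.+)\]\z/))
        section = m[1]
      elsif section == profile && (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
        out[m[1]] = m[2]
      end
    end
  end

  def load!
    @loads += 1
    h = self.class.parse(@reader.call, @profile)
    exp = h['expiration'] && Time.iso8601(h['expiration'])
    @creds = Creds.new(h['aws_access_key_id'], h['aws_secret_access_key'],
                       h['aws_session_token'], exp)
  end

  # Long-lived keys (no expiration key) are read once; temporary ones are
  # re-read once the clock is inside the skew window.
  def expired?
    @creds.nil? || (@creds.expiration && @clock.call >= @creds.expiration - @skew)
  end

  # Call this before each upload instead of caching the values at start.
  def credentials
    load! if expired?
    @creds
  end
end
```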
