[BUG] Data Prepper v2.10 & v2.10.1 sink do not use refreshed AWS credentials #5198

am90670 · 2024-11-18T13:22:13Z

Describe the bug

The OpenSearch sink in Data Prepper v2.10 & v2.10.1 does not recognise and use refreshed AWS STS credentials to sign requests upon expiration of existing credentials. Data Prepper v2.9 does.

To Reproduce
Steps to reproduce the behaviour:

Create an AWS profile in aws/credentials containing the credentials:

[default]
aws_access_key_id =  ...
aws_secret_access_key = ...
aws_session_token = ...

Create the file pipeline.yaml:

log-forwarding-pipeline:
  source:
    random:
  processor:
    - date:
        from_time_received: true
        destination: "timestamp"
  sink:                           
    - opensearch:
        aws:
          region: ...
        hosts:
          - ...
        insecure: true
        index: "data.prepper.random"

Create the file env:

AWS_CONFIG_FILE=/usr/share/data-prepper/.aws/config
AWS_REGION=...
AWS_PROFILE=default
AWS_SHARED_CREDENTIALS_FILE=/usr/share/data-prepper/.aws/credentials

Launch a container using the Data Prepper image:

podman run -d \
  --env-file $PWD/env \
  -v $PWD/pipeline.yaml:/usr/share/data-prepper/pipelines/pipeline.yaml  \
  -v $PWD/aws:/usr/share/data-prepper/.aws \
  public.ecr.aws/opensearchproject/data-prepper:2.10.1

Replace the credentials in aws/credentials with new ones shortly before they existing expire.
Upon expiration of the of the original credentials Data Prepper will begin reporting:

WARN  org.opensearch.dataprepper.plugins.sink.opensearch.BulkRetryStrategy - Bulk Operation Failed. Number of retries 5. Retrying...
org.opensearch.client.opensearch._types.OpenSearchException: Request failed: [security_exception] The security token included in the request is expired
        at org.opensearch.client.transport.aws.AwsSdk2Transport.parseResponse(AwsSdk2Transport.java:473) ~[opensearch-java-2.8.1.jar:?]
        at org.opensearch.client.transport.aws.AwsSdk2Transport.executeSync(AwsSdk2Transport.java:392) ~[opensearch-java-2.8.1.jar:?]
        at org.opensearch.client.transport.aws.AwsSdk2Transport.performRequest(AwsSdk2Transport.java:192) ~[opensearch-java-2.8.1.jar:?]
        at org.opensearch.client.opensearch.OpenSearchClient.bulk(OpenSearchClient.java:215) ~[opensearch-java-2.8.1.jar:?]
        at org.opensearch.dataprepper.plugins.sink.opensearch.bulk.OpenSearchDefaultBulkApiWrapper.bulk(OpenSearchDefaultBulkApiWrapper.java:19) ~[opensearch-2.10.1.jar:?]
        at org.opensearch.dataprepper.plugins.sink.opensearch.OpenSearchSink.lambda$doInitializeInternal$6(OpenSearchSink.java:276) ~[opensearch-2.10.1.jar:?]
        at org.opensearch.dataprepper.plugins.sink.opensearch.BulkRetryStrategy.handleRetry(BulkRetryStrategy.java:302) ~[opensearch-2.10.1.jar:?]
        at org.opensearch.dataprepper.plugins.sink.opensearch.BulkRetryStrategy.execute(BulkRetryStrategy.java:205) ~[opensearch-2.10.1.jar:?]
        at org.opensearch.dataprepper.plugins.sink.opensearch.OpenSearchSink.lambda$flushBatch$17(OpenSearchSink.java:532) ~[opensearch-2.10.1.jar:?]
        at io.micrometer.core.instrument.composite.CompositeTimer.record(CompositeTimer.java:141) ~[micrometer-core-1.13.0.jar:1.13.0]
        at org.opensearch.dataprepper.plugins.sink.opensearch.OpenSearchSink.flushBatch(OpenSearchSink.java:529) ~[opensearch-2.10.1.jar:?]
        at org.opensearch.dataprepper.plugins.sink.opensearch.OpenSearchSink.doOutput(OpenSearchSink.java:478) ~[opensearch-2.10.1.jar:?]
        at org.opensearch.dataprepper.model.sink.AbstractSink.lambda$output$0(AbstractSink.java:69) ~[data-prepper-api-2.10.1.jar:?]
        at io.micrometer.core.instrument.composite.CompositeTimer.record(CompositeTimer.java:141) ~[micrometer-core-1.13.0.jar:1.13.0]
        at org.opensearch.dataprepper.model.sink.AbstractSink.output(AbstractSink.java:69) ~[data-prepper-api-2.10.1.jar:?]
        at org.opensearch.dataprepper.pipeline.Pipeline.lambda$publishToSinks$5(Pipeline.java:360) ~[data-prepper-core-2.10.1.jar:?]
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?]
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
        at java.base/java.lang.Thread.run(Thread.java:840) [?:?]

Expected behavior
Data Prepper continues to forward to OpenSearch.

Screenshots

Environment (please complete the following information):

Container image: public.ecr.aws/opensearchproject/data-prepper
2.10, 2.10.1

Additional context

In my operational environment, AWS STS credentials are provided and refreshed by an external process. Data Prepper v2.9 recognises the refreshed credentials without the need for a restart.

The text was updated successfully, but these errors were encountered:

am90670 added bug Something isn't working untriaged labels Nov 18, 2024

github-project-automation bot added this to Data Prepper Tracking Board Nov 18, 2024

github-project-automation bot moved this to Unplanned in Data Prepper Tracking Board Nov 18, 2024

dlvenable removed the untriaged label Nov 19, 2024

dlvenable self-assigned this Nov 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] Data Prepper v2.10 & v2.10.1 sink do not use refreshed AWS credentials #5198

[BUG] Data Prepper v2.10 & v2.10.1 sink do not use refreshed AWS credentials #5198

am90670 commented Nov 18, 2024

[BUG] Data Prepper v2.10 & v2.10.1 sink do not use refreshed AWS credentials #5198

[BUG] Data Prepper v2.10 & v2.10.1 sink do not use refreshed AWS credentials #5198

Comments

am90670 commented Nov 18, 2024