search

aws / aws-for-fluent-bit

The source of the amazon/aws-for-fluent-bit container image
Apache License 2.0
437 stars 130 forks source link

AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable is not respected when set #811

Open thisfred opened 2 months ago

thisfred commented 2 months ago

We are trying to use FluentBit in an AWS IoT Greengrass Component to log to Cloudwatch. The way Greengrass Components authenticate to AWS services is through a Token Exchange Service (which is another Greengrass component) running on the same device. In order to have code using the AWS SDKs be able to ask this service for credentials, an environment variable named AWS_CONTAINER_CREDENTIALS_FULL_URI can be set. Unfortunately aws-for-fluent-bit (or at least the cloudwatch_logs plugin part of it) does not seem to detect the presence of this variable, and instead only looks for AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, which doesn't work for the purposes of using anything running on the local device instead of in AWS.

Example invocation with environment variables passed:

env | grep -i aws
AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH=/path/to/ipc.socket
AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:33925/2016-11-01/credentialprovider/
AWS_DEFAULT_REGION=us-east-1
AWS_REGION=us-east-1
AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH_FOR_COMPONENT=/path/to/ipc.socket
AWS_CONTAINER_AUTHORIZATION_TOKEN=REDACTED
...

fluent-bit/bin/fluent-bit -i cpu -o cloudwatch_logs -p region=us-east-1 -p log_group_name=group_name -p log_stream_prefix=stream_prefix -p role_arn=[REDACTED] -vvv

Relevant log output:

[2024/04/24 22:13:28] [debug] [aws_credentials] Not initializing ECS Provider because AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set

Running commands in the same container that use the AWS SDK (like a boto request to S3) do successfully detect and use the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable, and are able to aqcuire the necessary credentials to talk to AWS services.

PettitWesley commented 1 month ago

We're working on EKS Pod identity support, which involves refactoring the HTTP Provider. We're adding support for this env var in the same feature: https://github.com/fluent/fluent-bit/pull/8826

Please take a look.

PettitWesley commented 1 month ago

AWS Distro PR diff: https://github.com/PettitWesley/fluent-bit/pull/32

PettitWesley commented 1 month ago

These images contain the feature support along with some other upcoming work we are testing:

# Base image
144718711470.dkr.ecr.us-west-2.amazonaws.com/aws-for-fluent-bit:grace-input-chunk-check
# Image with Fluent Bit ECS Init helper added: 
# https://github.com/aws-samples/amazon-ecs-firelens-examples/tree/mainline?tab=readme-ov-file#aws-for-fluent-bit-init-tag-examples
144718711470.dkr.ecr.us-west-2.amazonaws.com/aws-for-fluent-bit:init-grace-input-chunk-check