fluent-plugins-nursery / fluent-plugin-cloudwatch-logs

CloudWatch Logs Plugin for Fluentd
MIT License

Unable to pass session token in AWS Credentials while pushing logs to Cloudwatch #163

Closed openshift-poc closed 3 years ago

openshift-poc commented 4 years ago

Problem

@type cloudwatch_logs
Set the AWS_KEY_ID = #####
Set the AWS_SEC_KEY = #####

While running the Fluentd container with this plugin, the output throws the error below. CloudWatchLogs::Errors::UnrecognizedClientException: The security token included in the request is invalid. ... Tried to set AWS_SESSION_TOKEN as export AWS_SESSION_TOKEN, but it does not work. Also tried to set AWS_SESSION_TOKEN within the conf, getting the same error.

Steps to replicate

Provide example config and message. Example config is as per the problem. Contains AWS KEY ID and SEC KEY. Unable to pass token as parameter.

CloudWatchLogs::Errors::UnrecognizedClientException: The security token included in the request is invalid.

Expected Behavior or What you need to ask

...

Using Fluentd and CloudWatchLogs plugin versions

1.7.1 Alpine linux fluentd and fluent-plugin-cloudwatch-logs 0.7.4.

cosmo0920 commented 4 years ago

<match a.great.your.tag.***>
  @type cloudwatch_logs
  region ap-northeast-1
  aws_key_id AKIASUPER1AWSKEY
  aws_sec_key FcawsSecret1234Key
  # and some configuration
</match>

Can handle AWS credentials.

If you use environment variables, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_REGION should be used to set up AWS credentials. Am I missing something?

openshift-poc commented 4 years ago

The issue is I am unable to pass the session token parameter. This parameter is required when using temporary credentials which expire after some time. This link from AWS provides more details on using temporary credentials: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

cosmo0920 commented 4 years ago

https://github.com/aws/aws-sdk-ruby/blob/053b60d3b3d6434c2ea0a62d467f1461a865150c/gems/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb#L82-L84

If you want to use session token via environment variables, you should set up:

cosmo0920 commented 3 years ago

The issue is I am unable to pass the session token parameter. This parameter is required when using temporary credentials which expire after some time. This link from AWS provides more details on using temporary credentials: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

This plugin supports AWS STS credentials:

use_aws_sts true
aws_sts_role_arn arn:aws:iam::123456789012:role/policy-name
aws_sts_session_name awesome-session-name

You shouldn't prepare temporary credentials by hand. Instead, prepare the above configuration for STS authentication and the roles for assume-role credentials in ~/.aws/config. ref: https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempSessionTokenRuby.html
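
A pre-flight check for the credential environment discussed in this thread, added here as an illustration; it is not code from the plugin, the AWS SDK, or any commenter. It assumes the variable-name lists match `env_credentials` in the linked aws-sdk-core file and that access key IDs follow the AWS prefix convention (`AKIA` long-term, `ASIA` temporary); `check_aws_env` and the sample values are hypothetical.

```ruby
# Added example: report credential-environment mistakes before fluentd starts.
# Name lists are assumed to mirror env_credentials in the linked aws-sdk-core file.
KEY_VARS    = %w[AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY].freeze
SECRET_VARS = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY].freeze
TOKEN_VARS  = %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN].freeze
# Names used in the original report; they are not in any of the lists above.
UNREAD_VARS = %w[AWS_KEY_ID AWS_SEC_KEY].freeze

# First non-blank value among the given variable names, or nil.
def first_set(env, names)
  names.map { |n| env[n] }.find { |v| v && !v.strip.empty? }
end

# Returns an array of findings; an empty array means the set looks consistent.
# Findings name variables only and never include secret values.
def check_aws_env(env)
  findings = []
  key    = first_set(env, KEY_VARS)
  secret = first_set(env, SECRET_VARS)
  token  = first_set(env, TOKEN_VARS)

  UNREAD_VARS.each do |n|
    findings << "#{n} is set but is not a variable the SDK reads" if env.key?(n)
  end
  findings << "no access key ID variable is set" if key.nil?
  findings << "no secret access key variable is set" if secret.nil?
  if key&.start_with?("ASIA") && token.nil?
    # Temporary credentials sent without their token are rejected by the service.
    findings << "temporary key (ASIA...) without a session token"
  elsif key&.start_with?("AKIA") && token
    findings << "long-term key (AKIA...) combined with a session token"
  end
  findings
end

# Constructed sample: the variable names from the report, with placeholder values.
SAMPLE_ENV = {
  "AWS_KEY_ID"  => "ASIAEXAMPLEKEYID0000",
  "AWS_SEC_KEY" => "example-secret-value"
}.freeze

check_aws_env(SAMPLE_ENV).each { |f| puts "credential check: #{f}" }
```

Passing `ENV.to_h` instead of the sample checks the real container environment.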

kenhys commented 3 years ago

@openshift-poc can we close this issue?

openshift-poc commented 3 years ago

Yes please.

Thank you very much.


vedxk commented 1 year ago

Hi, @openshift-poc was this issue resolved for you?