Closed eriklupander closed 3 years ago
I'd created a patch for this issue: #208. BTW, I'd supported IRSA credentials in fluent-plugin-cloudwatch-logs v0.11.0. If you use this plugin on EKS, using IRSA to obtain credentials is better for restricting service permissions: https://aws.amazon.com/jp/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
To handle IRSA credentials in this plugin, use the following configuration for retrieving credentials:

```
region eu-west-1
<web_identity_credentials>
  role_arn "#{ENV['AWS_ROLE_ARN']}"
  role_session_name awesome-cloudwatch-logs-session-name
  web_identity_token_file "#{ENV['AWS_WEB_IDENTITY_TOKEN_FILE']}"
</web_identity_credentials>
```
Thanks for the quick reply and patch. I'll take a look at IRSA for our purpose as well, thanks!
Problem
I would like to be able to configure this plug-in to use a regional AWS STS endpoint in order to use a restrictive network security policy. Currently, a call is made to the global https://sts.amazonaws.com endpoint which makes using VPC endpoint on a private subnet infeasible. (more details further down)
Steps to replicate
One can quite easily reproduce this problem by not allowing egress network traffic to whatever IP-range the plugin needs to communicate with for AWS sts or logs endpoints.
Our egress NSP:
Error from fluentd.log:
Expected Behavior or What you need to ask
I'm currently trying to create a strict Network Security Policy (NSP) for running this plug-in on AWS EKS as a daemonset. Without a NSP, everything works just fine.
I've almost nailed the NSP down by allowing egress traffic UDP/TCP to port 53 for DNS, to 10.100.0.0/16 port 443 for K8S API calls and to 192.168.0.0/16 for service calls to VPC endpoints such as `logs.{REGION}.amazonaws.com` and `sts.{REGION}.amazonaws.com`. My remaining issue is that during startup, fluentd (or this plugin) tries to call `https://sts.amazonaws.com`, which results in a request to (for example) 54.239.29.25:443. If I allow egress to 54.0.0.0/8 it works OK, but that's too permissive and I don't trust those IPs to stay static. It boils down to that I would like to be able to configure this plug-in to use a regional sts endpoint (for example, see https://github.com/awslabs/aws-fluent-plugin-kinesis/blob/master/README.md and its `sts_endpoint_url` config property) which could make it possible to utilize a configured VPC endpoint for "sts" at a 192.168.0.0/16 or other subnet IP range. One cannot AFAIK set up a VPC endpoint for a non-regional AWS service endpoint.
I've looked at https://github.com/aws/aws-sdk-ruby/ and have tried setting all AWS_REGION etc. environment variables to no avail, and also tried setting `aws_use_sts` to both true / false, which doesn't affect the outcome. Of course, any good workarounds or other tips would be appreciated too!
Using Fluentd and CloudWatchLogs plugin versions
Boot log:
Thanks!
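To make the egress problem in the issue concrete, here is an added Ruby example (not part of the issue thread or the plugin) that models the NSP described above: only 10.100.0.0/16 and 192.168.0.0/16 are allowed on port 443, and the global STS hostname is compared against the regional one. The DNS table is constructed; the 54.239.29.25 address is the one quoted in the issue, the 192.168.x addresses stand in for VPC interface endpoint IPs.

```ruby
require 'ipaddr'

# Egress CIDRs on port 443 from the NSP described in the issue
# (DNS on port 53 is handled separately and omitted here).
ALLOWED_EGRESS_443 = %w[10.100.0.0/16 192.168.0.0/16].map { |c| IPAddr.new(c) }.freeze

# Constructed stand-in for a resolver. The global endpoint address is the
# one quoted in the issue; the regional entries are made-up private
# addresses such as a VPC interface endpoint would hand out.
FAKE_DNS = {
  'sts.amazonaws.com'            => '54.239.29.25',
  'sts.eu-west-1.amazonaws.com'  => '192.168.45.17',
  'logs.eu-west-1.amazonaws.com' => '192.168.45.18'
}.freeze

# Host the SDK contacts for STS, depending on whether regional endpoints
# are in use (the global hostname is what the issue observed at startup).
def sts_host(region, regional:)
  regional ? "sts.#{region}.amazonaws.com" : 'sts.amazonaws.com'
end

# True when the NSP would permit a port-443 connection to this address.
def egress_allowed?(ip, allowed = ALLOWED_EGRESS_443)
  addr = IPAddr.new(ip)
  allowed.any? { |net| net.include?(addr) }
end

# Resolves the chosen STS host through the (constructed) DNS table and
# reports whether the NSP lets the plugin reach it.
def check_sts_egress(region, regional:, dns: FAKE_DNS)
  host = sts_host(region, regional: regional)
  ip = dns.fetch(host) { raise "no DNS entry for #{host}" }
  { host: host, ip: ip, allowed: egress_allowed?(ip) }
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |regional|
    r = check_sts_egress('eu-west-1', regional: regional)
    puts format('%-30s -> %-15s %s', r[:host], r[:ip],
                r[:allowed] ? 'ALLOWED' : 'BLOCKED by NSP')
  end
end
```

Running it shows the global hostname resolving outside the allowed ranges and being blocked, while the regional hostname lands in the VPC endpoint range and passes.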