lazywithclass / winston-cloudwatch

Send logs to Amazon Cloudwatch using Winston.
MIT License
260 stars 105 forks

Support for access key sessionTokens #124

Open lstatro opened 4 years ago

lstatro commented 4 years ago

Hi'ya,

I don't see a means to manually supply a sessionToken. Obviously that's not an issue when running on a server logging out to the server's host account, as AWS will supply the default creds. However, it seems to be an issue should one want to push the logs to another account using creds from an STS assumeRole request.

I welcome feedback anyone may have (admittedly, I may have missed something).

Thanks!

    if (awsAccessKeyId && awsSecretKey && awsRegion) {
      config = { accessKeyId: awsAccessKeyId, secretAccessKey: awsSecretKey, region: awsRegion };
    } else if (awsRegion && !awsAccessKeyId && !awsSecretKey) {
      // Amazon SDK will automatically pull access credentials
      // from IAM Role when running on EC2 but region still
      // needs to be configured
      config = { region: awsRegion };
    }

https://github.com/lazywithclass/winston-cloudwatch/blob/master/index.js#L47

lazywithclass commented 4 years ago

Hi, I'm not aware of what a sessionToken is. It has been ages since I used this module and now I am only maintaining it. Could you please provide a code example of how you would use this feature?

Also, if you could link to the AWS documentation about sessionToken it would be great! Thanks.

lstatro commented 4 years ago

Hi,

Sorry for the delay, here are a few links and an example:

  const AWS = require('aws-sdk');
  const winston = require('winston');
  const WinstonCloudWatch = require('winston-cloudwatch');

  async function main() {
    const sts = new AWS.STS();
    /*
      this role would be in another account that
      has a trust relationship set up with the account hosting
      this specific logger
    */
    let assumedRole = await sts.assumeRole({
      RoleArn: 'myRoleArn',
      RoleSessionName: 'mySessionName'
    }).promise();

    winston.add(new WinstonCloudWatch({
      awsRegion: 'us-east-1',
      awsAccessKeyId: assumedRole.Credentials.AccessKeyId,
      awsSecretKey: assumedRole.Credentials.SecretAccessKey,
      /*
        awsSessionToken is not a valid option for winston-cloudwatch,
        but is necessary for api calls that use AssumeRole based creds
      */
      awsSessionToken: assumedRole.Credentials.SessionToken,
      awsOptions: {
        logStreamName: 'us-east-1'
      },
      logGroupName: 'testing',
      logStreamName: 'first'
    }));

    winston.error('1');
  }

  main().catch(console.error);

lazywithclass commented 4 years ago

As you might imagine I've been quite busy lately, sorry for the absurd delay in dealing with this. Is this still an issue?

If so, am I right that I would just have to provide an awsSessionToken and use that info to authenticate the calls?

emanueleragni-nova commented 3 years ago

I'm facing the same issue, and yes, you are right, it's just needed to add an awsSessionToken in the request. Check this for reference: Using temporary credentials with AWS resources

lazywithclass commented 3 years ago

Ok I will have a look in the following weeks, I might have some free time.

Snapu commented 2 years ago

+1

dsoyez commented 8 months ago

If you use awsOptions?: CloudWatchLogsClientConfig; to provide the credentials object, I guess it should be passed down to the AWS SDK. That's what I'm using, and I have no issue with STS assumeRole.
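The following is an added example, not code from this thread or from winston-cloudwatch itself. It shows the approach dsoyez describes: map the PascalCase fields of an STS AssumeRole response onto the camelCase credentials object that AWS SDK v3 client configs accept, and pass it to the transport through awsOptions rather than as separate awsAccessKeyId / awsSecretKey options. It also adds two checks a practitioner wants before wiring temporary credentials into a logger: reject a temporary access key (AWS issues these with an "ASIA" prefix) that has no session token, because CloudWatch Logs will refuse such requests, and reject credentials that are already expired. The AssumeRole response, the key material and the option names logGroupName, logStreamName and awsOptions are constructed or taken from the thread; nothing here talks to AWS, so it runs offline.

```javascript
// Added example, not part of the original thread or of winston-cloudwatch.
// Builds winston-cloudwatch options from an STS AssumeRole response using the
// SDK v3 credentials shape { accessKeyId, secretAccessKey, sessionToken, expiration }.

// Constructed sample of an `sts.assumeRole(...)` response. All values are fake.
const SAMPLE_ASSUME_ROLE_RESPONSE = {
  Credentials: {
    AccessKeyId: 'ASIAEXAMPLEEXAMPLE12',        // temporary keys start with "ASIA"
    SecretAccessKey: 'constructed-secret-not-real',
    SessionToken: 'constructed-session-token-not-real',
    Expiration: new Date('2030-01-01T00:00:00Z'),
  },
  AssumedRoleUser: {
    Arn: 'arn:aws:sts::123456789012:assumed-role/LogWriter/mySessionName', // constructed
  },
};

// Map STS field names (PascalCase) to the SDK v3 credentials object (camelCase).
function credentialsFromAssumeRole(response) {
  const c = response && response.Credentials;
  if (!c || !c.AccessKeyId || !c.SecretAccessKey) {
    throw new Error('AssumeRole response has no Credentials');
  }
  // A temporary access key is only accepted together with its session token;
  // sending AccessKeyId + SecretAccessKey alone is the mistake this issue is about.
  if (c.AccessKeyId.startsWith('ASIA') && !c.SessionToken) {
    throw new Error('temporary credentials require a SessionToken');
  }
  return {
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
    expiration: c.Expiration,
  };
}

// True while the credentials remain usable with a safety margin (in seconds).
function isStillValid(creds, now = new Date(), marginSeconds = 60) {
  if (!creds.expiration) return true; // long-term keys carry no expiration
  return creds.expiration.getTime() - now.getTime() > marginSeconds * 1000;
}

// Assemble the transport options: credentials travel inside awsOptions, which
// winston-cloudwatch (per dsoyez) hands to the CloudWatchLogs client config.
function buildTransportOptions(response, region, logGroupName, logStreamName) {
  const credentials = credentialsFromAssumeRole(response);
  if (!isStillValid(credentials)) {
    throw new Error('assumed-role credentials already expired; call AssumeRole again');
  }
  return {
    logGroupName,
    logStreamName,
    awsOptions: { region, credentials },
  };
}

// Offline self-check: the session token must survive into awsOptions.credentials.
function selfCheck() {
  const opts = buildTransportOptions(SAMPLE_ASSUME_ROLE_RESPONSE, 'us-east-1', 'testing', 'first');
  return opts.awsOptions.credentials.sessionToken === SAMPLE_ASSUME_ROLE_RESPONSE.Credentials.SessionToken;
}

console.log('session token preserved:', selfCheck());
```

In real use, replace SAMPLE_ASSUME_ROLE_RESPONSE with the result of the STS call and pass the returned object to the WinstonCloudWatch constructor. Because assumed-role credentials expire (typically after one hour), a long-running process should re-run AssumeRole before expiry; SDK v3 client configs also accept a credential provider function in place of a static object, which is the cleaner way to refresh.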