65Custom
commented
3 years ago I am still having this issue when using multiple inputs, has anyone have any input on this situation?
in my case I have two inputs one using keys and the other using a role, time has not permitted to switching to complete role based auth and I am faced with this issue again now it seems as though it is not even using the instance role and trying to use the user and keys which does not have permissions.
Sep 21 21:53:14 ip-10-10-10-10 logstash: java.lang.RuntimeException: com.amazonaws.services.kinesis.leases.exceptions.DependencyException: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::X1XXX4XXXXX3:user/elk.kinesis.reader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::X9XXX3XXXXX6:role/logstashrole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b893e2c7-869d-4af2-9c46-f87615b560c6) Sep 21 21:53:14 ip-10-10-10-10 logstash: Caused by: com.amazonaws.services.kinesis.leases.exceptions.DependencyException: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::X1XXX4XXXXX3:user/elk.kinesis.reader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::X9XXX3XXXXX:role/logstashrole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b893e2c7-869d-4af2-9c46-f87615b560c6) Sep 21 21:53:14 ip-10-10-10-10 logstash: Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::X1XXX4XXXXX3:user/elk.kinesis.reader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::X9XXX3XXXXX6:role/logstashrole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b893e2c7-869d-4af2-9c46-f87615b560c6)
The message below should be correct per the documentation. The plugin tries to assume a IAM role first and then Assumes the IAM Instance Role. But this is not what happened It says it is not authorized to assume the role. To resolve this I had to add sts assumerole and trust relationship to the IAM User role it was trying to use to cross the account that it was not authorized to assume.
In this case it was trying to assume the role from the first input which was going to a different account. Once this account was given assume permissions to the other account it worked but this is not the intended route or configuration
the second input should have tried to assume the role it was assigned from the role_arn but it did not try to assume this role first it was assuming the same role as the first input and trying to access kinesis but it would then fail and shutdown because it did not have permissions.
I'm using this in a mixed inputs env using some aws keys and some roles.
The inputs should use the auth method specified for each input but it seems that it tries to assume a role with a key vs the instance role on the server.
Also does or can the plugin be used with multiple accounts in this configuration? So if I want to use keys or instance role to access different accounts from the same pipeline but using multiple inputs each one using a different account