lukewaite / logstash-input-cloudwatch-logs

Input plugin for Logstash to stream events from CloudWatch Logs
Other
142 stars 74 forks

Include role_arn in the cloudwatch_logs input plugin #81

Open kazizi-swe opened 5 years ago

kazizi-swe commented 5 years ago

I'm able to use role_arn => "${ROLE_ARN}" using your input plugin. I don't see any option in your input plugin for this, please update Readme.

Edit. I had to spend a long time finding out if it's possible to be done or not using your code. It could have been saved simply by mentioning it in your readme.

maksym-iv commented 5 years ago

@koursoh could you please paste what solution you've found?

wright831 commented 5 years ago

I'll post this up as I just got it working. In the cloudwatch_logs input section you omit the access_key_id and secret_access_key parameters and instead use role_arn => "${ROLE_ARN}". But (key part that should have been mentioned), if you do this then you need to create a credentials file with the access_key_id and secret_access_key and place that file in the directory where Logstash is installed. So something like /usr/share/logstash/.aws/credentials. The plugin will then reference the account you're coming from (i.e., the user tied to the credentials file) and the role_arn will reference the account you're role switching into to pull logs. Oh, and you'll likely need [default] at the top of your credentials file with those two parameters under it, unless you plan to reference more than one set of keys in there. Happy to see this finally working, let me know if you run into any issues.
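A preflight check for the setup described in the comment above, added here as an example; it is not code from the plugin or from any commenter. The function name `preflight`, the 0600 permission check and the sample values are assumptions of this example; the key names are the ones the AWS shared credentials file format uses (`aws_access_key_id`, `aws_secret_access_key`).

```python
import configparser
import os
import re
import stat
import tempfile

# IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<path/name>
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[\w+=,.@/-]+$")
REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key")

def preflight(logstash_home, role_arn, profile="default"):
    """Return a list of problems; an empty list means the setup looks sane."""
    problems = []
    # Catches an unexpanded "${ROLE_ARN}" as well as typos in the ARN.
    if not ROLE_ARN_RE.match(role_arn or ""):
        problems.append("role_arn is not a well-formed IAM role ARN")
    path = os.path.join(logstash_home, ".aws", "credentials")
    if not os.path.isfile(path):
        return problems + [f"missing credentials file: {path}"]
    # Long-lived keys live in this file, so group/other must have no access.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("credentials file is accessible to group/other (want 0600)")
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read(path)
    except configparser.Error as exc:  # e.g. keys with no [default] header
        return problems + [f"credentials file does not parse: {type(exc).__name__}"]
    if not cfg.has_section(profile):
        return problems + [f"no [{profile}] section in credentials file"]
    for key in REQUIRED_KEYS:
        if not cfg.get(profile, key, fallback="").strip():
            problems.append(f"[{profile}] is missing {key}")
    return problems

def make_home(body, mode):
    """Build a throwaway Logstash home holding a constructed credentials file."""
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, ".aws"))
    path = os.path.join(home, ".aws", "credentials")
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return home

# Constructed sample values, not real keys or a real account.
GOOD = "[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE00\naws_secret_access_key = constructed-secret\n"
ROLE = "arn:aws:iam::123456789012:role/LogReader"

if __name__ == "__main__":
    print(preflight(make_home(GOOD, 0o600), ROLE))
```
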

kazizi-swe commented 5 years ago

In case you want to see the whole Logstash code:

input {
  cloudwatch_logs {
    role_arn => "${ROLE_ARN}"
    log_group_prefix => true
    log_group => ["/aws/lambda/"]
    region => "${AWS_REGION}"
    type => "Cloudwatch"
    sincedb_path => "/usr/share/logstash/db/.sincedb*"
    start_position => 600
  }
}

The easiest / temporary solution to run it: create a docker with environment variables. Build the docker, run it, and you are good to go.

morganchristiansson commented 4 years ago

These AWS credentials parameters are managed by logstash-mixin-aws plugin and the parameters are identical across all plugins using this mixin. The documentation for this could be better in some plugins.

Can we close the issue as it's resolved? A PR to update README would be welcome I imagine.

MasterBlasterLS commented 4 years ago

Hi,

Is it actually working? I have implemented the config provided, however the ARN role is not working and all requests are going to the primary account.