Open vumdao opened 2 years ago
Currently, support for the request signer is not automatic. We need to add the following code, which should be trivial to add:
@mustafaakin I just thought this tool was like aws-for-fluent-bit, where I just need to specify the IAM role ARN as the IRSA (IAM role for serviceAccount).
Without this support, we must use user/password, which is treated as an anonymous user by OpenSearch, and for that the access policy must allow as below:
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": [
    "es:ESHttp*"
  ],
  "Resource": "arn:aws:es:ap-south-1:*:domain/dev-opensearch/*"
}
Just wondering if this is on the roadmap at all? We have the same use case and would prefer not to use username/password if possible.
Just in case anyone else comes across this. I was able to use the sigv4 proxy admission controller to inject a sidecar that was capable of handling the Amazon request signing. It works perfectly with IRSA. https://github.com/aws-observability/aws-sigv4-proxy-admission-controller
Thanks for the suggestion to use sigv4 proxy, but I am running into issues getting sigv4 to work with Amazon OpenSearch Serverless (AOSS). I used the underlying aws-sigv4-proxy instead of aws-sigv4-proxy-admission-controller, because aws-sigv4-proxy provides more granular configuration. An IRSA is set up and grants the pod access to write to OpenSearch Serverless.
Here is my helm config.yaml:
config:
  route:
    routes:
      - match:
          - receiver: opensearch-receiver
  receivers:
    - name: "opensearch-receiver"
      opensearch:
        index: my-kubernetes-events
        hosts:
          - http://localhost:9000
sidecars:
  - name: aws-sigv4-proxy-sidecar
    image: public.ecr.aws/aws-observability/aws-sigv4-proxy:latest
    imagePullPolicy: IfNotPresent
    ports:
      - containerPort: 9000
    args:
      - --host
      - aaa
      - --port
      - :9000
      - --region
      - bbbb
      - --name
      - aoss
      - -v
serviceAccount:
  name: events-aoss
  create: true
  automountServiceAccountToken: true
  annotations:
    "eks.amazonaws.com/role-arn": cccc
Proxy logs show that requests are getting to the OpenSearch host (only GET methods, which is strange):
time="2024-09-16T03:48:56Z" level=debug msg="signed request" region=us-west-2 service=aoss
...
time="2024-09-16T03:48:56Z" level=error msg="error proxying request" message= request="GET https://myaosshost.us-west-2.aoss.amazonaws.com/" status_code=404
Here is a snippet of logs from the exporter pod:
{"level":"debug","sink":"opensearch-receiver","event":"Created pod: events-to-opensearch-kubernetes-event-exporter-5bdb56b6b-77g5x","time":"2024-09-16T03:48:56Z","message":"sending event to sink"}
{"level":"debug","error":"cannot retrieve information from OpenSearch","sink":"opensearch-receiver","event":"Created pod: events-to-opensearch-kubernetes-event-exporter-5bdb56b6b-77g5x","time":"2024-09-16T03:48:56Z","message":"Cannot send event"}
{"level":"debug","sink":"opensearch-receiver","event":"No matching pods found","time":"2024-09-16T03:48:56Z","message":"sending event to sink"}
{"level":"debug","error":"cannot retrieve information from OpenSearch","sink":"opensearch-receiver","event":"No matching pods found","time":"2024-09-16T03:48:56Z","message":"Cannot send event"}
{"level":"debug","sink":"opensearch-receiver","event":"Scaled up replica set events-to-opensearch-kubernetes-event-exporter-5bdb56b6b to 1","time":"2024-09-16T03:48:56Z","message":"sending event to sink"}
{"level":"debug","error":"cannot retrieve information from OpenSearch","sink":"opensearch-receiver","event":"Scaled up replica set events-to-opensearch-kubernetes-event-exporter-5bdb56b6b to 1","time":"2024-09-16T03:48:56Z","message":"Cannot send event"}
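For readers who want to see what "request signer" support would mean inside the exporter itself, rather than delegated to the aws-sigv4-proxy sidecar, here is an added example (not kubernetes-event-exporter's code and not the proxy's) that signs an OpenSearch Serverless index request with SigV4 using only the Go standard library. It assumes credentials already obtained through IRSA; the host, index name, access key, secret, session token and timestamp are all constructed placeholders, and the `aoss` service name and `us-west-2` region are taken from the thread above. OpenSearch Serverless requires the `x-amz-content-sha256` header to be part of the signature, so it is always included.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"sort"
	"strings"
	"time"
)

// Credentials as IRSA supplies them (web identity token exchanged for temporary keys,
// so a session token is always present). All values used in this file are constructed.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// awsEscape percent-encodes every byte outside the SigV4 unreserved set
// (A-Z a-z 0-9 - _ . ~); '/' is kept when encodeSlash is false (path form).
func awsEscape(s string, encodeSlash bool) string {
	const hexDigits = "0123456789ABCDEF"
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9',
			c == '-', c == '_', c == '.', c == '~', c == '/' && !encodeSlash:
			b.WriteByte(c)
		default:
			b.Write([]byte{'%', hexDigits[c>>4], hexDigits[c&15]})
		}
	}
	return b.String()
}

// canonicalQuery takes req.URL.Query(), encodes each name=value pair and sorts the
// encoded pairs (name order, then value order for duplicate names).
func canonicalQuery(q map[string][]string) string {
	var parts []string
	for k, vs := range q {
		for _, v := range vs {
			parts = append(parts, awsEscape(k, true)+"="+awsEscape(v, true))
		}
	}
	sort.Strings(parts)
	return strings.Join(parts, "&")
}

// SignRequest adds the SigV4 headers to req: X-Amz-Date, X-Amz-Content-Sha256
// (required by OpenSearch Serverless), X-Amz-Security-Token and Authorization.
func SignRequest(req *http.Request, body []byte, creds Credentials, region, service string, t time.Time) {
	amzDate, dateStamp := t.UTC().Format("20060102T150405Z"), t.UTC().Format("20060102")
	payloadHash := sha256Hex(body)
	req.Header.Set("X-Amz-Date", amzDate)
	req.Header.Set("X-Amz-Content-Sha256", payloadHash)
	req.Header.Set("X-Amz-Security-Token", creds.SessionToken)
	// Canonical headers: lowercase names, trimmed values, sorted by name.
	// Go keeps Host outside req.Header, so it is added explicitly.
	names, headers := []string{"host"}, map[string]string{"host": req.URL.Host}
	for k, v := range req.Header {
		names = append(names, strings.ToLower(k))
		headers[strings.ToLower(k)] = strings.TrimSpace(strings.Join(v, ","))
	}
	sort.Strings(names)
	var canonHeaders strings.Builder
	for _, n := range names {
		canonHeaders.WriteString(n + ":" + headers[n] + "\n")
	}
	signedHeaders := strings.Join(names, ";")
	canonicalRequest := strings.Join([]string{req.Method, awsEscape("/"+strings.TrimPrefix(req.URL.Path, "/"), false),
		canonicalQuery(req.URL.Query()), canonHeaders.String(), signedHeaders, payloadHash}, "\n")
	scope := dateStamp + "/" + region + "/" + service + "/aws4_request"
	stringToSign := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + sha256Hex([]byte(canonicalRequest))
	// Signing key: HMAC chain secret -> date -> region -> service -> "aws4_request".
	kDate := hmacSHA256([]byte("AWS4"+creds.SecretAccessKey), []byte(dateStamp))
	kRegion := hmacSHA256(kDate, []byte(region))
	kService := hmacSHA256(kRegion, []byte(service))
	kSigning := hmacSHA256(kService, []byte("aws4_request"))
	signature := hex.EncodeToString(hmacSHA256(kSigning, []byte(stringToSign)))
	req.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential="+creds.AccessKeyID+"/"+scope+
		", SignedHeaders="+signedHeaders+", Signature="+signature)
}

// SignedEventRequest builds and signs the index request an exporter would send for one
// Kubernetes event. Host, index, credentials and timestamp are constructed placeholders.
func SignedEventRequest(body string) *http.Request {
	req, _ := http.NewRequest(http.MethodPost, // constant, well-formed URL: NewRequest cannot fail
		"https://myaosshost.us-west-2.aoss.amazonaws.com/my-kubernetes-events/_doc", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	creds := Credentials{"AKIAEXAMPLE", "constructed-secret", "constructed-token"}
	SignRequest(req, []byte(body), creds, "us-west-2", "aoss", time.Date(2024, 9, 16, 3, 48, 56, 0, time.UTC))
	return req
}
```

The five headers that end up in `SignedHeaders` (content-type, host, x-amz-content-sha256, x-amz-date, x-amz-security-token) are what the sidecar produces on the exporter's behalf, which is why the proxy's debug log reports `signed request ... service=aoss`; if an in-process signer is ever added, the service name must be `aoss` for Serverless and `es` for a managed domain, and the signing key must be re-derived whenever IRSA rotates the temporary credentials.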
I use OpenSearch and use an IAM role as the service account for authorization.
Config
Error