Open vumdao opened 2 years ago
Currently, the support for the request signer is not automatic. We need to add the following code, which should be trivial to add:
@mustafaakin I just thought this tool was like aws-for-fluent-bit, where I just need to specify the IAM role ARN as the IRSA (IAM role for serviceAccount).
Without this support, we must use user/password, which is treated as an anonymous user by OpenSearch, and because of that the access policy must allow it as below:
```json
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": [
    "es:ESHttp*"
  ],
  "Resource": "arn:aws:es:ap-south-1:*:domain/dev-opensearch/*"
}
```
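A check for the pattern in the policy quoted above, added here as an example and not taken from the thread or the project: it scans a domain access policy for `Allow` statements whose principal is a wildcard and that carry no `Condition`, which is the shape that admits requests with no IAM identity. The role ARN, account ID and source range in the sample are placeholders.

```python
import json

# Constructed sample policy. Statement 0 is the one quoted in the thread; the
# role ARN and source range in statements 1 and 2 are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["es:ESHttp*"],
     "Resource": "arn:aws:es:ap-south-1:*:domain/dev-opensearch/*"},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/EXAMPLE-IRSA-ROLE"},
     "Action": "es:ESHttp*",
     "Resource": "arn:aws:es:ap-south-1:111122223333:domain/dev-opensearch/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "es:ESHttpGet",
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
     "Resource": "arn:aws:es:ap-south-1:111122223333:domain/dev-opensearch/*"}
  ]
}
""")

def _as_list(value):
    """IAM allows a scalar or a list for Statement, Action and Principal."""
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    """True when the Principal element matches any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def find_open_statements(policy):
    """Indexes of Allow statements on es: actions with a wildcard principal
    and no Condition block narrowing who can use them."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(a == "*" or a.startswith("es:") for a in actions):
            hits.append(i)
    return hits

if __name__ == "__main__":
    print("open statements:", find_open_statements(SAMPLE_POLICY))
```

Statement 1 shows the shape the IRSA setup discussed in this thread would allow: the principal is a single role, so only requests signed with that role's credentials match.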
Just wondering if this is on the roadmap at all? We have the same use case and would prefer not to use username/password if possible.
Just in case anyone else comes across this. I was able to use the sigv4 proxy admission controller to inject a sidecar that was capable of handling the Amazon request signing. It works perfectly with IRSA. https://github.com/aws-observability/aws-sigv4-proxy-admission-controller
I use OpenSearch and use an IAM role as the service account for authorizing
Config
Error