Closed breathe closed 2 years ago
Hi @breathe !
Thanks for reporting. We are in the process of replacing the deprecated rusoto library with the AWS maintained SDK. I'd be curious if you still see this behavior once that is complete. If you do, we can dig in then. The aws_s3 sink SDK replacement should happen in time for 0.21.0 next week.
> I'd be curious if you still see this behavior once that is complete
Alright that sounds promising -- will plan to upgrade to 0.21.0 after it drops and observe
I saw that 0.20.1 is out -- https://vector.dev/releases/0.20.1/#changelog -- I believe this release does not include the migration of the aws_s3 sink off of rusoto but just wanted to double-check ...
Hi @breathe ! That's correct, but it will be in 0.21.0 which should go out this week.
I upgraded to 0.21.0 in one of our environments -- unfortunately it seems that 0.21.0 is not able to authenticate for usage of the aws_s3 sink at all ...
I had checked over the changelog and I don't see anything that needs adjusting on our side. I've a copy of our configuration above (still the same). We already used the AWS_CONFIG_FILE env var to supply a custom path to an aws credentials file -- and that credentials file uses the credentials_process sdk configuration parameter (which gets short-lived credentials via an external process).
We also had the region parameter for the target bucket already defined in the s3 sink -- but I tried defining that parameter in the aws config file as well with no change in behavior ...
Here are some example error logs if I disable the health-check in order to try to get more info ...
Apr 19 14:50:13 somehost vector[27408]: 2022-04-19T14:50:13.985185Z ERROR sink{component_kind="sink" component_id=log-sink-s3 component_type=aws_s3 component_name=log-sink-s3}:request{request_id=208}: vector::sinks::util::retries: Non-retriable error; dropping the request. error=Error { code: "AccessDenied", message: "Access Denied", request_id: "SWTXZ1G45FAPX245", s3_extended_request_id: "u38tMil6E44zlnHeAzwWTC563SjLYx/feAajo5CITzkAPseDauVoh9pg7pO+4pwLl2Rnd55u4k8=" }
Apr 19 14:50:13 somehost vector[27408]: 2022-04-19T14:50:13.985302Z ERROR sink{component_kind="sink" component_id=log-sink-s3 component_type=aws_s3 component_name=log-sink-s3}:request{request_id=208}: vector_core::stream::driver: Service call failed. error=ServiceError { err: PutObjectError { kind: Unhandled(Error { code: Some("AccessDenied"), message: Some("Access Denied"), request_id: Some("SWTXZ1G45FAPX245"), extras: {"s3_extended_request_id": "u38tMil6E44zlnHeAzwWTC563SjLYx/feAajo5CITzkAPseDauVoh9pg7pO+4pwLl2Rnd55u4k8="} }), meta: Error { code: Some("AccessDenied"), message: Some("Access Denied"), request_id: Some("SWTXZ1G45FAPX245"), extras: {"s3_extended_request_id": "u38tMil6E44zlnHeAzwWTC563SjLYx/feAajo5CITzkAPseDauVoh9pg7pO+4pwLl2Rnd55u4k8="} } }, raw: Response { inner: Response { status: 403, version: HTTP/1.1, headers: {"x-amz-request-id": "SWTXZ1G45FAPX245", "x-amz-id-2": "u38tMil6E44zlnHeAzwWTC563SjLYx/feAajo5CITzkAPseDauVoh9pg7pO+4pwLl2Rnd55u4k8=", "content-type": "application/xml", "transfer-encoding": "chunked", "date": "Tue, 19 Apr 2022 14:50:13 GMT", "server": "AmazonS3", "connection": "close"}, body: SdkBody { inner: Once(Some(b"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>SWTXZ1G45FAPX245</RequestId><HostId>u38tMil6E44zlnHeAzwWTC563SjLYx/feAajo5CITzkAPseDauVoh9pg7pO+4pwLl2Rnd55u4k8=</HostId></Error>")), retryable: true } }, properties: SharedPropertyBag(Mutex { data: PropertyBag, poisoned: false, .. }) } } request_id=208
Is credentials_process not supported via the official rust aws-sdk?
> Is credentials_process not supported via the official rust aws-sdk?
Ahh .. bummer -- thanks for the link. I'm upvoting that issue!
Apologies @breathe . We missed that credentials_process also isn't supported by the new AWS SDK. We'll be adding a note to the docs.
We do have an upcoming feature in Vector to load secrets from an external process that could be used as a workaround: #11985
Hi @breathe . Just a note that credentials_process support was added to the new AWS SDK. It'll be available in the next Vector release: 0.23.0.
A note for the community
Problem
I have been seeing occasional spurious authentication failures from vector across our fleet. The vector process suddenly starts producing output indicating failures to authenticate to s3:
This seems to occasionally affect a single host. It's been observed to self-correct after a few minutes -- but most recently the error persisted for several hours on a host without self-correcting -- so I restarted the vector process manually and that resolved the issue ...
Vector is configured to pull credentials for a role with write privileges to the relevant bucket using an aws credential_process -- and I suspect that the vector agent isn't always refreshing credentials prior to them expiring.
Configuration
Version
Debug Output
Example Data
No response
Additional Context
Vector is being run by systemd
And we are using the prebuilt rpm
References
No response
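The refresh-before-expiry behaviour the report above suspects is missing, sketched as an added example; it is not code from Vector, rusoto or the AWS SDK. It parses the JSON a credential_process helper prints (Version, AccessKeyId, SecretAccessKey, SessionToken, Expiration) and re-runs the helper inside an assumed five-minute window; `RefreshingProvider`, `parse_process_output`, `make_fake_helper` and all credential values are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

REFRESH_WINDOW = timedelta(minutes=5)  # assumed safety margin, not a Vector setting

def parse_process_output(raw):
    """Validate the JSON a credential_process helper prints on stdout."""
    doc = json.loads(raw)
    if doc.get("Version") != 1:
        raise ValueError("unsupported Version: %r" % doc.get("Version"))
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not doc.get(key):
            raise ValueError("missing " + key)
    exp = doc.get("Expiration")  # optional; absent means the keys do not expire
    if exp is not None:
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        if exp.tzinfo is None:
            raise ValueError("Expiration must carry a UTC offset")
    return {"key": doc["AccessKeyId"], "secret": doc["SecretAccessKey"],
            "token": doc.get("SessionToken"), "expires": exp}

class RefreshingProvider:
    """Caches credentials and re-runs the helper before they expire."""
    def __init__(self, run_helper, window=REFRESH_WINDOW):
        self.run_helper, self.window = run_helper, window
        self.cached, self.runs = None, 0

    def get(self, now):
        # Stale when nothing is cached yet or expiry falls inside the window.
        stale = (self.cached is None or
                 (self.cached["expires"] is not None and
                  now >= self.cached["expires"] - self.window))
        if stale:
            self.cached = parse_process_output(self.run_helper())
            self.runs += 1
        return self.cached

# Constructed stand-in for the external process; every value below is fake.
def make_fake_helper(start, lifetime=timedelta(minutes=15)):
    state = {"n": 0}
    def helper():
        state["n"] += 1
        exp = start + lifetime * state["n"]
        return json.dumps({"Version": 1,
                           "AccessKeyId": "CONSTRUCTED-KEY-%d" % state["n"],
                           "SecretAccessKey": "constructed-secret",
                           "SessionToken": "constructed-token",
                           "Expiration": exp.strftime("%Y-%m-%dT%H:%M:%SZ")})
    return helper
```

A provider that caches without the `stale` check keeps signing requests with the first key set after it expires, and S3 rejects those requests until the process is restarted.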