Can't assume role in filebeat cloudwatch input when IAM policy can assume multiple roles

We are using Filebeat 7.17.5 with the CloudWatch input, and we want to retrieve logs from another AWS account b and AWS account c.
So in the Filebeat AWS role, we have a policy which allows assuming roles for the other two accounts.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::111111111111:role/role-a-in-account-a",
                "arn:aws:iam::222222222222:role/role-b-in-account-b"
            ],
            "Effect": "Allow"
        }
    ]
}

But in Filebeat, I found this error:

2023-03-07T09:08:07.177Z ERROR [aws-cloudwatch] awscloudwatch/input.go:216 failed DescribeLogGroupsRequest: InvalidParameter: 1 validation error(s) found.
minimum field size of 20, AssumeRoleInput.RoleArn.

The Filebeat CloudWatch plugin works when there is a single account in the policy to assume, i.e.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111111111111:role/role-a-in-account-a",
            "Effect": "Allow"
        }
    ]
}

Is anyone else facing this issue?

Cheers,
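The error text quoted in the post names a minimum-length check on `AssumeRoleInput.RoleArn`. The following is an added example, not part of the original post and not Filebeat code: it checks each `role_arn` value a set of inputs would pass to AssumeRole against that length limit and against the policy's `Resource`, whether that is a single string or a list. The `CONFIGURED` values and the function names are constructed for illustration.

```python
import fnmatch
import re

# STS documents AssumeRole's RoleArn as 20..2048 characters; the SDK checks the
# minimum before sending, which is the validation named in the quoted error.
ARN_MIN, ARN_MAX = 20, 2048
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

def as_list(value):
    """IAM accepts a bare string or object wherever it accepts a list."""
    return value if isinstance(value, list) else [value]

def allowed_role_patterns(policy):
    """Resource entries of Allow statements whose Action covers sts:AssumeRole.
    Deny statements and Condition blocks are not evaluated here."""
    patterns = []
    for stmt in as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") == "Allow" and any(
                fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            patterns += as_list(stmt.get("Resource", []))
    return patterns

def check_role_arn(role_arn, policy):
    """Return the problems found for one configured role_arn ([] means OK)."""
    value = role_arn or ""
    if not ARN_MIN <= len(value) <= ARN_MAX:
        return [f"length {len(value)} outside {ARN_MIN}..{ARN_MAX}"]
    if not ROLE_ARN_RE.match(value):
        return ["not an IAM role ARN"]
    if not any(fnmatch.fnmatchcase(value, p) for p in allowed_role_patterns(policy)):
        return ["no Allow statement covers this role"]
    return []

# The two-role policy from the post.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Resource": ["arn:aws:iam::111111111111:role/role-a-in-account-a",
                 "arn:aws:iam::222222222222:role/role-b-in-account-b"]}]}

# Constructed role_arn values, one per hypothetical input (not the poster's config).
CONFIGURED = ["arn:aws:iam::111111111111:role/role-a-in-account-a",
              "", "role-b-in-account-b",
              "arn:aws:iam::333333333333:role/role-c-in-account-c"]

if __name__ == "__main__":
    for arn in CONFIGURED:
        print(repr(arn), check_role_arn(arn, POLICY) or "ok")
```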
