Hi Team,
We are facing the filebeat aws s3 module issue in versions 7.10, 7.10.1, 7.11.0, 7.11.1, 7.11.2, 7.12.0.
We have deployed filebeat in a k8s environment, and the ELK stack with the ECK operator.
While trying to use the filebeat aws s3 module to get the data from the SQS queue, we are getting the below error.
ERROR:
2021-03-30T10:35:42.401Z ERROR [input.s3] s3/collector.go:107 SQS ReceiveMessageRequest failed: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: XXXXXX {"queue_url": "XXXXXXX", "region": "XXXXX"}
Note: We are not using aws credentials; we are using the IAM role to access SQS and S3.
As we have verified, we are all clear on IAM permissions and we don't find any issue with IAM here.
Kindly provide guidance to overcome this issue ASAP.
Thanks for creating the issue here! Using role_arn still requires access key id and secret access key to be under the shared credential file [default] section. Here is the link for how to create the shared credentials file: Create a shared credentials file - Amazon Simple Email Service. This file by default is ~/.aws/credentials for Linux and macOS. Do you have this file with the correct credentials under [default] section?
What you are suggesting (specifying an access key or credentials file) is valid for beats deployments outside the AWS environment, but that is against best practices for deployment within AWS (EC2 or ECS task).
AWS suggests configuring IAM permissions in the following order of preference:
1. Use IAM Task Role for ECS task
2. Use IAM role attached to EC2 (technically it is a role associated to an IAM instance profile that is attached to EC2)
3. Use credentials file
4. Use environment variables
Option 2 above is really convenient and more secure because there's no access key to manage or rotate; you only need to attach a role to an instance.
The AWS CLI and SDK support all those options.
For the Filebeat configuration, I think Elastic should implement it in such a way that if none are configured (all blank) it falls back to the attached Task Role or IAM instance role, or introduce a boolean configuration option for the attached IAM Role.
Thanks @nugroho-expereo for your suggestion!! We did add the var.role_arn config option in the aws module but right now it only works when credentials are set in the shared credential file under the default profile. Will investigate more here! Thank you again!!
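The two setups discussed in this thread side by side, as an added example written for this page (not from the original posts or from Elastic): the aws module s3access fileset using var.role_arn with a shared credentials file, as the reply says is required in these versions, and the key-free variant nugroho-expereo argues for. Queue URL, role ARN, account id and file path are placeholders, and the fall-through to the SDK default credential chain in the second variant is an assumption the thread does not confirm.

```yaml
# filebeat.yml excerpt (added example, not from the thread). Values in
# CAPITALS are placeholders; the queue URL and role ARN in the original
# error were redacted, so none of these values come from the page.
filebeat.modules:
  - module: aws
    s3access:
      enabled: true
      var.queue_url: https://sqs.REGION.amazonaws.com/ACCOUNT_ID/QUEUE_NAME

      # Variant A: what the reply says works in 7.10-7.12 with var.role_arn.
      # The key pair must live in the shared credentials file under the
      # [default] profile; Filebeat uses it to assume the role below. Mount
      # the file into the container (e.g. from a Kubernetes Secret) rather
      # than writing keys into filebeat.yml, and rotate them like any other
      # static credential.
      var.role_arn: arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME
      var.shared_credential_file: /usr/share/filebeat/.aws/credentials
      var.credential_profile_name: default
      #   contents of that file:
      #   [default]
      #   aws_access_key_id = ...
      #   aws_secret_access_key = ...

      # Variant B: the key-free setup (EC2 instance profile / ECS task role).
      # Leave role_arn and every credential option unset, assumed here to fall
      # through to the AWS SDK default credential chain, and grant the SQS
      # and S3 permissions directly to the attached role. The thread does not
      # confirm this works together with var.role_arn in these versions.
      # var.role_arn: (unset)
      # var.shared_credential_file: (unset)
      # var.credential_profile_name: (unset)
```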