Scenario is I am trying to use Logstash to:
- pull AWS CloudTrail '.json.gz' logs from an S3 bucket using logstash-input-s3 plugin
- process them using the logstash-codec-cloudtrail plugin
- send them to Elasticsearch using standard output.
The installation itself is a standard RPM installation of logstash-1.5.4-1.noarch.rpm with 'logstash-codec-cloudtrail' installed afterward. Otherwise vanilla.
The credentials (ACCESS_KEY + SECRET_KEY) used exist in the same account as the s3 bucket, and have full access.
I need help with getting Logstash to correctly use/recognise the IAM credentials provided, because I can confirm that for some reason it does not, and is instead using the IAM Role of the instance.
I confirmed this by spending hours with AWS Support, who checked the back-end s3 authentication logs and confirmed the role credentials are being used. I spent hours checking the configuration with them and checking the documentation.
This may be a bug, but I'm unsure. I'm trying to make sure I haven't missed something.
With the assistance of the AWS staff, I was able to enable Ruby debug.
From the investigations we did, it is apparent that Logstash is just simply not using the provided credentials, and is instead prioritising the IAM role.
It looks for default credentials in the following order and loads the first set that it finds:
- Credentials passed to the AWS.config method with the :access_key_id and :secret_access_key_id options.
- Environment Variables – AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. The SDK for Ruby uses the ENVProvider class to load these credentials.
- The credentials file's default profile – For more information about the credentials file, see Setting up AWS Credentials. The SDK for Ruby uses the SharedCredentialFileProvider to load profiles.
- Instance profile credentials – these credentials can be assigned to Amazon EC2 instances, and are delivered through the Amazon EC2 metadata service. The SDK for Ruby uses EC2Provider to load these credentials.
I need to find out how to fix or override this function, I think.
Upon further testing, it's definitely not using the credentials from the config file.
We tested this by giving both the IAM User (In config) and the IAM Role (For the instance) the same permissions to S3, then removing the S3 permissions for the Role.
Also, to take the variable of cross-account access out, this was tested to an S3 bucket local to the instance's account.
We added the following code to the input/s3.rb file:
I suspect that there may be something up with this file: /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-mixin-aws-1.0.1/lib/logstash/plugin_mixins/aws_config/v1.rb
Especially, as this enhancement has some discussion surrounding defaulting to IAM roles.
Thanks for submitting this as a bug, but I am hoping that there may be some workaround that we can determine to get my Logstash instance working as intended.
I have been at this for a few weeks now, so it's becoming quite a blocker for some elements of my current project.
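The credential lookup order quoted above is the crux of the thread: whichever provider returns a usable pair first becomes the identity that S3 sees, and an instance role only gets used when every earlier source comes up empty. The following Ruby is an added example, not code from the post, from Logstash, or from the AWS SDK: it re-implements that four-step chain offline (each provider takes its input explicitly instead of reading the real environment, ~/.aws/credentials, or the EC2 metadata endpoint), so you can see which source wins for a given configuration. The key IDs, the credentials-file contents and the metadata JSON are constructed sample values; the provider names mirror the ones in the quoted SDK documentation, but the lookup logic is this example's own.

```ruby
require 'json'

# Constructed sample inputs (not real credentials, not taken from the post).
SAMPLE_CREDENTIALS_FILE = <<~INI
  [default]
  aws_access_key_id = AKIAFILEPROFILEEXAMPLE
  aws_secret_access_key = file-secret-EXAMPLE
INI

SAMPLE_ROLE_METADATA = {
  'Code' => 'Success',
  'AccessKeyId' => 'ASIAINSTANCEROLEEXAMPLE',
  'SecretAccessKey' => 'role-secret-EXAMPLE',
  'Token' => 'role-session-token-EXAMPLE'
}.to_json

# Step 1: explicit options handed to the SDK (what a plugin's access_key_id /
# secret_access_key settings are supposed to become).
def static_provider(opts)
  return nil unless opts[:access_key_id] && opts[:secret_access_key]
  { source: 'AWS.config options', access_key_id: opts[:access_key_id] }
end

# Step 2: environment variables.
def env_provider(env)
  key, secret = env['AWS_ACCESS_KEY_ID'], env['AWS_SECRET_ACCESS_KEY']
  return nil unless key && secret
  { source: 'ENVProvider', access_key_id: key }
end

# Step 3: the named profile of an INI-style shared credentials file.
def shared_file_provider(contents, profile = 'default')
  return nil if contents.nil?
  current = nil
  found = {}
  contents.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
    elsif current == profile && (m = line.match(/\A(\w+)\s*=\s*(.+)\z/))
      found[m[1]] = m[2]
    end
  end
  return nil unless found['aws_access_key_id'] && found['aws_secret_access_key']
  { source: 'SharedCredentialFileProvider', access_key_id: found['aws_access_key_id'] }
end

# Step 4: instance-profile credentials. The real provider queries the EC2
# metadata service; here the JSON response is passed in as a string.
def ec2_provider(metadata_json)
  return nil if metadata_json.nil?
  doc = JSON.parse(metadata_json)
  return nil unless doc['AccessKeyId'] && doc['SecretAccessKey']
  { source: 'EC2Provider (instance role)', access_key_id: doc['AccessKeyId'] }
end

# First provider that yields a complete key pair wins; nil if none does.
def resolve_credentials(opts: {}, env: {}, credentials_file: nil, metadata_json: nil)
  static_provider(opts) ||
    env_provider(env) ||
    shared_file_provider(credentials_file) ||
    ec2_provider(metadata_json)
end

# Case 1: the config keys reach the SDK as options, so the IAM user wins
# even though the instance also has a role.
def scenario_config_keys_reach_sdk
  resolve_credentials(
    opts: { access_key_id: 'AKIACONFIGUSEREXAMPLE', secret_access_key: 'config-secret-EXAMPLE' },
    metadata_json: SAMPLE_ROLE_METADATA
  )
end

# Case 2 (constructed failure mode): only half of the pair reaches the SDK,
# so step 1 returns nothing and the chain silently falls through to the
# instance role. This is one way the symptom described in the post can arise.
def scenario_config_keys_lost
  resolve_credentials(
    opts: { access_key_id: 'AKIACONFIGUSEREXAMPLE' },
    metadata_json: SAMPLE_ROLE_METADATA
  )
end

if __FILE__ == $PROGRAM_NAME
  [scenario_config_keys_reach_sdk, scenario_config_keys_lost].each do |r|
    puts "#{r[:source]} -> #{r[:access_key_id]}"
  end
end
```

The useful diagnostic is the `source` field: when the S3 server-side logs show the role's key ID, as AWS Support observed here, the chain has fallen through steps 1 to 3, which means the configured pair never arrived at the SDK intact, not that the role outranks it. Checking which provider actually fired (in the real SDK, by inspecting the credential provider object the client ends up with under debug logging) narrows the problem to the plugin-to-SDK hand-off rather than the IAM user's permissions.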