I added a role_arn as per the documented configuration option, but it is still trying to use the default credentials.
I checked, and my version of the plugin, 2.0.11, should include that ability.
kinesis {
  id => "input.kinesis.1"
  region => "region"
  kinesis_stream_name => "stream"
  metrics => "cloudwatch"
  application_name => "table"
  role_arn => "arn:aws:iam::account:role/rolename"
  tags => ["input_kinesis", "codec_cloudwatch_logs"]
  codec => cloudwatch_logs
}
But I get a com.amazonaws.services.kinesis.leases.exceptions.DependencyException: com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException: User: default credentials is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:eu-central-1:account:table/custom table (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException)
Since I do get the non-standard table name that I overrode in the input config, I am confident that the configuration applies, but it does switch the role. There are no prior failures or interesting messages in the logs, and afterwards it repeats the same access denied error for other DynamoDB API calls.