Metricbeat credentials config help

sadik · June 15, 2022, 1:29pm

HI Team,

In " metricbeat.yml" configuration file we are using the below values for estrablish the connection to AWS.

metricbeat.modules:
  - module: aws
    period: 300s
    metricsets:
      - lambda
    access_key_id: $${AWS_ACCESS_KEY_ID}
    secret_access_key: $${AWS_SECRET_ACCESS_KEY}
    role_arn: ${ROLE_ARN}

But here the "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY" are expired every 90 days so it's may be problem to us to remenber and reproduce the credentils to use it.

So can you please suggest any alternatives we can use in this metricbeat configuration instead of "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY".

Thanks in advance!!!

Regards,
Syed

TiagoQueiroz · June 15, 2022, 2:39pm

Hi @sadik,

I know it sounds obvious, but you could set your access/secret key not to expire, that would be one way to solve it.

However there are other things you can also try, like using role_arn authentication.

Look at our documentation regarding AWS credentials: AWS module | Metricbeat Reference [master] | Elastic it lists all the possible options, you can try them out and see which one works best for you.

Another option would be to automate the credentials generation and restart of Metricbeat every couple of months.

sadik · June 28, 2022, 12:46pm

Hi @TiagoQueiroz ,

Thanks for your reply, here i miss one step, my aws service wanna connect to K8s service, below is sample one,

processors:
  - add_cloud_metadata:

fields_under_root: true
fields:
  kubernetes.cluster: ${CLUSTER}

So, by using role_arn authentication, how we wanna connect it, please provide any sample articles so it's so helpfull to complete our task.

Thank you!!!

TiagoQueiroz · July 6, 2022, 7:52am

You can use the add_kubernetes_metadata processor for that, on the documentation link there is information on how to configure authentication.

sadik · July 12, 2022, 2:47pm

Hi @TiagoQueiroz ,

I have go through the add_kubernetes_metadata processor documentation but not find any IAM role level authentication configuration in that document which will help to complete the task . So please suggest any other alternatives.

Thank you!!!

TiagoQueiroz · July 13, 2022, 2:37pm

Yes, it doe not mention IAM role direct, but it does show how you can set the host and kube_config parameters to configure the access to the cluster.

I believe you have a way to access your kubernetes cluster, right? A way to run kubectl and inspect/modify the state of the cluster. Metricbeat can leverage the same configuration file as kubectl to connect to Kubernetes.

Both, host and kube_config, are documented on the link I provided as well as there is an example:

processors:
  - add_kubernetes_metadata:
      host: <hostname>
      # If kube_config is not set, KUBECONFIG environment variable will be checked
      # and if not present it will fall back to InCluster
      kube_config: ~/.kube/config
      default_indexers.enabled: false
      default_matchers.enabled: false
      indexers:
        - ip_port:
      matchers:
        - fields:
            lookup_fields: ["metricset.host"]
      #labels.dedot: true
      #annotations.dedot: true

This will allow Metricbeat to connect to Kubernetes and get the necessary metadata.

system · August 10, 2022, 4:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Metricbeat-credential alternatives Beats metricbeat	1	257	June 17, 2022
AWS module credentials configuration: support default credentials provider Beats	3	567	July 25, 2019
Metricbeat authentication Beats metricbeat	7	377	June 5, 2020
Metricbeat AWS module on Kubernetes error Beats beats-module , metricbeat	3	390	September 27, 2020
Metricbeat AWS Module Issues Beats beats-module , metricbeat	8	468	January 15, 2021

Metricbeat credentials config help

Related topics