Elasticsearch Version: 7.4.0
Logstash Version: 7.4.0
Deployed in Amazon EKS as a Pod using the official Logstash Docker container.
Amazon introduced Fine-Grained IAM Roles for EKS Service Accounts to give a fine-grained IAM role to Pods rather than to EKS nodes.
Created an IAM role with SNS:Publish access, and also a service account with this new role.
Providing the service account details to the Logstash deployment manifest file. After deployment, I am seeing an aws-iam-token volume which contains the AWS_WEB_IDENTITY_TOKEN_FILE, and also AWS_IAM_ROLE_ARN as an environment variable.
Now coming to configuring the SNS output, I am seeing the following options to configure access to publish messages to SNS:
Since I have the token file, I configured session_token to point to the AWS_WEB_IDENTITY_TOKEN_FILE location. Also, I tried configuring
But Logstash is not able to publish messages to SNS; it is giving a permission error. By default, it is assuming the EKS node role, and the node role does not have access to publish messages to SNS. Configuring session_token has no impact.
Am I missing something in the output configuration?
Also noticed the following in the AWS documentation; not sure whether the SDK version has any impact on this?
Thank you for any input on this issue.
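A diagnostic that can be run inside the pod to confirm the IRSA pieces the AWS SDK's web-identity credential provider looks for are actually present and consistent (added example, not code from the post, Logstash or AWS). It assumes the standard injected names AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, decodes the projected token's claims without verifying its signature, and includes a constructed-token helper used only as a test fixture.

```python
import base64
import json
import os
import tempfile

# Assumed env names: the EKS pod identity webhook injects AWS_ROLE_ARN and
# AWS_WEB_IDENTITY_TOKEN_FILE (the post writes the first as AWS_IAM_ROLE_ARN).
ROLE_ARN_VAR = "AWS_ROLE_ARN"
TOKEN_FILE_VAR = "AWS_WEB_IDENTITY_TOKEN_FILE"
EXPECTED_AUDIENCE = "sts.amazonaws.com"

def jwt_claims(token: str) -> dict:
    """Payload claims of a JWT, without signature verification (that is STS's job)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(body))

def check_irsa(env: dict) -> dict:
    """Does the SDK's web-identity provider have what it needs? 'ok' only when the role
    ARN is set and the projected token carries the STS audience."""
    report = {"problems": [], "role_arn": env.get(ROLE_ARN_VAR)}
    token_path = env.get(TOKEN_FILE_VAR)
    if not report["role_arn"]:
        report["problems"].append(f"{ROLE_ARN_VAR} unset: the SDK falls back to the node role")
    if not token_path or not os.path.isfile(token_path):
        report["problems"].append(f"{TOKEN_FILE_VAR} unset or file missing: check the projected volume")
    else:
        with open(token_path) as fh:
            claims = jwt_claims(fh.read())
        aud = claims.get("aud")
        report["subject"] = claims.get("sub")  # system:serviceaccount:<namespace>:<name>
        report["audience"] = aud if isinstance(aud, list) else [aud]
        if EXPECTED_AUDIENCE not in report["audience"]:
            report["problems"].append(f"audience is not {EXPECTED_AUDIENCE}: STS will reject the token")
    report["ok"] = not report["problems"]
    return report

def sample_token_file(sub: str, aud) -> str:
    """Write a constructed, unsigned JWT to a temp file (test fixture only); return its path."""
    seg = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = seg(json.dumps({"sub": sub, "aud": aud}).encode())
    fd, path = tempfile.mkstemp(suffix=".jwt")
    with os.fdopen(fd, "w") as fh:
        fh.write(seg(b'{"alg":"RS256"}') + "." + payload + ".unsigned")
    return path

if __name__ == "__main__":  # inside the pod: python3 check_irsa.py
    print(json.dumps(check_irsa(dict(os.environ)), indent=2))
```

If the report is clean but publishing still fails, the remaining variables are the role's trust policy (it must name the exact namespace and service account) and whether the SDK bundled with the plugin supports the web-identity provider at all.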