SNS Output - Logstash in EKS - using fine grained Service account IAM roles

chandra2037 · October 9, 2019, 2:26pm

Elasticsearch Version: 7.4.0
Logstash Version: 7.4.0

Deployed in Amazon EKS as a POD using official Logstash Docker container.

Trying to publish messages to Amazon SNS using Logstash SNS output plugin.

Amazon introduced Fine-Grained IAM Roles for EKS Service Accounts to give fine-grained IAM role to Pods rather than EKS nodes.

Created IAM role with SNS:Publish access, and also service account with this new role.

Providing the service account details to the Logstash deployment manifest file. After deployment, I am seeing aws-iam-token volume which contains the AWS_WEB_IDENTITY_TOKEN_FILE, and also AWS_IAM_ROLE_ARN as environment variable.

Now coming to configuring SNS output, I am seeing following options to configure the access to publish messages to SNS

Since I have token file, I configured the session_token to point to the AWS_WEB_IDENTITY_TOKEN_FILE location. Also, I tried configuring AWS_IAM_ROLE_ARN as access_key_id.

But Logstash not able to publish messages to SNS, it is giving permission error. By default, it is assuming the EKS node role, and node role do not have access to publish messages to SNS. Configuring the session_token having no impact.

Am I missing something in the Output configuration?

Also noticed the following in the AWS documentation, not sure SDK version has any impact on this?

Thank you for any input on this issue.

yaauie · October 14, 2019, 9:32pm

It looks like the current release of the SNS Output Plugin does not have a feature to read credentials from a file; both session_token and secret_access_key expect the key provided to be a literal string (not a file path), and aws_credentials_file is merely a file-based way of providing these two as a key/value file in a specific format.

Additionally, Logstash 7.4.0 ships with AWS SDK 2.11.343, so it does not support the sts:AssumeRoleWithWebIdentity credential provider:

    aws-sdk (2.11.343)
-- Gemfile.jruby-2.5.lock.release:45@v7.4.0

Right now the primary blocker to upgrading the AWS SDK that is shipped with these plugins is the sheer number of plugins that rely on the SDK requires that all are updated in lock-step to avoid dependency conflicts. We have work in-flight that mitigates this by distributing related plugins as a single "integration" plugin from a shared code-base, and regrouping the AWS plugins is on our to-do list.

system · November 11, 2019, 9:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
S3 output using iam roles that gives access to aws security credentials Logstash	2	2766	July 6, 2017
Logstash in Kubernetes Not Using ServiceAccount with IAM Role Logstash	4	1421	November 15, 2021
Logstash s3 input with iam role Logstash	5	4910	September 21, 2017
AWS IAM Role with self hosted ELK Elasticsearch	1	637	April 22, 2020
Logstash_s3_output plugin failing with assumerole role_arn Logstash docker	1	268	November 18, 2022

SNS Output - Logstash in EKS - using fine grained Service account IAM roles

Related topics