Using credentials manager to store Logstash's keystore password

Hello!

I am currently using Logstash 7.8.0, running as a service and installed via package manager (yum) on an Amazon Linux OS.

I am using the Logstash Keystore to store some sensitive credentials used by my pipelines. I managed to make it work by setting the keystore password as the LOGSTASH_KEYSTORE_PASS variable in the /etc/default/logstash file, but it had to be stored in plain text.

I would like to know if I can secure this setup better, like using an external credential store such as Amazon SSM Parameter Store. I have tried passing a subshell command in the /etc/default/logstash file, such as:

LOGSTASH_KEYSTORE_PASS=$(aws ssm get-parameter --name /logstash/keystore-password --region us-east-1 --with-decryption --query 'Parameter.Value' --output text)

But it did not work as intended, as the logstash service failed to start with errors such as:

Jul 29 21:38:40 ip-xx-xx-xx-xx.ec2.internal logstash[18288]: [2020-07-29T21:38:40,001][ERROR][logstash.agent           ] An exception happened when converging configuration {:exception=>LogStash::Error, :message=>"Don't know how to handle `Java::OrgLogstashSecretStore::SecretStoreException::AccessException` for `PipelineAction::Create<main>`", :backtrace=>["org/logstash/execution/ConvergeResultExt.java:129:in `create'", "org/logstash/execution/ConvergeResultExt.java:57:in `add'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:355:in `block in converge_state'"]}

I would like to know if it is possible to use an external credentials manager with Logstash, or to somehow avoid having the keystore password stored in plain text in the /etc/default/logstash file.

Thanks in advance for your attention
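
Added example, not part of the original post: assuming the package's systemd unit loads /etc/default/logstash through EnvironmentFile=, that file is parsed as plain KEY=VALUE lines and `$(...)` is never executed, so Logstash receives the literal text as the keystore password. The sketch below instead fetches the parameter in an ExecStartPre step and writes it to a 0600 file under /run; the script path, the drop-in and the env-file path are hypothetical, and the `aws` command is the one from the post.

```shell
#!/bin/sh
# Added example: build a runtime-only env file for LOGSTASH_KEYSTORE_PASS.
# Hypothetical drop-in: /etc/systemd/system/logstash.service.d/keystore.conf
#   [Service]
#   RuntimeDirectory=logstash
#   ExecStartPre=/usr/local/bin/logstash-keystore-env.sh --apply
#   EnvironmentFile=/run/logstash/keystore.env
# LOGSTASH_KEYSTORE_PASS is then removed from /etc/default/logstash.

PARAM_NAME="/logstash/keystore-password"             # from the post
REGION="us-east-1"                                   # from the post
ENV_FILE="${ENV_FILE:-/run/logstash/keystore.env}"   # hypothetical tmpfs path

# Same AWS CLI call as in the post, run by a real shell this time.
fetch_keystore_pass() {
    aws ssm get-parameter --name "$PARAM_NAME" --region "$REGION" \
        --with-decryption --query 'Parameter.Value' --output text
}

# Write LOGSTASH_KEYSTORE_PASS=<secret> to <target>, mode 0600, atomically.
write_env_file() {
    secret=$1
    target=$2
    nl='
'
    # Conservative check (an assumption of this example): reject empty values
    # and characters with special meaning in systemd env files.
    case $secret in
        ''|*"$nl"*|*\"*|*\'*|*\\*)
            echo "refusing to write: empty or unsafe value" >&2
            return 1 ;;
    esac
    # mktemp creates the file with mode 0600 before the secret is written.
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    printf 'LOGSTASH_KEYSTORE_PASS=%s\n' "$secret" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    # Rename within the same directory so readers never see a partial file.
    mv -f "$tmp" "$target"
}

# Only touch SSM and the filesystem when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    pass=$(fetch_keystore_pass) || exit 1
    write_env_file "$pass" "$ENV_FILE"
fi
```

The password still reaches the Logstash process through its environment; what changes is that it is no longer kept in a persistent file on disk.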
