Hello!
I am currently using Logstash 7.8.0, running as a service and installed via package manager (yum) on an Amazon Linux OS.
I am using the Logstash Keystore to store some sensitive credentials used by my pipelines. I managed to make it work by setting the keystore password as the LOGSTASH_KEYSTORE_PASS variable in the /etc/default/logstash file, but it had to be stored in plain text.
I would like to know if I can secure this setup better, for example by using an external credential store such as Amazon SSM Parameter Store. I have tried passing a subshell command in the /etc/default/logstash file, such as:
LOGSTASH_KEYSTORE_PASS=$(aws ssm get-parameter --name /logstash/keystore-password --region us-east-1 --with-decryption --query 'Parameter.Value' --output text)
But it did not work as intended, as the logstash service failed to start with errors such as:
Jul 29 21:38:40 ip-xx-xx-xx-xx.ec2.internal logstash[18288]: [2020-07-29T21:38:40,001][ERROR][logstash.agent ] An exception happened when converging configuration {:exception=>LogStash::Error, :message=>"Don't know how to handle `Java::OrgLogstashSecretStore::SecretStoreException::AccessException` for `PipelineAction::Create<main>`", :backtrace=>["org/logstash/execution/ConvergeResultExt.java:129:in `create'", "org/logstash/execution/ConvergeResultExt.java:57:in `add'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:355:in `block in converge_state'"]}
I would like to know if it is possible to use an external credentials manager with Logstash, or somehow avoid having the keystore password stored in plain text in the /etc/default/logstash file.
Thanks in advance for your attention.
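One way to approach this, as an added example that is not part of the original post and not Logstash's own code: on the package install the service is a systemd unit that reads /etc/default/logstash through an EnvironmentFile directive (check with `systemctl cat logstash`), and systemd parses that file as plain key=value lines with no shell substitution, so the literal `$(aws ssm ...)` string is what gets presented as the keystore password. The script below assumes a hypothetical drop-in at /etc/systemd/system/logstash.service.d/keystore.conf, a hypothetical script path /usr/local/sbin/logstash-keystore-env.sh and a runtime file /run/logstash/keystore.env; the parameter name and region are the ones from the post. It fetches the value at service start with the same aws ssm command and writes it to a root-only 0400 file on /run, which systemd reads before the service drops privileges, so the password is never stored in plain text in a persistent, world-readable file.

```shell
#!/bin/sh
# Added example (not from the original post): populate LOGSTASH_KEYSTORE_PASS
# from an external store at service start instead of keeping it in
# /etc/default/logstash. Assumed wiring via a systemd drop-in
# (/etc/systemd/system/logstash.service.d/keystore.conf, hypothetical path):
#
#   [Service]
#   ExecStartPre=+/usr/local/sbin/logstash-keystore-env.sh
#   EnvironmentFile=-/run/logstash/keystore.env
#
# EnvironmentFile is a plain key=value file read by systemd, so no shell
# substitution happens there; this script does the fetch and writes the file.
# The parameter name and region below are the ones from the post.

set -eu

KEYSTORE_PARAM="${KEYSTORE_PARAM:-/logstash/keystore-password}"
AWS_REGION_NAME="${AWS_REGION_NAME:-us-east-1}"
ENV_FILE="${ENV_FILE:-/run/logstash/keystore.env}"

# Fetch the secret. Relies on the instance role having ssm:GetParameter and
# kms:Decrypt for this parameter; only the value is printed, to stdout.
fetch_keystore_pass() {
    aws ssm get-parameter --name "$1" --region "$2" --with-decryption \
        --query 'Parameter.Value' --output text
}

# Write LOGSTASH_KEYSTORE_PASS='value' to $1 atomically with mode 0400.
# Returns 1 and writes nothing if the value is empty or contains a newline
# or single quote, which would break the single-quoted env-file syntax.
write_keystore_env() {
    dest=$1
    value=$2
    nl=$(printf '\n.')
    nl=${nl%.}
    case "$value" in
        "") return 1 ;;
        *"$nl"*|*"'"*) return 1 ;;
    esac
    dir=$(dirname -- "$dest")
    mkdir -p -- "$dir"
    umask 077
    tmp=$(mktemp -- "$dir/.keystore.env.XXXXXX")
    printf "LOGSTASH_KEYSTORE_PASS='%s'\n" "$value" > "$tmp"
    chmod 0400 -- "$tmp"
    mv -f -- "$tmp" "$dest"
}

main() {
    pass=$(fetch_keystore_pass "$KEYSTORE_PARAM" "$AWS_REGION_NAME")
    write_keystore_env "$ENV_FILE" "$pass" || {
        # Never echo the value itself into the journal.
        echo "refusing to write $ENV_FILE: empty or unsupported value" >&2
        exit 1
    }
}

# Only run main when invoked under the installed script name, so the
# functions can be sourced or tested without calling AWS.
case "$(basename -- "$0")" in
    logstash-keystore-env.sh) main ;;
esac
```

After placing the script and drop-in, run `systemctl daemon-reload` and restart the service; /etc/default/logstash no longer needs to carry LOGSTASH_KEYSTORE_PASS at all. The `+` prefix on ExecStartPre runs only the fetch step with full privileges, while Logstash itself still runs as its unprivileged service user, and the password exists only on memory-backed /run with mode 0400.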