fluent-plugin-s3 doesn't seem to work with AWS short-term credentials #427

Open
sanjay-curium opened this issue Aug 2, 2023 · 2 comments
Labels
waiting-for-user need feedback from user


sanjay-curium commented Aug 2, 2023

Describe the bug

I have been trying to upload aggregated logs through fluentD to an s3 bucket. The entire set-up works if I use AWS long-term access keys but not with the short-term credentials. The error thrown looks like the following.

unexpected error error_class=RuntimeError error="can't call S3 API. Please check your credentials or s3_region configuration. error = #<Aws::S3::Errors::InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.>"

To Reproduce

  1. Build a docker image for the fluentD using the following contents of the dockerfile.

```dockerfile
FROM fluentd:latest
USER root
RUN fluent-gem install fluent-plugin-s3
COPY fluentD.conf /fluentd/etc/fluent.conf
```

  2. My fluentD.conf looks like this.

```
<source>
  @type forward
  port 24224
  bind 0.0.0.0
</source>

<source>
  @type http
  port 9880
  bind 0.0.0.0
</source>

<match *.*>
  @type s3
  aws_key_id "#{ENV['AWS_ACCESS_KEY_ID']}"
  aws_sec_key "#{ENV['AWS_SECRET_ACCESS_KEY']}"
  aws_sso_key "#{ENV['AWS_SSO_KEY']}"
  s3_bucket "#{ENV['BUCKET_NAME']}"
  s3_region "#{ENV['AWS_REGION']}"

  <buffer tag,time>
    @type file
    path /output/test.log
    timekey 60 # 1 minute partition
    timekey_wait 10s
    timekey_use_utc true
    chunk_limit_size 256m
    append true
  </buffer>

</match>
```

  3. Run the container using the following command.

```
docker run -p 9880:9880 -p 24224:24224 -v ./logs:/output/ -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -e AWS_SSO_KEY=$AWS_SESSION_TOKEN -e BUCKET_NAME=$BUCKET_NAME -e AWS_REGION=$AWS_REGION image_name:tag
```

Expected behavior

Logs show up on the s3 bucket if I use AWS long-term credentials but not with the short-term ones.

Your Environment

- Fluentd version: gem 'fluentd' version '1.16.0' -- `fluentd:latest` docker image.
- s3 plugin version: gem 'fluent-plugin-s3' version '1.7.2'

Your Configuration

```
<source>
  @type forward
  port 24224
  bind 0.0.0.0
</source>

<source>
  @type http
  port 9880
  bind 0.0.0.0
</source>

<match *.*>
  @type s3
  aws_key_id "#{ENV['AWS_ACCESS_KEY_ID']}"
  aws_sec_key "#{ENV['AWS_SECRET_ACCESS_KEY']}"
  aws_sso_key "#{ENV['AWS_SSO_KEY']}"
  s3_bucket "#{ENV['BUCKET_NAME']}"
  s3_region "#{ENV['AWS_REGION']}"

  <buffer tag,time>
    @type file
    path /output/test.log
    timekey 60 # 1 minute partition
    timekey_wait 10s
    timekey_use_utc true
    chunk_limit_size 256m
    append true
  </buffer>

</match>
```

Your Error Log

2023-08-02 04:28:06 +0000 [error]: #0 unexpected error error_class=RuntimeError error="can't call S3 API. Please check your credentials or s3_region configuration. error = #<Aws::S3::Errors::InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.>"

Additional context

No response


Watson1978 commented Jan 22, 2025

Why do you use SSO short-term credentials?

Can you use instance profile credentials?
https://github.com/fluent/fluent-plugin-s3/blob/master/docs/credentials.md#instance_profile_credentials-section

@Watson1978 Watson1978 added waiting-for-user need feedback from user and removed waiting-for-triage labels Jan 22, 2025
@Watson1978 Watson1978 moved this from Triage to To-Do in Fluentd Kanban Jan 22, 2025

daipom commented Jan 22, 2025

SSO credential is not supported currently.
There is no aws_sso_key option in this plugin.
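
A pre-flight check for the configuration in this issue, as an added example that is not part of the thread or of the plugin's code. It assumes AWS's key ID prefixes (`AKIA` for long-term keys, `ASIA` for temporary ones) and takes the unsupported option name from the comment above; the key ID and token values are constructed, and `s3_match_params` and `diagnose` are hypothetical helper names.

```ruby
# Added example, not plugin code. Key ID and token values are constructed.
# Assumption: AWS key ID prefixes, AKIA = long-term, ASIA = temporary.
UNSUPPORTED_OPTIONS = %w[aws_sso_key].freeze # named in this thread as not an option

# Parameter names set directly inside <match> blocks whose @type is s3.
def s3_match_params(conf_text)
  found = []
  stack = []     # currently open section names, e.g. ["match", "buffer"]
  current = nil  # { type:, keys: } for the <match> block being read
  conf_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(%r{\A</(\w+)>}))
      stack.pop
      found.concat(current[:keys]) if m[1] == 'match' && current && current[:type] == 's3'
      current = nil if m[1] == 'match'
    elsif (m = line.match(/\A<(\w+)/))
      stack.push(m[1])
      current = { type: nil, keys: [] } if m[1] == 'match'
    elsif stack == ['match'] # skip nested sections such as <buffer>
      key, value = line.split(/\s+/, 2)
      key == '@type' ? (current[:type] = value.to_s.split.first) : (current[:keys] << key)
    end
  end
  found
end

# Findings for one container environment (Hash) and one fluentd config (String).
def diagnose(env, conf_text)
  params = s3_match_params(conf_text)
  temporary = env['AWS_ACCESS_KEY_ID'].to_s.start_with?('ASIA')
  no_token = env['AWS_SESSION_TOKEN'].to_s.empty?
  findings = (params & UNSUPPORTED_OPTIONS).map { |o| "#{o}: not an option of this plugin" }
  findings << 'temporary key ID (ASIA) but AWS_SESSION_TOKEN is not set' if temporary && no_token
  findings << 'temporary key set via aws_key_id/aws_sec_key, which carry no token' if temporary && params.include?('aws_key_id')
  findings
end

SAMPLE_ENV = { 'AWS_ACCESS_KEY_ID' => 'ASIAEXAMPLEEXAMPLE00', 'AWS_SSO_KEY' => 'constructed-token' }.freeze
SAMPLE_CONF = <<~'CONF'
  <match *.*>
    @type s3
    aws_key_id "#{ENV['AWS_ACCESS_KEY_ID']}"
    aws_sec_key "#{ENV['AWS_SECRET_ACCESS_KEY']}"
    aws_sso_key "#{ENV['AWS_SSO_KEY']}"
    <buffer tag,time>
      @type file
    </buffer>
  </match>
CONF
puts diagnose(SAMPLE_ENV, SAMPLE_CONF)
```

On the constructed sample, which mirrors the `docker run` command and `<match>` block from the report, all three findings fire; with an `AKIA` key ID only the unsupported-option finding remains.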

@daipom daipom removed this from Fluentd Kanban Jan 29, 2025