
Input Plugin does not use Instance role when using multiple inputs in mixed env #86

Open
65Custom opened this issue Aug 25, 2020 · 1 comment

65Custom commented Aug 25, 2020

The message below should be correct per the documentation. The plugin tries to assume an IAM role first and then assumes the IAM instance role.
But this is not what happened. It says it is not authorized to assume the role. To resolve this I had to add sts:AssumeRole and a trust relationship to the IAM user role it was trying to use to cross to the account that it was not authorized to assume.

In this case it was trying to assume the role from the first input, which was going to a different account. Once this account was given assume permissions to the other account it worked, but this is not the intended route or configuration.

The second input should have tried to assume the role it was assigned from the role_arn, but it did not try to assume this role first. It was assuming the same role as the first input and trying to access Kinesis, but it would then fail and shut down because it did not have permissions.

I'm using this in a mixed-inputs env using some AWS keys and some roles.

The inputs should use the auth method specified for each input, but it seems that it tries to assume a role with a key vs. the instance role on the server.

Also, does or can the plugin be used with multiple accounts in this configuration? So if I want to use keys or the instance role to access different accounts from the same pipeline, but using multiple inputs, each one using a different account.

```
input {
  kinesis {
    kinesis_stream_name => "cwlog-nonprod-docker-application"
    codec => cloudwatch_logs
    profile => default
    application_name => "docker"
    tags => [ "application", "docker_app_ls_pl" ]
  }
  kinesis {
    kinesis_stream_name => "gcs-cwlog-nonprod-docker-application"
    codec => cloudwatch_logs
    role_arn => "arn:aws:iam::xxxxxxxxxxx:role/logstash-role"
    application_name => "docker_app"
    tags => [ "token", "application1", "docker_app_ls_pl" ]
  }
}
```
```
Aug 18 21:20:19 ip-10-14-12-119 logstash: SEVERE: Failed to get table status for docker_app_1
Aug 18 21:20:19 ip-10-14-12-119 logstash: com.amazonaws.services.kinesis.leases.exceptions.DependencyException: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::XXXXXXXXXXX:user/elk.kinesis.prod.cli.reader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXX:role/da-logstash-role (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 23147456)
Aug 18 21:20:19 ip-10-14-12-119 logstash: at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1327)
Aug 18 21:20:19 ip-10-14-12-119 logstash: Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::XXXXXXXXXXXX:user/elk.kinesis.prod.cli.reader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/da-logstash-role (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 23147456)
```
65Custom (Author) commented

I am still having this issue when using multiple inputs. Does anyone have any input on this situation?

In my case I have two inputs, one using keys and the other using a role. Time has not permitted switching to complete role-based auth, and I am faced with this issue again. Now it seems as though it is not even using the instance role and is trying to use the user and keys, which do not have permissions.

```
Sep 21 21:53:14 ip-10-10-10-10 logstash: java.lang.RuntimeException: com.amazonaws.services.kinesis.leases.exceptions.DependencyException: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::X1XXX4XXXXX3:user/elk.kinesis.reader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::X9XXX3XXXXX6:role/logstashrole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b893e2c7-869d-4af2-9c46-f87615b560c6)
Sep 21 21:53:14 ip-10-10-10-10 logstash: Caused by: com.amazonaws.services.kinesis.leases.exceptions.DependencyException: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::X1XXX4XXXXX3:user/elk.kinesis.reader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::X9XXX3XXXXX:role/logstashrole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b893e2c7-869d-4af2-9c46-f87615b560c6)
Sep 21 21:53:14 ip-10-10-10-10 logstash: Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::X1XXX4XXXXX3:user/elk.kinesis.reader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::X9XXX3XXXXX6:role/logstashrole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b893e2c7-869d-4af2-9c46-f87615b560c6)
```
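Both comments above show the same symptom: the principal named in the STS AccessDenied line is a static IAM user, not the EC2 instance role, so the input configured with `role_arn` is calling sts:AssumeRole with credentials that belong to the other input. The following triage script is an added example, not code from the issue or from the logstash-input-kinesis plugin. It parses that error shape out of the Logstash log, matches the denied role against the pipeline's inputs, and prints the minimal trust policy the target role would need for the intended principal. The account ids, the stream-to-role mapping and the instance-role ARN are constructed placeholders, not values from the issue.

```python
"""Triage the sts:AssumeRole AccessDenied lines that logstash-input-kinesis logs.

Added example (not the plugin's code). It answers two questions from the log alone:
which principal actually made the AssumeRole call, and which pipeline input that
role belongs to, so a mismatch (IAM user instead of instance role) is visible.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample modelled on the issue's log lines; account ids are fake.
SAMPLE_LOG = """\
Aug 18 21:20:19 ip-10-14-12-119 logstash: SEVERE: Failed to get table status for docker_app_1
Aug 18 21:20:19 ip-10-14-12-119 logstash: com.amazonaws.services.kinesis.leases.exceptions.DependencyException: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::111111111111:user/elk.kinesis.prod.cli.reader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/da-logstash-role (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 23147456)
Aug 18 21:20:19 ip-10-14-12-119 logstash: Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::111111111111:user/elk.kinesis.prod.cli.reader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/da-logstash-role (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 23147456)
"""

# Mirrors the two inputs in the issue's pipeline; the role_arn account id is hypothetical.
PIPELINE_INPUTS = [
    {"kinesis_stream_name": "cwlog-nonprod-docker-application", "profile": "default"},
    {"kinesis_stream_name": "gcs-cwlog-nonprod-docker-application",
     "role_arn": "arn:aws:iam::222222222222:role/da-logstash-role"},
]

# Shape of the AWS SDK's AccessDenied message for sts:AssumeRole.
STS_DENY_RE = re.compile(
    r"User: (?P<caller>arn:aws:(?:iam|sts)::\d{12}:\S+) is not authorized to perform: "
    r"sts:AssumeRole on resource: (?P<target>arn:aws:iam::\d{12}:role/\S+)"
)


def account_id(arn: str) -> str:
    """The account id is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


@dataclass(frozen=True)
class AssumeRoleDenial:
    caller: str  # principal that called sts:AssumeRole
    target: str  # role it tried to assume

    @property
    def caller_is_iam_user(self) -> bool:
        # An instance role would show up as arn:aws:sts::...:assumed-role/..., never :user/
        return ":user/" in self.caller

    @property
    def cross_account(self) -> bool:
        return account_id(self.caller) != account_id(self.target)


def parse_denials(log_text: str) -> list:
    """Return distinct denials; Java 'Caused by' chains repeat the same message."""
    seen = {}
    for line in log_text.splitlines():
        m = STS_DENY_RE.search(line)
        if m:
            key = (m["caller"], m["target"])
            seen.setdefault(key, AssumeRoleDenial(*key))
    return list(seen.values())


def diagnose(denial: AssumeRoleDenial, inputs: list) -> dict:
    """Map the denied role back to the input that configured it and flag the mismatch."""
    affected = [i for i in inputs if i.get("role_arn") == denial.target]
    static_cred_inputs = [i for i in inputs if "role_arn" not in i]
    return {
        "affected_streams": [i["kinesis_stream_name"] for i in affected],
        "caller": denial.caller,
        "caller_is_iam_user": denial.caller_is_iam_user,
        "cross_account": denial.cross_account,
        # A static IAM user as caller means the AssumeRole did not run under the
        # instance role; the only other credential source is the profile/key inputs.
        "credential_taken_from": [i["kinesis_stream_name"] for i in static_cred_inputs]
        if denial.caller_is_iam_user else [],
    }


def trust_policy_for(principal_arn: str) -> dict:
    """Trust policy for the target role that admits only the intended principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(json.dumps(diagnose(d, PIPELINE_INPUTS), indent=2))
    # Hypothetical instance-profile role ARN; substitute the EC2 instance role's real ARN.
    print(json.dumps(trust_policy_for("arn:aws:iam::111111111111:role/logstash-instance-role"), indent=2))
```

Running it against the constructed log reports the `gcs-...` stream as the affected input and the `default`-profile input as the credential source, which is the behaviour the issue describes. The trust policy it prints names the instance role alone, rather than widening the IAM user's permissions as the workaround in the first comment did.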
