Support for IAM Roles (Instance Profile/IRSA) for Authentication #96
Comments
The legacy plugin doesn't support this either. awslabs/logstash-output-amazon_es#133

Looks like, according to the docs, instance profiles are supported: https://opensearch.org/docs/latest/clients/logstash/ship-to-opensearch/#opensearch-output-plugin
Apparently, the latest plugin does not have a feature to read the Web Identity Token file (used for IRSA) mounted on the pod. If we pass the token stored in the Logstash output plugin config for IAM:

```
output {
  opensearch {
    hosts => "${LOGSTASH_OS_HOST}:${LOGSTASH_OS_PORT}"
    index => "${LOGSTASH_OS_INDEX}"
    auth_type => {
      type => 'aws_iam'
      session_token => "${LOGSTASH_OS_TOKEN}"
      region => 'us-east-1'
    }
    ssl => true
    document_id => "%{id}"
  }
}
```
@vpulagarwal Thanks for reporting. Will check why the session token is not accepted by the config.

Please check

@VijayanB Any plans to upgrade this plugin on Ruby 3.58+ and start supporting IRSA?

@vpulagarwal Is it trivial? If so, will you be able to contribute?

I'm sorry, I don't understand why upgrading the aws-sdk to 3.58.0 would take this much time. Thank you.
Fix opensearch-project#96 by upgrading aws sdk Signed-off-by: Gong Yi <topikachu@163.com>
I am no Ruby expert, but I feel that to support IRSA there should be an option to provide the path of the service account token file located at

I see @topikachu closed #138; it wasn't merged. Looking for someone to contribute here. Happy to help review and merge PRs. I would want to start with integration test CI, #76, and then it will make it easier to add features.

I realize it breaks all other aws plugins because they are all using the old aws sdk. :(

I can see in my OpenSearch audit logs the EKS worker role being used to try to authenticate, leading to a 403. Definitely this plugin is using the instance metadata to get the instance profile IAM role instead of AWS_WEB_IDENTITY_TOKEN_FILE.

@topikachu What should we do about this? What else needs to be upgraded at the same time? Care to help?

@dblock My guess is that the aws-sdk Ruby gem needs to be updated to v3. There's an upgrade guide for this; we need to be sure that all the requires are updated across this plugin.

Is there any further progress on this? I currently have it set up using an IAM user but would prefer to use a role if possible. Has anyone tested this using a container execution role in AWS Fargate?

Any update on this? PR #171 has been merged and the aws-sdk v3 is meant to support this. I think it was added here: aws/aws-sdk-ruby#2075 From what I read, it seems that the library might just work and pull the credentials out of the box. It is one of the default authentication providers but we need to test it.

We require this too.
I am able to get it working with the configuration below. Logstash has a default value for the region input; if you pass the correct region then it works.

should work in EKS just with:
+1 on this, tried a lot of the "workarounds" on both these issues and none work. I will have to revert to basic auth for now unfortunately.

@Thamizhvanan-R Do you think you can maybe describe in detail how you made it work?
The OpenSearch project uses aws-sdk-ruby for AWS authentication (logstash-output-opensearch/lib/logstash/outputs/opensearch/http_client/manticore_adapter.rb, line 85 in d60a58f).

Here we can see the call to the CredentialProviderChain; the credential_config is created with the options we configure in the auth_type block of the opensearch output section. If the AWS_REGION is not passed in the auth_type, the default value us-east-1 is passed to the CredentialProviderChain. https://github.com/aws/aws-sdk-ruby/blob/b95f3f045032ac9c79917a65beaf4111f3228f94/gems/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb#L143 I made it work by explicitly setting the aws_region in the output section, but the proper fix is to read the AWS_REGION from env and fall back to the default if no such environment variable is set. These env variables are already set by the EKS cluster when we enable the service account with AWS IAM role assumption. @joewragg I would suggest you check if these env variables are set in your case.
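The comment above describes two separate things that can go wrong for an IRSA pod: the region handed to the credential provider chain (config value or the plugin's hard-coded default, never the environment), and the chain falling through to the node's instance-profile role when the web identity variables are not picked up. The Ruby below is an added example, not code from logstash-output-opensearch or aws-sdk-ruby: it models the region selection before and after the proposed fix (read AWS_REGION from the environment, fall back to the default) and a simplified, offline version of a v3-style provider chain order (explicit keys, environment keys, web identity, instance profile), so both can be checked inside a pod before Logstash is started. Function names, the `auth_type` key names it mirrors, and the sample environment (role ARN, token path) are assumptions and constructed values.

```ruby
# Added example, not the plugin's or aws-sdk-ruby's code. Models (1) which region
# reaches the credential provider chain, before and after the fix proposed in the
# thread, and (2) which credential source a simplified v3-style chain would pick
# for a pod's environment. No network calls; the chain order is a model, not the
# library itself. Function and key names are assumptions.

PLUGIN_DEFAULT_REGION = 'us-east-1'.freeze

# Behaviour described in the thread: config value or the plugin default;
# the environment is never consulted.
def region_before_fix(config_region)
  config_region.nil? || config_region.empty? ? PLUGIN_DEFAULT_REGION : config_region
end

# Proposed behaviour: explicit config wins, then AWS_REGION / AWS_DEFAULT_REGION
# (injected by EKS for IRSA pods), then the plugin default.
def region_after_fix(config_region, env)
  return config_region unless config_region.nil? || config_region.empty?
  env['AWS_REGION'] || env['AWS_DEFAULT_REGION'] || PLUGIN_DEFAULT_REGION
end

# Credential source a v3-style chain would select. `config` mirrors the keys of
# the plugin's auth_type block (assumed names); `file_exists` is injectable so the
# check runs without touching the filesystem.
def credential_source(config, env, file_exists: ->(path) { File.exist?(path) })
  return :static_keys if config[:aws_access_key_id] && config[:aws_secret_access_key]
  return :env_keys    if env['AWS_ACCESS_KEY_ID'] && env['AWS_SECRET_ACCESS_KEY']
  if env['AWS_ROLE_ARN'] && env['AWS_WEB_IDENTITY_TOKEN_FILE']
    return file_exists.call(env['AWS_WEB_IDENTITY_TOKEN_FILE']) ? :web_identity : :web_identity_token_missing
  end
  :instance_profile # last resort: node metadata, i.e. the EKS worker-node role seen in the 403s
end

# Preflight report for a pod: region with and without the fix, the credential
# source, and warnings for the failure modes discussed in the thread.
def irsa_preflight(config, env, file_exists: ->(path) { File.exist?(path) })
  before = region_before_fix(config[:region])
  after  = region_after_fix(config[:region], env)
  source = credential_source(config, env, file_exists: file_exists)
  warnings = []
  warnings << "region mismatch: plugin would use #{before}, environment says #{after}" if before != after
  warnings << 'AWS_WEB_IDENTITY_TOKEN_FILE is set but the token file is not mounted' if source == :web_identity_token_missing
  warnings << 'no web identity token in env: node instance-profile role would be used' if source == :instance_profile
  { region_before_fix: before, region_after_fix: after, source: source, warnings: warnings }
end

# Constructed sample environment resembling what EKS injects for an IRSA pod
# (placeholder account id, role name and token path).
SAMPLE_IRSA_ENV = {
  'AWS_REGION'                  => 'eu-west-1',
  'AWS_ROLE_ARN'                => 'arn:aws:iam::123456789012:role/example-logstash',
  'AWS_WEB_IDENTITY_TOKEN_FILE' => '/var/run/secrets/example/token'
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Run against the real pod environment with: irsa_preflight({ region: nil }, ENV)
  puts irsa_preflight({ region: nil }, SAMPLE_IRSA_ENV, file_exists: ->(_) { true }).inspect
end
```

With no region in `auth_type` the report shows the plugin would use us-east-1 while the pod environment says eu-west-1, which is the mismatch the comment works around by setting the region explicitly; with the region set, or with the proposed environment fallback, the two agree and the warning disappears.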
In the code you pointed out, does setting the region to

Whichever the fix is here, do you think you could write a test for it that shows that the regions configured by the AWS_REGION environment variable produce a different value here? This makes an easy fix.
I have set the correct ENV vars as mentioned (redacted):

My config (redacted):

My IAM role is mapped to all_access in OpenSearch for testing. I am seeing 403s coming from OpenSearch in the logs.
One more thing we can check is if your role has an AssumeRolePolicy and it allows your EKS service account.

Yeah, I definitely have the AssumeRolePolicy working as it's already using this role to S3 GET in the pod.

@joewragg Is it 100% of requests? Can you paste a (redacted) log line here?

Pretty sure it's 100% of requests. If I use username and password it works. I see this log line over and over, that's it:
@joewragg Turn on debug level logging, let's see the complete error? I think https://forum.opensearch.org/t/enable-debug-logging-on-logstash/12194 or passing

Does this have something to do with these settings in AWS:

Relevant logs I see repeating:

@joewragg Can you
Yeah, awscurl works.

Good. Knowing that the credentials are valid clears that. The next step is to debug the code in this library. It's doing its own signing here; I'd ensure that the parameters passed in match what's in the environment (maybe add some log lines?). I'm happy to try to help if this can be reproduced easily.

@dblock It's like it tries to use the instance profile instead of STS...
I think it was mentioned above:
I am hoping someone can implement this, I doubt I'll get to it any time soon. |
Is your feature request related to a problem? Please describe.
The current best practices for security in AWS recommend using short-lived credentials through an IAM Role (STS) instead of static IAM credentials (Access Key/Secret). That capacity is critically important when using Amazon EKS, since we can leverage IAM Roles for Service Accounts (IRSA) and improve the security posture of Logstash on Kubernetes.
Describe the solution you'd like
Logstash should be able to consume an IAM Role, from an Instance Profile (EC2) or from IRSA (EKS), and use it to authenticate against the OpenSearch environment.
Describe alternatives you've considered
Use the legacy output plugin from awslabs/logstash-output-amazon_es.
Additional context
The current aws-sdk gem used in this plugin (>= 2.11.632) already supports IRSA capability.