-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
assume role via role_arn for s3 output doesn't seem to work #574
Comments
i should add that i just tested vector.dev and it works fine with assume role so aws configuration is done correctly. |
It looks like it can't find the base IRSA credentials. Enable debug logging to get more info: https://github.com/aws/aws-for-fluent-bit/blob/mainline/troubleshooting/debugging.md#enable-debug-logging You need base creds to then assume a role. I'd try to get IRSA working first to put to S3, then add the extra assume role step. |
Could you get into the debug container and execute In my opinion, the problem is that you are configuring the IRSA incorrectly. IRSA should be configured as an annotation to Kubernetes service-account, instead of being indicated as a role inside a container that cannot authenticate to AWS. I just configured AWS EKS + AWS IRSA to send logs using Fluentbit to AWS CloudWatch. |
We have debug images here: https://github.com/aws/aws-for-fluent-bit#Using-the-debug-images |
we’re running on top of aws eks, and we have hashicorp vault cluster in there. i am trying to configure fluentbit to upload vault audit logs to s3. everything works fine if i provide AWS_ACCESS_KEY_ID and SECRET via env variables but we would like to use the role_arn option utilizing IRSA.
I think i setup the role/policies/trust relationship correctly but i still getting errors.
See logs.
Configuration
IRSA policy
AWS IRSA Trust Relationship:
Fluent Bit Log Output
Fluent Bit Version Info
public.ecr.aws/aws-observability/aws-for-fluent-bit:arm64-2.31.5
Related Issues
This and this might be related ?
The text was updated successfully, but these errors were encountered: