Cherry-pick #14178 to 7.5: Add AWS_SHARED_CREDENTIALS_FILE to get aws…

… config (#14228) * Add AWS_SHARED_CREDENTIALS_FILE to get aws config (#14178) (cherry picked from commit 808e492) * Update changelog
elastic · Oct 25, 2019 · abc0c67 · abc0c67
1 parent 984cbd7
commit abc0c67
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 12 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -77,6 +77,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Affecting all Beats*
 
+- Add shared_credential_file option in aws related config for specifying credential file directory. {issue}14157[14157] {pull}14178[14178]
 
 *Auditbeat*
 

diff --git a/x-pack/libbeat/common/aws/credentials.go b/x-pack/libbeat/common/aws/credentials.go
@@ -16,6 +16,7 @@ type ConfigAWS struct {
 	SecretAccessKey string `config:"secret_access_key"`
 	SessionToken    string `config:"session_token"`
 	ProfileName     string `config:"credential_profile_name"`
+	SharedCredentialFile string `config:"shared_credential_file"`
 }
 
 // GetAWSCredentials function gets aws credentials from the config.
@@ -44,10 +45,17 @@ func GetAWSCredentials(config ConfigAWS) (awssdk.Config, error) {
 	// If accessKeyID, secretAccessKey or sessionToken is not given, then load from default config
 	// Please see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
 	// with more details.
+	// If credential_profile_name is empty, then default profile is used.
+	var options []external.Config
 	if config.ProfileName != "" {
-		return external.LoadDefaultAWSConfig(
-			external.WithSharedConfigProfile(config.ProfileName),
-		)
+		options = append(options, external.WithSharedConfigProfile(config.ProfileName))
 	}
-	return external.LoadDefaultAWSConfig()
+	// If shared_credential_file is empty, then external.LoadDefaultAWSConfig
+	// function will load AWS config from current user's home directory.
+	// Linux/OSX: "$HOME/.aws/credentials"
+	// Windows:   "%USERPROFILE%\.aws\credentials"
+	if config.SharedCredentialFile != "" {
+		options = append(options, external.WithSharedConfigFiles([]string{config.SharedCredentialFile}))
+	}
+	return external.LoadDefaultAWSConfig(options...)
 }
diff --git a/x-pack/libbeat/docs/aws-credentials-config.asciidoc b/x-pack/libbeat/docs/aws-credentials-config.asciidoc
@@ -12,8 +12,13 @@ environment variable `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and/or
 
 include::../../../{beatname_lc}/docs/aws-credentials-examples.asciidoc[]
 
-`credential_profile_name` is optional. If there is no `credential_profile_name`
+`credential_profile_name` is optional. If you use different credentials for
+different tools or applications, you can use profiles to configure multiple
+access keys in the same configuration file. If there is no `credential_profile_name`
 given, the default profile will be used.
+
+`shared_credential_file` is optional to specify the directory of your shared
+credentials file. If it's empty, the default directory will be used.
 In Windows, shared credentials file is at `C:\Users\<yourUserName>\.aws\credentials`.
 For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. Please see
 https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html[Create Shared Credentials File]

diff --git a/x-pack/metricbeat/module/aws/aws.go b/x-pack/metricbeat/module/aws/aws.go
@@ -91,12 +91,12 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) {
 	output, err := req.Send(context.TODO())
 	if err != nil {
 		base.Logger().Warn("failed to list account aliases, please check permission setting: ", err)
-	}
-
-	// There can be more than one aliases for each account, for now we are only
-	// collecting the first one.
-	if output.AccountAliases != nil {
-		metricSet.AccountName = output.AccountAliases[0]
+	} else {
+		// There can be more than one aliases for each account, for now we are only
+		// collecting the first one.
+		if output.AccountAliases != nil {
+			metricSet.AccountName = output.AccountAliases[0]
+		}
 	}
 
 	// Get IAM account id
@@ -105,8 +105,9 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) {
 	outputIdentity, err := reqIdentity.Send(context.TODO())
 	if err != nil {
 		base.Logger().Warn("failed to get caller identity, please check permission setting: ", err)
+	} else {
+		metricSet.AccountID = *outputIdentity.Account
 	}
-	metricSet.AccountID = *outputIdentity.Account
 
 	// Construct MetricSet with a full regions list
 	if config.Regions == nil {