Labels: bug (Something isn't working)
Description
Describe the bug
Trying to send data from an EC2 instance to an OS cluster in a different account with IAM roles doesn't seem to work.
To Reproduce
- Created a policy on the logstash EC2 instance (Account A) that can assume a role (in the OpenSearch account, Account B) that is "godmode" over the cluster.
Account A policy attached to logstash EC2:
{
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:role/<opensearch_role>"
      ]
    }
  ],
  "Version": "2012-10-17"
}
Account B opensearch_role:
{
  "Statement": [
    {
      "Action": "es:*",
      "Effect": "Allow",
      "Resource": [
        "domain_arn"
      ]
    }
  ],
  "Version": "2012-10-17"
}
Account B opensearch role trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_a>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Updated the above-mentioned role's trust relationship to allow the logstash EC2 instance's role to assume it.
- Tested that the EC2 instance can assume it with `aws sts assume-role`; works fine.
Redacted logstash config:
# output section (the issue shows only the opensearch plugin block)
output {
  opensearch {
    hosts => ["https://host:443"]
    index => "test-name-%{+YYYY.MM.dd}"
    ecs_compatibility => disabled
    auth_type => {
      type => "aws_iam"
      region => "eu-west-1"
      service_name => "es"
      profile => "research"
    }
  }
}
We do something similar with fluent-bit, and that works fine.
Was wondering if this is not supported right now.
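As an added example (not code from the issue or from the logstash-output-opensearch plugin), the following checks the two halves of the cross-account chain described in the report offline: the Account A permission policy must allow sts:AssumeRole on the Account B role, and the Account B trust policy must accept the caller. It also flags the two broad grants present in the posted policies (a wildcard account in Resource, an account-root trust principal). Account IDs and role names are constructed placeholders.

```python
import fnmatch
# Constructed sample data: the issue's two policies with made-up account IDs and role names
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
LOGSTASH_ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/logstash-ec2"
OPENSEARCH_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/opensearch_role"
ACCOUNT_A_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["sts:AssumeRole"], "Resource": ["arn:aws:iam::*:role/opensearch_role"]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"}, "Action": "sts:AssumeRole"}]}

def _list(x): return x if isinstance(x, list) else [x]

def _match(pattern, value):
    # IAM wildcards (* and ?) behave like shell globs; compare case-insensitively
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _allow_statements(policy, action):
    # Yield the Allow statements whose Action covers the requested action
    for st in _list(policy["Statement"]):
        if st.get("Effect") == "Allow" and any(_match(a, action) for a in _list(st.get("Action", []))):
            yield st

def _aws_principals(st):
    p = st.get("Principal", {})
    return _list(p.get("AWS", [])) if isinstance(p, dict) else [p]

def permission_allows_assume(policy, target_role_arn):
    """Caller side: does the EC2 role's policy allow sts:AssumeRole on the target role ARN?"""
    return any(_match(r, target_role_arn) for st in _allow_statements(policy, "sts:AssumeRole")
               for r in _list(st.get("Resource", [])))

def trust_allows_caller(trust_policy, caller_role_arn):
    """Target side: does the trust policy name the caller, or its whole account via :root?"""
    account = caller_role_arn.split(":")[4]
    accepted = {caller_role_arn, f"arn:aws:iam::{account}:root", account, "*"}
    return any(accepted & set(_aws_principals(st))
               for st in _allow_statements(trust_policy, "sts:AssumeRole"))

def check_cross_account(policy, trust_policy, caller_role_arn, target_role_arn):
    """Return (chain_ok, findings): both halves must allow, plus least-privilege observations."""
    ok = permission_allows_assume(policy, target_role_arn) and trust_allows_caller(trust_policy, caller_role_arn)
    findings = []
    for st in _allow_statements(policy, "sts:AssumeRole"):
        for r in _list(st.get("Resource", [])):
            if r == "*" or r.split(":")[4] == "*":
                findings.append(f"Resource {r} matches a role of that name in ANY account")
    for st in _allow_statements(trust_policy, "sts:AssumeRole"):
        for p in _aws_principals(st):
            if p.endswith(":root"):
                findings.append(f"trust principal {p} delegates to every principal in that account")
    return ok, findings
```

A passing chain only shows that the assume-role step can succeed; it says nothing about whether the plugin itself performs that step with the configured profile, which is the question the report raises.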