package metadata
import (
"strings"
)
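// Shared metadata merged into every `sink` or `source` component whose name
// starts with `aws_`: the common configuration options, the AWS environment
// variables, and the "AWS Authentication" how-it-works text.
components: [Kind=string]: [Name=string]: {
	if Kind == "sink" || Kind == "source" {
		if strings.HasPrefix(Name, "aws_") {
			configuration: {
				// Optional role assumption; `default: null` with `required: false`
				// means the option may be omitted.
				assume_role: {
					category:    "Auth"
					common:      false
					description: "The ARN of an [IAM role](\(urls.aws_iam_role)) to assume at startup."
					required:    false
					type: string: {
						default: null
						examples: ["arn:aws:iam::123456789098:role/my_role"]
					}
				}

				// NOTE(review): the example carries no URL scheme, so a reader cannot
				// tell whether traffic to a custom endpoint is sent over TLS; confirm
				// the accepted format and document the scheme explicitly.
				endpoint: {
					common:        false
					description:   "Custom endpoint for use with AWS-compatible services. Providing a value for this option will make `region` moot."
					relevant_when: "region = null"
					required:      false
					type: string: {
						default: null
						examples: ["127.0.0.0:5000/path/to/service"]
					}
				}

				// `endpoint` and `region` are documented as mutually exclusive through
				// their `relevant_when` conditions.
				region: {
					description:   "The [AWS region](\(urls.aws_regions)) of the target service. If `endpoint` is provided it will override this value since the endpoint includes the region."
					required:      true
					relevant_when: "endpoint = null"
					type: string: {
						examples: ["us-east-1"]
					}
				}
			}

			env_vars: {
				// The example is the placeholder access key id from AWS's public
				// documentation, not a live credential. Keep it as-is: never
				// substitute a real key in documentation examples.
				AWS_ACCESS_KEY_ID: {
					description: "The AWS access key id. Used for AWS authentication when communicating with AWS services."
					type: string: {
						default: null
						examples: ["AKIAIOSFODNN7EXAMPLE"]
					}
				}

				AWS_CONFIG_FILE: {
					description: "Specifies the location of the file that the AWS CLI uses to store configuration profiles."
					type: string: {
						default: "~/.aws/config"
					}
				}

				AWS_CREDENTIAL_EXPIRATION: {
					description: "Expiration time in RFC 3339 format. If unset, credentials won't expire."
					type: string: {
						default: null
						examples: ["1996-12-19T16:39:57-08:00"]
					}
				}

				// Fixed: the example was a copy-pasted file path
				// ("/path/to/credentials.json"); a region name is what this variable holds.
				AWS_DEFAULT_REGION: {
					description:   "The default [AWS region](\(urls.aws_regions))."
					relevant_when: "endpoint = null"
					type: string: {
						default: null
						examples: ["us-east-1"]
					}
				}

				AWS_PROFILE: {
					description: "Specifies the name of the CLI profile with the credentials and options to use. This can be the name of a profile stored in a credentials or config file."
					type: string: {
						default: "default"
						examples: ["my-custom-profile"]
					}
				}

				// The session name is what shows up in CloudTrail (per the description),
				// so a recognisable value helps attribute activity to this process.
				AWS_ROLE_SESSION_NAME: {
					description: "Specifies a name to associate with the role session. This value appears in CloudTrail logs for commands performed by the user of this profile."
					type: string: {
						default: null
						examples: ["vector-session"]
					}
				}

				// The example is the placeholder secret key from AWS's public
				// documentation, not a live credential.
				AWS_SECRET_ACCESS_KEY: {
					description: "The AWS secret access key. Used for AWS authentication when communicating with AWS services."
					type: string: {
						default: null
						examples: ["wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"]
					}
				}

				AWS_SHARED_CREDENTIALS_FILE: {
					description: "Specifies the location of the file that the AWS CLI uses to store access keys."
					type: string: {
						default: "~/.aws/credentials"
					}
				}

				// Fixed: the example was a copy-pasted file path
				// ("/path/to/credentials.json"). The value below is a constructed,
				// truncated placeholder, not a real session token.
				AWS_SESSION_TOKEN: {
					description: "The AWS session token. Used for AWS authentication when communicating with AWS services."
					type: string: {
						default: null
						examples: ["AQoDYXdzEJr...EXAMPLETOKEN"]
					}
				}
			}

			how_it_works: {
				aws_authentication: {
					title: "AWS Authentication"
					// The blank line after the numbered list keeps the closing paragraph
					// from being rendered as a continuation of item 4.
					body: """
						Vector checks for AWS credentials in the following order:

						1. Environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
						2. The [`credential_process` command](\(urls.aws_credential_process)) in the AWS config file. (usually located at `~/.aws/config`)
						3. The [AWS credentials file](\(urls.aws_credentials_file)). (usually located at `~/.aws/credentials`)
						4. The [IAM instance profile](\(urls.iam_instance_profile)). (will only work if running on an EC2 instance with an instance profile/role)

						If credentials are not found the [healthcheck](#healthchecks) will fail and an
						error will be [logged][docs.monitoring#logs].
						"""
					sub_sections: [
						{
							title: "Obtaining an access key"
							body: """
								In general, we recommend using instance profiles/roles whenever possible. In
								cases where this is not possible you can generate an AWS access key for any user
								within your AWS account. AWS provides a [detailed guide](\(urls.aws_access_keys)) on
								how to do this.
								"""
						},
						{
							title: "Assuming roles"
							body: """
								Vector can assume an AWS IAM role via the [`assume_role`](#assume_role) option. This is an
								optional setting that is helpful for a variety of use cases, such as cross
								account access.
								"""
						},
					]
				}
			}
		}
	}
}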