AWS Rust SDK doesn't support credential_process #12271

Closed
chburmeister opened this issue Apr 19, 2022 · 4 comments
Labels
  • meta: regression (This issue represents a regression)
  • provider: aws (Anything `aws` service provider related)
  • type: bug (A code related bug.)

Comments


chburmeister commented Apr 19, 2022

A note for the community

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Problem

After upgrading from vector 0.20.1 to 0.21.0, the AWS ElasticSearch sink (nowadays AWS OpenSearch) doesn't work anymore, as the documented way of passing AWS credentials via credential_process is not implemented in the new AWS Rust SDK. We are using this setup for working with temporary credentials provided by a vault-agent-sidecar. Is there any workaround until awslabs/aws-sdk-rust#261 has been solved?

Configuration

No response

Version

vector 0.21.0 (x86_64-unknown-linux-musl c1edb89 2022-04-14)

Debug Output

2022-04-19T06:50:58.253347Z  INFO sink{component_kind="sink" component_id=elastic-out-all component_type=elasticsearch component_name=elastic-out-all}:request{request_id=53}:provide_credentials{provider=default_chain}: aws_config::meta::credentials::chain: provider in chain did not provide credentials provider=Environment context=environment variable not set
2022-04-19T06:50:58.253463Z  INFO sink{component_kind="sink" component_id=elastic-out-all component_type=elasticsearch component_name=elastic-out-all}:request{request_id=53}:provide_credentials{provider=default_chain}: aws_config::meta::credentials::chain: provider in chain did not provide credentials provider=Profile context=profile `default` did not contain credential information
2022-04-19T06:50:58.253481Z  INFO sink{component_kind="sink" component_id=elastic-out-all component_type=elasticsearch component_name=elastic-out-all}:request{request_id=53}:provide_credentials{provider=default_chain}: aws_config::meta::credentials::chain: provider in chain did not provide credentials provider=WebIdentityToken context=$AWS_WEB_IDENTITY_TOKEN_FILE was not set
2022-04-19T06:50:58.253504Z  INFO sink{component_kind="sink" component_id=elastic-out-all component_type=elasticsearch component_name=elastic-out-all}:request{request_id=53}:provide_credentials{provider=default_chain}: aws_config::meta::credentials::chain: provider in chain did not provide credentials provider=EcsContainer context=ECS provider not configured
2022-04-19T06:50:58.255082Z  INFO sink{component_kind="sink" component_id=elastic-out-all component_type=elasticsearch component_name=elastic-out-all}:request{request_id=53}:provide_credentials{provider=default_chain}: aws_config::meta::credentials::chain: provider in chain did not provide credentials provider=Ec2InstanceMetadata context=could not communicate with imds: io error: error trying to connect: tcp connect error: Network unreachable (os error 101)
2022-04-19T06:50:58.255134Z ERROR sink{component_kind="sink" component_id=elastic-out-all component_type=elasticsearch component_name=elastic-out-all}:request{request_id=53}: vector::sinks::util::retries: Unexpected error type; dropping the request. error=The credential provider was not enabled: no providers in chain provided credentials
2022-04-19T06:50:58.255173Z ERROR sink{component_kind="sink" component_id=elastic-out-all component_type=elasticsearch component_name=elastic-out-all}:request{request_id=53}: vector_core::stream::driver: Service call failed. error=CredentialsNotLoaded { context: "no providers in chain provided credentials" } request_id=53

Example Data

No response

Additional Context

No response

References

awslabs/aws-sdk-rust#261
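
A triage sketch for the failure reported above, added here as an example; it is not part of the issue and not code from Vector or the AWS SDK. It reads the `aws_config` chain messages from the debug output together with the AWS profile file and flags the case where the profile relies only on `credential_process` while the Profile provider reports no credential information. The log sample is abridged from the issue, the profile file and helper path are constructed, and the `STATIC_KEYS` heuristic is an assumption.

```python
import configparser
import re

# Abridged from the issue's debug output: timestamps and span fields dropped.
SAMPLE_LOG = """\
INFO aws_config::meta::credentials::chain: provider in chain did not provide credentials provider=Environment context=environment variable not set
INFO aws_config::meta::credentials::chain: provider in chain did not provide credentials provider=Profile context=profile `default` did not contain credential information
INFO aws_config::meta::credentials::chain: provider in chain did not provide credentials provider=WebIdentityToken context=$AWS_WEB_IDENTITY_TOKEN_FILE was not set
INFO aws_config::meta::credentials::chain: provider in chain did not provide credentials provider=EcsContainer context=ECS provider not configured
INFO aws_config::meta::credentials::chain: provider in chain did not provide credentials provider=Ec2InstanceMetadata context=could not communicate with imds: io error
ERROR vector_core::stream::driver: Service call failed. error=CredentialsNotLoaded { context: "no providers in chain provided credentials" } request_id=53
"""

# Constructed profile file; the helper path is a placeholder.
SAMPLE_PROFILE = """\
[default]
credential_process = /path/to/credential-helper
"""

CHAIN_RE = re.compile(r"did not provide credentials provider=(\S+) context=(.*)$")
# Assumption: profile keys that would supply credentials without a helper process.
STATIC_KEYS = {"aws_access_key_id", "role_arn", "web_identity_token_file", "sso_start_url"}


def chain_failures(log_text):
    """Return [(provider, context)] in the order the default chain tried them."""
    return [m.groups() for line in log_text.splitlines() if (m := CHAIN_RE.search(line))]


def diagnose(log_text, profile_text, profile="default"):
    """Flag the case from this issue: the profile relies on credential_process,
    yet the Profile provider reported that it found no credential information."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(profile_text)
    section = cfg[profile] if cfg.has_section(profile) else {}
    only_process = "credential_process" in section and not STATIC_KEYS & set(section)
    failures = dict(chain_failures(log_text))
    profile_empty = "did not contain credential information" in failures.get("Profile", "")
    exhausted = "CredentialsNotLoaded" in log_text
    return {
        "providers_tried": list(failures),
        "chain_exhausted": exhausted,
        "credential_process_ignored": only_process and profile_empty and exhausted,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_PROFILE))
```
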

@chburmeister
Author

Seems as if a vector-own credential-process is on the way to be implemented: #11985

@jszwedko
Member

I attempted to write a custom provider for this today but ran into: smithy-lang/smithy-rs#1354

@jszwedko
Member

Started a PR to add it directly in the AWS SDK: smithy-lang/smithy-rs#1356

@jszwedko
Member

This will be included in 0.23.0 as it was integrated into the AWS SDK.
