Allow external_id when assume_role is used in AWS sources/sinks #17739
Labels
provider: aws
Anything `aws` service provider related
type: feature
A value-adding code addition that introduces new functionality.
A note for the community
AWS recommends adding the `external_id` when `assume_role` is used with 3rd-party AWS resources (details in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html). However,
Use Cases
It's useful when a role from another AWS account needs to be assumed, in order to prevent the confused deputy problem.
Attempted Solutions
Tried to use `auth.credentials_file`, but as I'm also using IRSA, I followed the documentation present in https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html and tried to configure the credentials file by setting the `default` profile as the web-identity and the profile `awslogs` with the `role_arn` and `external_id`. However, it didn't work because it complained about needing the `region` in the default one (the environment variable was set properly, and I also tried to add the `region` parameter in the credentials file, but it's not supposed to be there and it failed). I also tried other alternatives, but all of them failed.
Proposal
Add `external_id` to the `auth` parameters related to AWS resources. As an example, the following code should work when AWS CloudWatch Logs is used as a sink (details in https://vector.dev/docs/reference/configuration/sinks/aws_cloudwatch_logs/#auth):
References
No response
Version
0.30.0
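What the `external_id` actually buys you, as an added example (not code from the original issue, from Vector, or from AWS): a small Python model of how STS evaluates a role trust policy that carries the `sts:ExternalId` condition from the AWS page linked above. The account IDs, role name and external ID strings are constructed placeholders, and the evaluator only implements the `Principal` account match and the `StringEquals` condition needed for this scenario, not the real IAM engine. The deputy here is a log-shipping service (such as one running Vector) in account 111122223333 that assumes roles in its customers' accounts.

```python
"""Toy model of the confused-deputy check enforced by `sts:ExternalId`.

Added example for this issue, not Vector's or AWS's code.  Account IDs,
role names and external IDs are constructed placeholders.
"""
import json

# Trust policy on a role in customer A's account, modelled on the pattern in
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
# 111122223333 is the third-party (deputy) account; "customer-a-7f3c" is the
# external ID customer A agreed with the third party.  All values constructed.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "customer-a-7f3c"}}
  }]
}
""")

# The deputy's own identity, used for every AssumeRole call it makes.
THIRD_PARTY = "arn:aws:iam::111122223333:role/log-shipper"


def principal_account(arn):
    """Return the 12-digit account ID field of an IAM principal ARN."""
    return arn.split(":")[4]


def statement_matches(stmt, caller_arn, external_id):
    """True if one Allow statement permits this AssumeRole call."""
    if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
        return False
    trusted = stmt["Principal"]["AWS"]
    trusted = [trusted] if isinstance(trusted, str) else trusted
    # An account ":root" principal trusts every IAM principal in that account.
    if not any(principal_account(t) == principal_account(caller_arn) for t in trusted):
        return False
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    if "sts:ExternalId" in cond:
        # IAM semantics: a condition key missing from the request context
        # makes the condition false (no IfExists / Null operator here).
        if external_id is None or external_id != cond["sts:ExternalId"]:
            return False
    return True


def assume_role_allowed(policy, caller_arn, external_id=None):
    """IAM is default-deny: the call is allowed only if a statement matches."""
    return any(statement_matches(s, caller_arn, external_id) for s in policy["Statement"])


def scenario():
    """Outcome of four AssumeRole calls against customer A's role.

    Customer B is another tenant of the same third party.  B knows (or
    guesses) customer A's role ARN and configures the third party to ship
    B's logs using that ARN: the classic confused-deputy setup.
    """
    return {
        # Legitimate: deputy acting for A passes A's external ID.
        "a_with_id": assume_role_allowed(TRUST_POLICY, THIRD_PARTY, "customer-a-7f3c"),
        # Deputy acting for B passes B's external ID into A's role: denied.
        "b_with_own_id": assume_role_allowed(TRUST_POLICY, THIRD_PARTY, "customer-b-91e0"),
        # Deputy that cannot send an external ID at all (the gap this
        # issue is about): denied once A's policy requires the condition.
        "b_no_id": assume_role_allowed(TRUST_POLICY, THIRD_PARTY, None),
        # Unrelated account that somehow learned the string: still denied
        # because the Principal element does not trust it.
        "outsider": assume_role_allowed(TRUST_POLICY, "arn:aws:iam::999999999999:root",
                                        "customer-a-7f3c"),
    }


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

The last two cases are the practical consequence for a tool like Vector: it is the deputy, and the external ID is the only thing in the request that ties an AssumeRole call to the customer it is being made for. A customer can only add the `sts:ExternalId` condition to their trust policy if the deputy has a configuration knob for sending the per-customer value; without one, enabling the condition breaks the integration, so the customer is left with the weaker policy.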