Skip to content

Commit

Permalink
Merge remote-tracking branch 'upstream/main' into cel/okta_oauth2
Browse files Browse the repository at this point in the history
  • Loading branch information
ShourieG committed Sep 6, 2023
2 parents cf095ab + 4cf4292 commit 687d646
Show file tree
Hide file tree
Showing 5 changed files with 14 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Mark `translate_sid` processor is GA. {issue}36279[36279] {pull}36280[36280]
- dns processor: Add support for forward lookups (`A`, `AAAA`, and `TXT`). {issue}11416[11416] {pull}36394[36394]
- Mark `syslog` processor as GA, improve docs about how processor handles syslog messages. {issue}36416[36416] {pull}36417[36417]
- Add support for AWS external IDs. {issue}36321[36321] {pull}36322[36322]

*Auditbeat*

Expand Down
3 changes: 3 additions & 0 deletions filebeat/docs/modules/aws.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,9 @@ The `aws` module requires AWS credentials configuration in order to make AWS API
Users can either use `access_key_id`, `secret_access_key` and/or
`session_token`, or use `role_arn` AWS IAM role, or use shared AWS credentials file.

Users may use `external_id` to support assuming a role in another account, see
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html[the AWS documentation for use of external IDs].

Please see <<aws-credentials-options,AWS credentials options>> for more details.

include::../include/gs-link.asciidoc[]
Expand Down
3 changes: 3 additions & 0 deletions x-pack/filebeat/module/aws/_meta/docs.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,9 @@ The `aws` module requires AWS credentials configuration in order to make AWS API
Users can either use `access_key_id`, `secret_access_key` and/or
`session_token`, or use `role_arn` AWS IAM role, or use shared AWS credentials file.

Users may use `external_id` to support assuming a role in another account, see
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html[the AWS documentation for use of external IDs].

Please see <<aws-credentials-options,AWS credentials options>> for more details.

include::../include/gs-link.asciidoc[]
Expand Down
7 changes: 6 additions & 1 deletion x-pack/libbeat/common/aws/credentials.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ type ConfigAWS struct {
SharedCredentialFile string `config:"shared_credential_file"`
Endpoint string `config:"endpoint"`
RoleArn string `config:"role_arn"`
ExternalID string `config:"external_id"`
ProxyUrl string `config:"proxy_url"`
FIPSEnabled bool `config:"fips_enabled"`
TLS *tlscommon.Config `config:"ssl" yaml:"ssl,omitempty" json:"ssl,omitempty"`
Expand Down Expand Up @@ -149,7 +150,11 @@ func addAssumeRoleProviderToAwsConfig(config ConfigAWS, awsConfig *awssdk.Config
logger := logp.NewLogger("addAssumeRoleProviderToAwsConfig")
logger.Debug("Switching credentials provider to AssumeRoleProvider")
stsSvc := sts.NewFromConfig(*awsConfig)
stsCredProvider := stscreds.NewAssumeRoleProvider(stsSvc, config.RoleArn)
stsCredProvider := stscreds.NewAssumeRoleProvider(stsSvc, config.RoleArn, func(aro *stscreds.AssumeRoleOptions) {
if config.ExternalID != "" {
aro.ExternalID = awssdk.String(config.ExternalID)
}
})
awsConfig.Credentials = stsCredProvider
}

Expand Down
1 change: 1 addition & 0 deletions x-pack/libbeat/docs/aws-credentials-config.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ To configure AWS credentials, either put the credentials into the {beatname_uc}
* *credential_profile_name*: profile name in shared credentials file.
* *shared_credential_file*: directory of the shared credentials file.
* *role_arn*: AWS IAM Role to assume.
* *external_id*: external ID to use when assuming a role in another account, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html[the AWS documentation for use of external IDs].
* *proxy_url*: URL of the proxy to use to connect to AWS web services. The syntax is `http(s)://<IP/Hostname>:<port>`
* *fips_enabled*: Enabling this option instructs {beatname_uc} to use the FIPS endpoint of a service. All services used by {beatname_uc} are FIPS compatible except for `tagging` but only certain regions are FIPS compatible. See https://aws.amazon.com/compliance/fips/ or the appropriate service page, https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html, for a full list of FIPS endpoints and regions.
* *ssl*: This specifies SSL/TLS configuration. If the ssl section is missing, the host's CAs are used for HTTPS connections. See <<configuration-ssl>> for more information.
Expand Down

0 comments on commit 687d646

Please sign in to comment.