Allow credential_profile_name and shared_credential_file with role_arn (

#24174) (#24370) (cherry picked from commit 8aaa289)
elastic · Mar 8, 2021 · 70f9856 · 70f9856
1 parent 8100dd1
commit 70f9856
Show file tree

Hide file tree

Showing 4 changed files with 110 additions and 14 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -146,6 +146,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix CPU usage metrics on VMs with dynamic CPU config {pull}23154[23154]
 - Fix panic due to unhandled DeletedFinalStateUnknown in k8s OnDelete {pull}23419[23419]
 - Fix error loop with runaway CPU use when the Kafka output encounters some connection errors {pull}23484[23484]
+- Allow configuring credential_profile_name and shared_credential_file when using role_arn. {pull}24174[24174]
 - Fix issue discovering docker containers and metadata after reconnections {pull}24318[24318]
 
 

diff --git a/metricbeat/docs/aws-credentials-examples.asciidoc b/metricbeat/docs/aws-credentials-examples.asciidoc
@@ -49,3 +49,17 @@ metricbeat.modules:
     - ec2
   credential_profile_name: test-mb
 ----
+
+* Use IAM role ARN with shared AWS credentials file
++
+[source,yaml]
+----
+metricbeat.modules:
+- module: aws
+  period: 5m
+  role_arn: arn:aws:iam::123456789012:role/test-mb
+  shared_credential_file: /Users/mb/.aws/credentials_backup
+  credential_profile_name: test
+  metricsets:
+    - ec2
+----
diff --git a/x-pack/libbeat/common/aws/credentials.go b/x-pack/libbeat/common/aws/credentials.go
@@ -55,19 +55,6 @@ func GetAWSCredentials(config ConfigAWS) (awssdk.Config, error) {
 		return awsConfig, nil
 	}
 
-	// Assume IAM role if iam_role config parameter is given
-	if config.RoleArn != "" {
-		logger.Debug("Using role_arn for AWS credential")
-		awsConfig, err := external.LoadDefaultAWSConfig()
-		if err != nil {
-			return awsConfig, errors.Wrap(err, "external.LoadDefaultAWSConfig failed when using role_arn")
-		}
-		stsSvc := sts.New(awsConfig)
-		stsCredProvider := stscreds.NewAssumeRoleProvider(stsSvc, config.RoleArn)
-		awsConfig.Credentials = stsCredProvider
-		return awsConfig, nil
-	}
-
 	// If accessKeyID, secretAccessKey or sessionToken is not given, iam_role is not given, then load from default config
 	// Please see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
 	// with more details.
@@ -88,8 +75,18 @@ func GetAWSCredentials(config ConfigAWS) (awssdk.Config, error) {
 
 	awsConfig, err := external.LoadDefaultAWSConfig(options...)
 	if err != nil {
-		return awsConfig, errors.Wrap(err, "external.LoadDefaultAWSConfig failed when using shared credential profile")
+		return awsConfig, errors.Wrap(err, "external.LoadDefaultAWSConfig failed with shared credential profile given")
 	}
+
+	if config.RoleArn == "" {
+		return awsConfig, nil
+	}
+
+	// Assume IAM role if iam_role config parameter is given
+	logger.Debug("Using role_arn for AWS credential")
+	stsSvc := sts.New(awsConfig)
+	stsCredProvider := stscreds.NewAssumeRoleProvider(stsSvc, config.RoleArn)
+	awsConfig.Credentials = stsCredProvider
 	return awsConfig, nil
 }
 

diff --git a/x-pack/libbeat/docs/aws-credentials-config.asciidoc b/x-pack/libbeat/docs/aws-credentials-config.asciidoc
@@ -78,6 +78,13 @@ the home path depends on the user that manages the service, so the `shared_crede
 https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html[Create Shared Credentials File]
 for more details.
 
+* Use `role_arn`
+
+If `access_key_id` and `secret_access_key`, `credential_profile_name` and/or
+`shared_credential_file` are not given, then {beatname_lc} will check for
+`role_arn`. `role_arn` is used to specify which AWS IAM role to assume
+for generating temporary credentials.
+
 If running on Docker, the credential file needs to be provided via a volume
 mount. For example, with Metricbeat:
 
@@ -136,6 +143,83 @@ Instead, when you assume a role, it provides you with temporary security credent
 IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials.
 Please see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html[AssumeRole API documentation] for more details.
 
+Here are the steps to set up IAM role using AWS CLI for Metricbeat. Please replace
+`123456789012` with your own account ID.
+
+Step 1. Create `example-policy.json` file to include all permissions:
+[source,yaml]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "sqs:ReceiveMessage"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": "sqs:ChangeMessageVisibility",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor2",
+            "Effect": "Allow",
+            "Action": "sqs:DeleteMessage",
+            "Resource": "arn:aws:sqs:us-east-1:123456789012:test-fb-ks"
+        },
+        {
+            "Sid": "VisualEditor3",
+            "Effect": "Allow",
+            "Action": [
+                "sts:AssumeRole",
+                "sqs:ListQueues",
+                "tag:GetResources",
+                "ec2:DescribeInstances",
+                "cloudwatch:GetMetricData",
+                "ec2:DescribeRegions",
+                "iam:ListAccountAliases",
+                "sts:GetCallerIdentity",
+                "cloudwatch:ListMetrics"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+----
+
+Step 2. Create IAM policy using the `aws iam create-policy` command:
+----
+$ aws iam create-policy --policy-name example-policy --policy-document file://example-policy.json
+----
+
+Step 3. Create the JSON file `example-role-trust-policy.json` that defines the trust relationship of the IAM role
+[source,yaml]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
+        "Action": "sts:AssumeRole"
+    }
+}
+----
+
+Step 4. Create the IAM role and attach the policy:
+----
+$ aws iam create-role --role-name example-role --assume-role-policy-document file://example-role-trust-policy.json
+$ aws iam attach-role-policy --role-name example-role --policy-arn "arn:aws:iam::123456789012:policy/example-policy"
+----
+
+After these steps are done, IAM role ARN can be used for authentication in Metricbeat
+`aws` module.
+
 * Temporary security credentials
 
 Temporary security credentials has a limited lifetime and consists of an