Support for MFA in Functionbeat #9371
Comments
Also, as an aside - we create our log groups as part of our cloud-formation templates. Do you have some documentation of running Functionbeat outside of this deployment method? Thanks
@Fluro Thanks for the comment about MFA. It's certainly on my list and I will add it to the meta issue. Concerning the other point, we do not have docs at the moment for deploying Functionbeat outside of the CLI. We are planning to let you export the CloudFormation template generated by Functionbeat so you could modify it and use it in your own deployment. But for now, I think the following would work:
Let me know how it goes.
Hi, thanks for this (and sorry for the long delay!). Just FYI, this errors out if you have a profile with MFA in your environment, although removing the profile from your environment will allow the package to build:
Also, does the presence of functionbeat.yml also imply that a package has to be generated for each stack, with the log groups added as triggers in the AWS provider? Or is that ignored in lambda?
I'm trying to deploy Functionbeat with AWS CloudWatch but this is not working. I have correct permissions and my profile is working for AWS commands.
We endeavor to address Functionbeat use cases via the new Serverless Forwarder project (https://github.com/elastic/elastic-serverless-forwarder) with a better integration with serverless functionality provided by major cloud providers. Enhancements to the current Functionbeat will therefore be limited.
Hi,
Most organisations in AWS operate an account model which relies on logging into one account and then assuming roles in another account to deploy and configure resources, for example:
```
$ aws sts get-caller-identity
Enter MFA code for arn:aws:iam:::mfa/<MY_USERNAME>:
{
    "Account": "",
    "UserId": "********:<MY_USERNAME>",
    "Arn": "arn:aws:sts::*************:assumed-role/admin/<MY_USERNAME>"
}
```
Support for MFA and assuming roles in deploying Functionbeat would make it possible for me to use it with my organisation's account model:
```
$ ./functionbeat -v -e -d "*" deploy cloudwatch-elastic
2018-12-04T12:44:04.496+1300 INFO instance/beat.go:592 Home path: [/Users/james/scratch/elastic/functionbeat-6.5.1-darwin-x86_64] Config path: [/Users/james/scratch/elastic/functionbeat-6.5.1-darwin-x86_64] Data path: [/Users/james/scratch/elastic/functionbeat-6.5.1-darwin-x86_64/data] Logs path: [/Users/james/scratch/elastic/functionbeat-6.5.1-darwin-x86_64/logs]
2018-12-04T12:44:04.496+1300 DEBUG [beat] instance/beat.go:629 Beat metadata path: /Users/james/scratch/elastic/functionbeat-6.5.1-darwin-x86_64/data/meta.json
2018-12-04T12:44:04.496+1300 INFO instance/beat.go:599 Beat UUID: 9f7004df-0e54-4ca0-b4ed-513e486528f1
token provider required for AssumeRole with MFA
```
Terraform (another Go project) recently introduced support for profiles and MFA: hashicorp/terraform-provider-aws@b7d6e6a
Thanks
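
A pre-flight check for the situation reported in this issue, added here as an example and not part of the original thread or of Functionbeat: it scans an AWS shared config file for profiles whose `source_profile` chain includes a role assumed with `mfa_serial`, the setup this thread reports failing with "token provider required for AssumeRole with MFA". The sample config, profile names and ARNs are constructed, and treating `role_arn` plus `mfa_serial` as the trigger is an assumption drawn from that error message.

```python
import configparser

# Constructed sample of ~/.aws/config; names, account IDs and ARNs are placeholders.
SAMPLE_CONFIG = """
[default]
region = ap-southeast-2

[profile login]
region = ap-southeast-2

[profile admin]
role_arn = arn:aws:iam::111111111111:role/admin
source_profile = login
mfa_serial = arn:aws:iam::222222222222:mfa/example-user

[profile readonly]
role_arn = arn:aws:iam::111111111111:role/readonly
source_profile = login

[profile chained]
role_arn = arn:aws:iam::333333333333:role/deploy
source_profile = admin
"""

def load_profiles(text):
    """Parse shared-config text ("[default]" / "[profile NAME]") into {name: settings}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {(s[8:] if s.startswith("profile ") else s).strip(): dict(parser[s])
            for s in parser.sections()}

def mfa_hops(profiles, name):
    """Profiles in name's source_profile chain that assume a role with MFA."""
    hops, seen = [], set()
    while name in profiles and name not in seen:  # 'seen' guards against cycles
        seen.add(name)
        settings = profiles[name]
        if "role_arn" in settings and "mfa_serial" in settings:
            hops.append(name)
        name = settings.get("source_profile")
    return hops

def audit(text):
    """Map each profile that needs an MFA token to the hop(s) that require it."""
    profiles = load_profiles(text)
    return {n: hops for n in profiles if (hops := mfa_hops(profiles, n))}

if __name__ == "__main__":
    for profile, hops in audit(SAMPLE_CONFIG).items():
        print(f"{profile}: MFA token needed for {', '.join(hops)}")
```

Profiles reported here need an MFA token at deploy time; `chained` is flagged even though it has no `mfa_serial` of its own, because its source profile does.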