[Request] Document known issue caused by credentials error with S3+SQS input in 8.4.0

[dedemorton]

Description

The AWS credential issue introduced in 8.4.0 (elastic/beats#32888) has been fixed (elastic/integrations#4103) in AWS package version 1.23.4.
Customers running into the issue can upgrade the AWS integration package to 1.23.4 to get the temporary fix applied.

Might also want to update the troubleshooting guide.

Collaboration

• The docs team will lead producing the content

Contact Person:
@aspacca

Suggested Target Release

Release notes for 8.4.0 and 8.4.1

[aspacca]

as a workaround directly in beats users can set the endpoint/var.endpoint for aws inputs/modules to an empty string

in this case they must be sure to have a region set for aws either from env variable, credentials or instance profile, or setting default_region/var.default_region for aws inputs/modules

[kaiyan-sheng]

And I would not call this issue being fixed by 1.23.4 AWS package. This is only a workaround for certain use cases (with default domain amazonaws.com).

[dedemorton]

@kaiyan-sheng What do we recommend for users who are not using the default domain? Should they wait to upgrade?

[aspacca]

And I would not call this issue being fixed by 1.23.4 AWS package. This is only a workaround for certain use cases (with default domain amazonaws.com).

we have to align on the definition of "fixed" :)

Having an empty endpoint prevents the bug to be triggered and has the same behaviour 8.4.2 will have regardless of the content of the endpoint

Still, if anyone will set and endpoint the bug will be triggered again: so far I haven't find a scenario where the endpoint has to be set, or not setting it along with defining a region prevents the integration to work.

On retrospective, without the urgency to release a fix, we might have removed at all the endpoint setting from the involved integration: and indeed I suggest to do that on the long run, since the setting will be indeed ignored in 8.4.2.
Instead we should expose the default_region setting

What do we recommend for users who are not using the default domain? Should they wait to upgrade?

They have to leave the endpoint empty anyway, so that the bug won't be triggered.
I expect that in the majority of the case this will work OOTB.
If not they have to set an AWS region (either from env variable, credentials or instance profile) where the Agent is running.
At the moment it is not possible to set an AWS region directly from the integration if this is not set where the Agent is running. (see my point above)

[aspacca]

@dedemorton
Last important thing: fips is broken until 8.4.2, even upgrading the integration to 1.23.4

Users relying on fips should avoid to upgrade

[dedemorton]

@aspacca Do you think this (fips problem) should be documented as another "known problem" or just mentioned in the section we're adding?

[dedemorton]

@aspacca For now, I have added a note to the Beats documentation. Let me know if I need to do more. Also let me know if we need to add this to the Elastic Agent docs.

[aspacca]

@dedemorton it looks fine for me