
[BUG] Cross account iam roles do not seem to work #263

Open
pastibog opened this issue Oct 25, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@pastibog

pastibog commented Oct 25, 2024

Describe the bug
Trying to send data from an EC2 instance to an OS cluster in a different account with IAM roles doesn't seem to work.

To Reproduce

  • created a policy on the logstash EC2 (Account A) that can assume a role (in the OpenSearch account, Account B) that is "godmode" over the cluster
    Account A policy attached to logstash EC2:
{
    "Statement": [
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:role/<opensearch_role>"
            ]
        }
    ],
    "Version": "2012-10-17"
}

Account B opensearch_role:

{
    "Statement": [
        {
            "Action": "es:*",
            "Effect": "Allow",
            "Resource": [
                "domain_arn"
            ]
        }
    ],
    "Version": "2012-10-17"
}

Account B opensearch role trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_a>:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
  • updated the above-mentioned role's trust relationship to allow the logstash EC2's role to assume it
  • tested that the EC2 instance can assume it with an aws sts assume-role call; works fine

Redacted logstash config:

# outer output block, implied by the trailing brace in the posted snippet
output {
  opensearch {
    hosts => ["https://host:443"]
    index  => "test-name-%{+YYYY.MM.dd}"
    ecs_compatibility => disabled
    auth_type => {
      type => "aws_iam"
      region => "eu-west-1"
      service_name => "es"
      profile => "research"
    }
  }
}

We do something similar with fluent-bit, where it works fine.
Was wondering if this is not supported right now.

@pastibog pastibog added bug Something isn't working untriaged labels Oct 25, 2024
@pastibog (Author)

Forgot to mention that our config file looks like this:

[default]
region = <region>
credential_source = Ec2InstanceMetadata

[profile research]
source_profile = default
region = <region>
role_arn = arn:aws:iam::XXXXXXXXXXXX:role/role_in_account_B
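The reporter's setup chains an EC2 instance profile in Account A into a role in Account B through the `research` profile. The following is an added example, not code from the logstash-output-opensearch project or from the reporter: it parses an AWS config file shaped like the one above, follows the `source_profile` chain to the profile that actually holds credentials, and reviews the two posted policies for the least-privilege points a defender would check (a wildcard account in the AssumeRole `Resource`, and a trust policy that trusts a whole account rather than the specific EC2 role). Account ids, the role name and the region are constructed placeholders.

```python
"""Offline checks for a cross-account AssumeRole chain (EC2 role in Account A
-> role in Account B -> OpenSearch domain). Added example; sample inputs are
constructed from the issue text with placeholder account ids."""
import configparser
import json
import re

ACCOUNT_A = "111111111111"  # placeholder: account of the logstash EC2 instance
ACCOUNT_B = "222222222222"  # placeholder: account of the OpenSearch domain

# Constructed ~/.aws/config mirroring the reporter's profile layout.
AWS_CONFIG = """
[default]
region = eu-west-1
credential_source = Ec2InstanceMetadata

[profile research]
source_profile = default
region = eu-west-1
role_arn = arn:aws:iam::222222222222:role/role_in_account_B
"""

# Identity policy attached to the EC2 role in Account A (wildcard account, as posted).
ASSUME_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                 "Resource": ["arn:aws:iam::*:role/role_in_account_B"]}]
}""")

# Trust policy on the role in Account B (trusts Account A's root, as posted).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]
}""")

ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}|\*):(root|role/[\w+=,.@/-]+)$")


def parse_aws_config(text):
    """Return {profile_name: {key: value}}, stripping the 'profile ' prefix
    the AWS CLI uses for non-default sections in ~/.aws/config."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def resolve_chain(profiles, name, _seen=None):
    """Follow source_profile links to the profile that holds credentials.
    Returns the ordered profile names; a dangling reference or a loop raises,
    since either breaks role assumption at runtime."""
    _seen = (_seen or []) + [name]
    if _seen.count(name) > 1:
        raise ValueError("source_profile loop: " + " -> ".join(_seen))
    if name not in profiles:
        raise ValueError(f"profile {name!r} referenced but not defined")
    p = profiles[name]
    if "role_arn" in p:
        if "source_profile" not in p and "credential_source" not in p:
            raise ValueError(f"profile {name!r} has role_arn but no credential source")
        if "source_profile" in p:
            return resolve_chain(profiles, p["source_profile"], _seen)
    return _seen


def account_of(arn):
    """Extract the 12-digit account id (or '*') from an IAM role/root ARN."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role or root ARN: {arn}")
    return m.group(1)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def review_assume_policy(policy, expected_account):
    """Findings for the Account A identity policy: the AssumeRole Resource
    should pin the exact role in Account B, not any account's role of that name."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(st["Action"])):
            continue
        for r in _as_list(st["Resource"]):
            acct = "*" if r == "*" else account_of(r)
            if acct == "*":
                findings.append(f"{r}: wildcard account; pin to {expected_account}")
            elif acct != expected_account:
                findings.append(f"{r}: account {acct} is not the target {expected_account}")
    return findings


def review_trust_policy(policy, caller_account):
    """Findings for the Account B trust policy: the principal should be the
    specific EC2 role in Account A, never a wildcard or a foreign account."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal to assume the role")
            continue
        for p in _as_list(principal.get("AWS", [])):
            acct = account_of(p)
            if acct != caller_account:
                findings.append(f"{p}: trusts account {acct}, expected {caller_account}")
            elif p.endswith(":root"):
                findings.append(f"{p}: trusts the whole account; name the EC2 role instead")
    return findings


if __name__ == "__main__":
    profiles = parse_aws_config(AWS_CONFIG)
    print("credential chain:", " -> ".join(resolve_chain(profiles, "research")))
    for f in review_assume_policy(ASSUME_POLICY, ACCOUNT_B) + review_trust_policy(TRUST_POLICY, ACCOUNT_A):
        print("finding:", f)
```

Run against the constructed inputs it reports the chain `research -> default` (ending at `Ec2InstanceMetadata`), flags the `arn:aws:iam::*:role/...` resource for not pinning Account B, and notes that the trust policy trusts Account A's root rather than the EC2 role; the same functions can be pointed at a real `~/.aws/config` and exported policy documents.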

@dblock dblock removed the untriaged label Nov 18, 2024
@dblock (Member)

dblock commented Nov 18, 2024

[Catch All Triage - 1, 2, 3, 4, 5]
