aws: Adding sts endpoint for CW and ES plugins #2501
Conversation
plugins/out_es/es.c
Outdated
| { | ||
| FLB_CONFIG_MAP_STR, "aws_sts_endpoint", "", | ||
| 0, FLB_TRUE, offsetof(struct flb_elasticsearch, aws_sts_endpoint), | ||
| "STS endpoint" |
There was a problem hiding this comment.
Description should be longer. Like: "Custom endpoint for the AWS STS API, used with the AWS_Role_ARN option"
There was a problem hiding this comment.
Also, since STS endpoint only makes sense if aws_role_arn is also specified, add a check for that. If aws_sts_endpoint is present without role_arn, print an error message
| { | ||
| FLB_CONFIG_MAP_STR, "sts_endpoint", NULL, | ||
| 0, FLB_FALSE, 0, | ||
| "Specify a custom sts endpoint for the CloudWatch Logs API" |
There was a problem hiding this comment.
"Specify a custom endpoint for the STS API, can be used with the role_arn parameter"
There was a problem hiding this comment.
Also, since STS endpoint only makes sense if role_arn is also specified, add a check for that. If sts_endpoint is present without role_arn, print and error message
6378413 to
3636223
Compare
| } | ||
|
|
||
| if (ctx->sts_endpoint && !ctx->role_arn) { | ||
| flb_plg_error(ctx->ins, " 'aws_role_arn' is a required option to use " |
There was a problem hiding this comment.
In the CloudWatch plugin its just called role_arn
There was a problem hiding this comment.
Also see my other comment, I just realized this error isn't true or needed since we use sts_endpoint in the EKS provider
plugins/out_es/es_conf.c
Outdated
| if (ctx->aws_sts_endpoint && !tmp) { | ||
| flb_plg_error(ctx->ins, " 'aws_role_arn' is a required option to use " |
There was a problem hiding this comment.
Sorry... I just realized... since we use sts_endpoint in the EKS Provider, this error message is no longer true. Role_arn is not required.
There was a problem hiding this comment.
Does this mean that role_arn is not required even for the sts provider? I don't fully understand why the error message is not required. Can you explain.
There was a problem hiding this comment.
Basically there are two cases:
- role_arn is present, in which case we use the STS Provider which needs both the sts endpoint and the role as arguments
- role_arn is not present, in which case we use the standard chain provider. That can contain the EKS provider, so it needs the sts endpoint as an argument
Originally, I had forgotten about case #2, so I thought #1 was the only case.
In both cases, the custom sts endpoint can be used
There was a problem hiding this comment.
ooh! This makes sense! Thank you
src/aws/flb_aws_credentials_sts.c
Outdated
| @@ -568,8 +576,11 @@ struct flb_aws_provider *flb_eks_provider_create(struct flb_config *config, | |||
| return NULL; | |||
| } | |||
|
|
|||
| implementation->endpoint = flb_aws_endpoint("sts", region); | |||
| if (!implementation->endpoint) { | |||
| implementation->endpoint = removeProtocol(sts_endpoint, "https://"); | |||
There was a problem hiding this comment.
Move this line inside of the if block below; strstr behavior is undefined if any of the parameters are NULL, so this code might work for you on your compiler, but it might not work on others: https://stackoverflow.com/questions/19579574/what-is-behavior-of-null-parameters-to-strstr
src/aws/flb_aws_credentials_sts.c
Outdated
| if (implementation->endpoint) { | ||
| implementation->custom_endpoint = FLB_TRUE; | ||
| }else{ | ||
| implementation->custom_endpoint = FLB_TRUE; |
There was a problem hiding this comment.
I think you should set it to false in this case?
src/aws/flb_aws_util.c
Outdated
| char *removeProtocol (char *endpoint, char *protocol) { | ||
| if (strstr(endpoint, protocol)){ | ||
| endpoint = endpoint + strlen(protocol); | ||
| } | ||
| return endpoint; | ||
| } | ||
|
|
There was a problem hiding this comment.
strstr checks substring... we want to check prefix.
See here: https://stackoverflow.com/questions/4770985/how-to-check-if-a-string-starts-with-another-string-in-c
I like the second answer using strncmp
There was a problem hiding this comment.
Oh yes! I see how using strstr is more error prone here. I will switch to strncmp.
3636223 to
f3d34e9
Compare
src/aws/flb_aws_credentials_sts.c
Outdated
| else { | ||
| implementation->custom_endpoint = FLB_FALSE; | ||
| goto error; | ||
| } |
There was a problem hiding this comment.
Am I reading this code wrong... because it looks like if there is no custom endpoint, then we goto error and fail initialization...
src/aws/flb_aws_credentials_sts.c
Outdated
| else { | ||
| implementation->custom_endpoint = FLB_FALSE; | ||
| goto error; | ||
| } |
There was a problem hiding this comment.
Same question... looks like it will goto error if there is no custom endpoint
f3d34e9 to
513982a
Compare
|
@MeghnaPrabhu thanks for this PR. Please resolve the conflicts on src/aws/flb_aws_util.c |
Signed-off-by: Meghna Prabhu <meghnapr@amazon.com>
Signed-off-by: Meghna Prabhu <meghnapr@amazon.com>
Signed-off-by: Meghna Prabhu <meghnapr@amazon.com>
Signed-off-by: Meghna Prabhu <meghnapr@amazon.com>
Signed-off-by: Wesley Pettit <wppttt@amazon.com>
Signed-off-by: Wesley Pettit <wppttt@amazon.com>
Signed-off-by: Wesley Pettit <wppttt@amazon.com>
513982a to
677a155
Compare
Added STS endpoint support for CW and ES plugin.
Add sts_endpoint option in eks_provider and aws_sts_provider
Added support to specify endpoint and sts_endpoint with or without the protocol.
E.g. endpoint logs.us-west-2.amazonaws.com and endpoint https://logs.us-west-2.amazonaws.com will work.
Debug Logs
Valgrind Logs
valgrind_aws_credentials.log
valgrind_aws_credentials_sts.log
Signed-off-by: Meghna Prabhu meghnapr@amazon.com
Enter
[N/A]in the box, if an item is not applicable to your change.Testing
Before we can approve your change; please submit the following in a comment:
Documentation
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.