AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable is not respected when set #811

Open
thisfred opened this issue Apr 25, 2024 · 6 comments


@thisfred

We are trying to use FluentBit in an AWS IoT Greengrass Component to log to CloudWatch. The way Greengrass Components authenticate to AWS services is through a Token Exchange Service (which is another Greengrass component) running on the same device. In order to have code using the AWS SDKs be able to ask this service for credentials, an environment variable named AWS_CONTAINER_CREDENTIALS_FULL_URI can be set. Unfortunately, aws-for-fluent-bit (or at least the cloudwatch_logs plugin part of it) does not seem to detect the presence of this variable, and instead only looks for AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, which doesn't work for the purposes of using anything running on the local device instead of in AWS.

Example invocation with environment variables passed:

env | grep -i aws
AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH=/path/to/ipc.socket
AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:33925/2016-11-01/credentialprovider/
AWS_DEFAULT_REGION=us-east-1
AWS_REGION=us-east-1
AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH_FOR_COMPONENT=/path/to/ipc.socket
AWS_CONTAINER_AUTHORIZATION_TOKEN=REDACTED
...

fluent-bit/bin/fluent-bit -i cpu -o cloudwatch_logs -p region=us-east-1 -p log_group_name=group_name -p log_stream_prefix=stream_prefix -p role_arn=[REDACTED] -vvv

Relevant log output:

[2024/04/24 22:13:28] [debug] [aws_credentials] Not initializing ECS Provider because AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set

Running commands in the same container that use the AWS SDK (like a boto request to S3) do successfully detect and use the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable, and are able to acquire the necessary credentials to talk to AWS services.
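
For reference alongside the report above, an added example (not part of the original thread, and not Fluent Bit's or the AWS SDKs' own code) of how a container credential provider can resolve its endpoint from these variables without sending the authorization token to an arbitrary host. The function name, the RELATIVE-before-FULL precedence and the plain-HTTP host allow-list are assumptions modelled on the behaviour of the AWS SDK for Python.

```python
import ipaddress
import os
from urllib.parse import urlsplit

# Assumption: fixed link-local endpoints accepted over plain HTTP
# (ECS task metadata and EKS Pod Identity agent addresses).
ALLOWED_HTTP_HOSTS = {"169.254.170.2", "169.254.170.23", "fd00:ec2::23"}
ECS_BASE = "http://169.254.170.2"


def _is_loopback(host):
    """True for 'localhost' and literal loopback IPs; names are not resolved."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is rejected rather than looked up


def resolve_container_endpoint(env=None):
    """Return (url, headers) for the credential request, or None if unset."""
    env = os.environ if env is None else env
    relative = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    full = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if relative:
        # ECS case: the path is appended to the fixed task endpoint.
        url = ECS_BASE + relative
    elif full:
        # Greengrass / EKS case: the whole URL comes from the environment,
        # so the host is checked before any token is attached to a request.
        parts = urlsplit(full)
        host = parts.hostname or ""
        trusted = parts.scheme == "https" or (
            parts.scheme == "http"
            and (host in ALLOWED_HTTP_HOSTS or _is_loopback(host)))
        if not trusted:
            raise ValueError(f"refusing credential endpoint {full!r}")
        url = full
    else:
        return None
    headers = {}
    token = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN")
    if token:
        if "\r" in token or "\n" in token:
            raise ValueError("authorization token is not a legal header value")
        headers["Authorization"] = token
    return url, headers
```

With the environment shown in the report, this resolves to the `http://localhost:33925/...` Token Exchange Service URL with the token in the `Authorization` header; a plain-HTTP URL pointing at a non-loopback host is refused.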

@PettitWesley
Contributor

We're working on EKS Pod identity support, which involves refactoring the HTTP Provider. We're adding support for this env var in the same feature: fluent/fluent-bit#8826

Please take a look.

@PettitWesley
Contributor

PettitWesley commented May 17, 2024

AWS Distro PR diff: PettitWesley/fluent-bit#32

@PettitWesley
Contributor

These images contain the feature support along with some other upcoming work we are testing:

# Base image
144718711470.dkr.ecr.us-west-2.amazonaws.com/aws-for-fluent-bit:grace-input-chunk-check
# Image with Fluent Bit ECS Init helper added: 
# https://github.com/aws-samples/amazon-ecs-firelens-examples/tree/mainline?tab=readme-ov-file#aws-for-fluent-bit-init-tag-examples
144718711470.dkr.ecr.us-west-2.amazonaws.com/aws-for-fluent-bit:init-grace-input-chunk-check

@chanjin-amzn

Hi team, is there an update on this? It will be really good so that other AWS IoT Greengrass components can leverage FluentBit

@ohookins

I'm also looking for the EKS Pod Identity support in fluent-bit - is there any progress on this?

@wilsonredd

Any updates on this? We too are trying to use FluentBit with Greengrass and this is a blocker for us. Is there a way to get access to the ECR images referenced above to validate this feature?
