From 56722bf23360cfd867e51f53d614939b02f0c90e Mon Sep 17 00:00:00 2001
From: Simon Hildrew
Date: Wed, 2 Jan 2019 15:30:34 +0000
Subject: [PATCH] Add role session name option and use instead of worker_id
---
 README.md | 3 +++
 lib/logstash/inputs/kinesis.rb | 10 +++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index f93c3d9..491e4da 100644
--- a/README.md
+++ b/README.md
@@ -54,6 +54,9 @@ account. This role will be assumed after the default credentials or profile cred
 this is empty and a role will not be assumed.
 * **required**: false
 * **default value**: `""`
+* `role_session_name`: Session name to use when assuming an IAM role. This is recorded in CloudTrail logs for example.
+ * **required**: false
+ * **default value**: `"logstash"`
 * `initial_position_in_stream`: The value for initialPositionInStream. Accepts "TRIM_HORIZON" or "LATEST".
 * **required**: false
 * **default value**: `"TRIM_HORIZON"`
diff --git a/lib/logstash/inputs/kinesis.rb b/lib/logstash/inputs/kinesis.rb
index 31c5cca..88e0dda 100644
--- a/lib/logstash/inputs/kinesis.rb
+++ b/lib/logstash/inputs/kinesis.rb
@@ -55,9 +55,14 @@ class LogStash::Inputs::Kinesis < LogStash::Inputs::Base
 # Select AWS profile for input
 config :profile, :validate => :string
 
- # Assume a different role using STS, for example if the stream is in a different AWS account
+ # The AWS IAM Role to assume, if any.
+ # This is used to generate temporary credentials typically for cross-account access.
+ # See https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html for more information.
 config :role_arn, :validate => :string
 
+ # Session name to use when assuming an IAM role
+ config :role_session_name, :validate => :string, :default => "logstash"
+
 # Select initial_position_in_stream. Accepts TRIM_HORIZON or LATEST
 config :initial_position_in_stream, :validate => ["TRIM_HORIZON", "LATEST"], :default => "TRIM_HORIZON"
 
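Review bot: The new `role_session_name` option defaults to the fixed string `"logstash"`, so every pipeline and host that leaves it unset assumes the role under the same session name, whereas the code this commit removes from `register` built the name from `worker_id`. The README text added in this commit says the name is recorded in CloudTrail, so the comment above the option should tell operators how to keep sessions attributable, for example `# Session name to use when assuming an IAM role; recorded in CloudTrail. Set a distinct value per pipeline or host so API calls can be attributed.` The class body continues outside the hunk.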
@@ -91,8 +96,7 @@ def register
 
 # If a role ARN is set then assume the role as a new layer over the credentials already created
 unless @role_arn.nil?
- session_id = "worker" + worker_id
- kinesis_creds = com.amazonaws.auth::STSAssumeRoleSessionCredentialsProvider.new(creds, @role_arn, session_id)
+ kinesis_creds = com.amazonaws.auth::STSAssumeRoleSessionCredentialsProvider.new(creds, @role_arn, @role_session_name)
 else
 kinesis_creds = creds
 end
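Review bot: `@role_session_name` reaches `STSAssumeRoleSessionCredentialsProvider` unchecked, and the option is declared with only `:validate => :string`, so an empty or malformed value is not rejected when the plugin is registered. STS restricts RoleSessionName to 2-64 characters from `[\w+=,.@-]`, so a guard inside the `unless @role_arn.nil?` branch would fail fast with a clear message: `raise LogStash::ConfigurationError, "invalid role_session_name" unless @role_session_name =~ /\A[\w+=,.@-]{2,64}\z/`. Presumably a bad value otherwise surfaces only later as a credentials error from the provider, though that path is not visible here. `register` starts and ends outside the hunk.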