feat: Support AWS Web Identity Provider (#9411)

Alexander Krantz 2021-08-03 14:29:26 -07:00 committed by GitHub
parent 4d84142984
commit de01d37a36
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 214 additions and 250 deletions


@ -9,14 +9,16 @@ import (
) )
type CredentialConfig struct { type CredentialConfig struct {
Region string Region string `toml:"region"`
AccessKey string AccessKey string `toml:"access_key"`
SecretKey string SecretKey string `toml:"secret_key"`
RoleARN string RoleARN string `toml:"role_arn"`
Profile string Profile string `toml:"profile"`
Filename string Filename string `toml:"shared_credential_file"`
Token string Token string `toml:"token"`
EndpointURL string EndpointURL string `toml:"endpoint_url"`
RoleSessionName string `toml:"role_session_name"`
WebIdentityTokenFile string `toml:"web_identity_token_file"`
} }
func (c *CredentialConfig) Credentials() client.ConfigProvider { func (c *CredentialConfig) Credentials() client.ConfigProvider {
@ -49,6 +51,12 @@ func (c *CredentialConfig) assumeCredentials() client.ConfigProvider {
Region: aws.String(c.Region), Region: aws.String(c.Region),
Endpoint: &c.EndpointURL, Endpoint: &c.EndpointURL,
} }
config.Credentials = stscreds.NewCredentials(rootCredentials, c.RoleARN)
if c.WebIdentityTokenFile != "" {
config.Credentials = stscreds.NewWebIdentityCredentials(rootCredentials, c.RoleARN, c.RoleSessionName, c.WebIdentityTokenFile)
} else {
config.Credentials = stscreds.NewCredentials(rootCredentials, c.RoleARN)
}
return session.New(config) return session.New(config)
} }
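Review bot: The new branch in assumeCredentials switches to NewWebIdentityCredentials on nothing more than `c.WebIdentityTokenFile != ""`; the path is never checked for existence or readability, so a typo in `web_identity_token_file` is reported only when the SDK first tries to exchange the token with STS, on the first API request, instead of at plugin start. Because assumeCredentials returns only a client.ConfigProvider, an early `if _, err := os.Stat(c.WebIdentityTokenFile); err != nil { return ..., fmt.Errorf("web identity token file %q: %w", c.WebIdentityTokenFile, err) }` would need either an error return here or a check in each plugin's Init/Connect; the body of Credentials() that dispatches to this function is outside the hunk, so I cannot tell whether a token file set without `role_arn` is rejected or silently ignored, and that case deserves a validation error too. The two new struct fields should also carry doc comments, e.g. `// WebIdentityTokenFile is the path to an OIDC token; when set together with RoleARN the role is assumed via STS AssumeRoleWithWebIdentity instead of AssumeRole.` and `// RoleSessionName names the STS session; per the README, the SDK uses a timestamp when it is empty.`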


@ -23,18 +23,21 @@ API endpoint. In the following order the plugin will attempt to authenticate.
## Amazon Credentials ## Amazon Credentials
## Credentials are loaded in the following order ## Credentials are loaded in the following order
## 1) Assumed credentials via STS if role_arn is specified ## 1) Web identity provider credentials via STS if role_arn and web_identity_token_file are specified
## 2) explicit credentials from 'access_key' and 'secret_key' ## 2) Assumed credentials via STS if role_arn is specified
## 3) shared profile from 'profile' ## 3) explicit credentials from 'access_key' and 'secret_key'
## 4) environment variables ## 4) shared profile from 'profile'
## 5) shared credentials file ## 5) environment variables
## 6) EC2 Instance Profile ## 6) shared credentials file
# access_key = "" ## 7) EC2 Instance Profile
# secret_key = "" #access_key = ""
# token = "" #secret_key = ""
# role_arn = "" #token = ""
# profile = "" #role_arn = ""
# shared_credential_file = "" #web_identity_token_file = ""
#role_session_name = ""
#profile = ""
#shared_credential_file = ""
## Endpoint to make request against, the correct endpoint is automatically ## Endpoint to make request against, the correct endpoint is automatically
## determined and this option should only be set if you wish to override the ## determined and this option should only be set if you wish to override the


@ -25,14 +25,6 @@ import (
// CloudWatch contains the configuration and cache for the cloudwatch plugin. // CloudWatch contains the configuration and cache for the cloudwatch plugin.
type CloudWatch struct { type CloudWatch struct {
Region string `toml:"region"`
AccessKey string `toml:"access_key"`
SecretKey string `toml:"secret_key"`
RoleARN string `toml:"role_arn"`
Profile string `toml:"profile"`
CredentialPath string `toml:"shared_credential_file"`
Token string `toml:"token"`
EndpointURL string `toml:"endpoint_url"`
StatisticExclude []string `toml:"statistic_exclude"` StatisticExclude []string `toml:"statistic_exclude"`
StatisticInclude []string `toml:"statistic_include"` StatisticInclude []string `toml:"statistic_include"`
Timeout config.Duration `toml:"timeout"` Timeout config.Duration `toml:"timeout"`
@ -55,6 +47,8 @@ type CloudWatch struct {
queryDimensions map[string]*map[string]string queryDimensions map[string]*map[string]string
windowStart time.Time windowStart time.Time
windowEnd time.Time windowEnd time.Time
internalaws.CredentialConfig
} }
// Metric defines a simplified Cloudwatch metric. // Metric defines a simplified Cloudwatch metric.
@ -93,16 +87,19 @@ func (c *CloudWatch) SampleConfig() string {
## Amazon Credentials ## Amazon Credentials
## Credentials are loaded in the following order ## Credentials are loaded in the following order
## 1) Assumed credentials via STS if role_arn is specified ## 1) Web identity provider credentials via STS if role_arn and web_identity_token_file are specified
## 2) explicit credentials from 'access_key' and 'secret_key' ## 2) Assumed credentials via STS if role_arn is specified
## 3) shared profile from 'profile' ## 3) explicit credentials from 'access_key' and 'secret_key'
## 4) environment variables ## 4) shared profile from 'profile'
## 5) shared credentials file ## 5) environment variables
## 6) EC2 Instance Profile ## 6) shared credentials file
## 7) EC2 Instance Profile
# access_key = "" # access_key = ""
# secret_key = "" # secret_key = ""
# token = "" # token = ""
# role_arn = "" # role_arn = ""
# web_identity_token_file = ""
# role_session_name = ""
# profile = "" # profile = ""
# shared_credential_file = "" # shared_credential_file = ""
@ -258,18 +255,6 @@ func (c *CloudWatch) Gather(acc telegraf.Accumulator) error {
} }
func (c *CloudWatch) initializeCloudWatch() error { func (c *CloudWatch) initializeCloudWatch() error {
credentialConfig := &internalaws.CredentialConfig{
Region: c.Region,
AccessKey: c.AccessKey,
SecretKey: c.SecretKey,
RoleARN: c.RoleARN,
Profile: c.Profile,
Filename: c.CredentialPath,
Token: c.Token,
EndpointURL: c.EndpointURL,
}
configProvider := credentialConfig.Credentials()
proxy, err := c.HTTPProxy.Proxy() proxy, err := c.HTTPProxy.Proxy()
if err != nil { if err != nil {
return err return err
@ -295,7 +280,7 @@ func (c *CloudWatch) initializeCloudWatch() error {
} }
loglevel := aws.LogOff loglevel := aws.LogOff
c.client = cwClient.New(configProvider, cfg.WithLogLevel(loglevel)) c.client = cwClient.New(c.CredentialConfig.Credentials(), cfg.WithLogLevel(loglevel))
// Initialize regex matchers for each Dimension value. // Initialize regex matchers for each Dimension value.
for _, m := range c.Metrics { for _, m := range c.Metrics {
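Review bot: Backward compatibility of this refactor rests on the TOML decoder promoting the `toml:"region"`, `toml:"shared_credential_file"` and related tags through the anonymous `internalaws.CredentialConfig` field, but the updated tests only populate `CredentialConfig: internalaws.CredentialConfig{...}` in Go and never decode a config snippet, so a decoder that does not descend into embedded structs would silently drop every credential option (the old `CredentialPath` field in particular now depends on the tag on `Filename`). A small test that parses `region = "us-east-1"` and `shared_credential_file = "..."` into the plugin and asserts the promoted fields would pin this; the same gap applies to the KinesisConsumer, CloudWatch output, CloudWatchLogs, KinesisOutput and Timestream structs changed in this commit. As a point of style, the embedded `internalaws.CredentialConfig` is appended after the unexported cache fields (windowEnd); placing it first in the struct, where the tagged options it replaces used to be, keeps the configuration surface readable in one place.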


@ -10,6 +10,7 @@ import (
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"github.com/influxdata/telegraf/config" "github.com/influxdata/telegraf/config"
internalaws "github.com/influxdata/telegraf/config/aws"
"github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/filter"
"github.com/influxdata/telegraf/plugins/common/proxy" "github.com/influxdata/telegraf/plugins/common/proxy"
"github.com/influxdata/telegraf/testutil" "github.com/influxdata/telegraf/testutil"
@ -105,7 +106,9 @@ func TestGather(t *testing.T) {
duration, _ := time.ParseDuration("1m") duration, _ := time.ParseDuration("1m")
internalDuration := config.Duration(duration) internalDuration := config.Duration(duration)
c := &CloudWatch{ c := &CloudWatch{
Region: "us-east-1", CredentialConfig: internalaws.CredentialConfig{
Region: "us-east-1",
},
Namespace: "AWS/ELB", Namespace: "AWS/ELB",
Delay: internalDuration, Delay: internalDuration,
Period: internalDuration, Period: internalDuration,
@ -189,7 +192,9 @@ func TestSelectMetrics(t *testing.T) {
duration, _ := time.ParseDuration("1m") duration, _ := time.ParseDuration("1m")
internalDuration := config.Duration(duration) internalDuration := config.Duration(duration)
c := &CloudWatch{ c := &CloudWatch{
Region: "us-east-1", CredentialConfig: internalaws.CredentialConfig{
Region: "us-east-1",
},
Namespace: "AWS/ELB", Namespace: "AWS/ELB",
Delay: internalDuration, Delay: internalDuration,
Period: internalDuration, Period: internalDuration,


@ -13,16 +13,19 @@ and creates metrics using one of the supported [input data formats][].
## Amazon Credentials ## Amazon Credentials
## Credentials are loaded in the following order ## Credentials are loaded in the following order
## 1) Assumed credentials via STS if role_arn is specified ## 1) Web identity provider credentials via STS if role_arn and web_identity_token_file are specified
## 2) explicit credentials from 'access_key' and 'secret_key' ## 2) Assumed credentials via STS if role_arn is specified
## 3) shared profile from 'profile' ## 3) explicit credentials from 'access_key' and 'secret_key'
## 4) environment variables ## 4) shared profile from 'profile'
## 5) shared credentials file ## 5) environment variables
## 6) EC2 Instance Profile ## 6) shared credentials file
## 7) EC2 Instance Profile
# access_key = "" # access_key = ""
# secret_key = "" # secret_key = ""
# token = "" # token = ""
# role_arn = "" # role_arn = ""
# web_identity_token_file = ""
# role_session_name = ""
# profile = "" # profile = ""
# shared_credential_file = "" # shared_credential_file = ""


@ -30,14 +30,6 @@ type (
} }
KinesisConsumer struct { KinesisConsumer struct {
Region string `toml:"region"`
AccessKey string `toml:"access_key"`
SecretKey string `toml:"secret_key"`
RoleARN string `toml:"role_arn"`
Profile string `toml:"profile"`
Filename string `toml:"shared_credential_file"`
Token string `toml:"token"`
EndpointURL string `toml:"endpoint_url"`
StreamName string `toml:"streamname"` StreamName string `toml:"streamname"`
ShardIteratorType string `toml:"shard_iterator_type"` ShardIteratorType string `toml:"shard_iterator_type"`
DynamoDB *DynamoDB `toml:"checkpoint_dynamodb"` DynamoDB *DynamoDB `toml:"checkpoint_dynamodb"`
@ -62,6 +54,8 @@ type (
processContentEncodingFunc processContent processContentEncodingFunc processContent
lastSeqNum *big.Int lastSeqNum *big.Int
internalaws.CredentialConfig
} }
checkpoint struct { checkpoint struct {
@ -85,16 +79,19 @@ var sampleConfig = `
## Amazon Credentials ## Amazon Credentials
## Credentials are loaded in the following order ## Credentials are loaded in the following order
## 1) Assumed credentials via STS if role_arn is specified ## 1) Web identity provider credentials via STS if role_arn and web_identity_token_file are specified
## 2) explicit credentials from 'access_key' and 'secret_key' ## 2) Assumed credentials via STS if role_arn is specified
## 3) shared profile from 'profile' ## 3) explicit credentials from 'access_key' and 'secret_key'
## 4) environment variables ## 4) shared profile from 'profile'
## 5) shared credentials file ## 5) environment variables
## 6) EC2 Instance Profile ## 6) shared credentials file
## 7) EC2 Instance Profile
# access_key = "" # access_key = ""
# secret_key = "" # secret_key = ""
# token = "" # token = ""
# role_arn = "" # role_arn = ""
# web_identity_token_file = ""
# role_session_name = ""
# profile = "" # profile = ""
# shared_credential_file = "" # shared_credential_file = ""
@ -156,18 +153,7 @@ func (k *KinesisConsumer) SetParser(parser parsers.Parser) {
} }
func (k *KinesisConsumer) connect(ac telegraf.Accumulator) error { func (k *KinesisConsumer) connect(ac telegraf.Accumulator) error {
credentialConfig := &internalaws.CredentialConfig{ client := kinesis.New(k.CredentialConfig.Credentials())
Region: k.Region,
AccessKey: k.AccessKey,
SecretKey: k.SecretKey,
RoleARN: k.RoleARN,
Profile: k.Profile,
Filename: k.Filename,
Token: k.Token,
EndpointURL: k.EndpointURL,
}
configProvider := credentialConfig.Credentials()
client := kinesis.New(configProvider)
k.checkpoint = &noopCheckpoint{} k.checkpoint = &noopCheckpoint{}
if k.DynamoDB != nil { if k.DynamoDB != nil {


@ -6,12 +6,16 @@ This plugin will send metrics to Amazon CloudWatch.
This plugin uses a credential chain for Authentication with the CloudWatch This plugin uses a credential chain for Authentication with the CloudWatch
API endpoint. In the following order the plugin will attempt to authenticate. API endpoint. In the following order the plugin will attempt to authenticate.
1. Assumed credentials via STS if `role_arn` attribute is specified (source credentials are evaluated from subsequent rules) 1. Web identity provider credentials via STS if `role_arn` and `web_identity_token_file` are specified
2. Explicit credentials from `access_key`, `secret_key`, and `token` attributes 2. Assumed credentials via STS if `role_arn` attribute is specified (source credentials are evaluated from subsequent rules)
3. Shared profile from `profile` attribute 3. Explicit credentials from `access_key`, `secret_key`, and `token` attributes
4. [Environment Variables](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#environment-variables) 4. Shared profile from `profile` attribute
5. [Shared Credentials](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#shared-credentials-file) 5. [Environment Variables](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#environment-variables)
6. [EC2 Instance Profile](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) 6. [Shared Credentials](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#shared-credentials-file)
7. [EC2 Instance Profile](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
If you are using credentials from a web identity provider, you can specify the session name using `role_session_name`. If
left empty, the current timestamp will be used.
The IAM user needs only the `cloudwatch:PutMetricData` permission. The IAM user needs only the `cloudwatch:PutMetricData` permission.


@ -15,15 +15,6 @@ import (
) )
type CloudWatch struct { type CloudWatch struct {
Region string `toml:"region"`
AccessKey string `toml:"access_key"`
SecretKey string `toml:"secret_key"`
RoleARN string `toml:"role_arn"`
Profile string `toml:"profile"`
Filename string `toml:"shared_credential_file"`
Token string `toml:"token"`
EndpointURL string `toml:"endpoint_url"`
Namespace string `toml:"namespace"` // CloudWatch Metrics Namespace Namespace string `toml:"namespace"` // CloudWatch Metrics Namespace
HighResolutionMetrics bool `toml:"high_resolution_metrics"` HighResolutionMetrics bool `toml:"high_resolution_metrics"`
svc *cloudwatch.CloudWatch svc *cloudwatch.CloudWatch
@ -31,6 +22,8 @@ type CloudWatch struct {
WriteStatistics bool `toml:"write_statistics"` WriteStatistics bool `toml:"write_statistics"`
Log telegraf.Logger `toml:"-"` Log telegraf.Logger `toml:"-"`
internalaws.CredentialConfig
} }
type statisticType int type statisticType int
@ -159,16 +152,19 @@ var sampleConfig = `
## Amazon Credentials ## Amazon Credentials
## Credentials are loaded in the following order ## Credentials are loaded in the following order
## 1) Assumed credentials via STS if role_arn is specified ## 1) Web identity provider credentials via STS if role_arn and web_identity_token_file are specified
## 2) explicit credentials from 'access_key' and 'secret_key' ## 2) Assumed credentials via STS if role_arn is specified
## 3) shared profile from 'profile' ## 3) explicit credentials from 'access_key' and 'secret_key'
## 4) environment variables ## 4) shared profile from 'profile'
## 5) shared credentials file ## 5) environment variables
## 6) EC2 Instance Profile ## 6) shared credentials file
## 7) EC2 Instance Profile
#access_key = "" #access_key = ""
#secret_key = "" #secret_key = ""
#token = "" #token = ""
#role_arn = "" #role_arn = ""
#web_identity_token_file = ""
#role_session_name = ""
#profile = "" #profile = ""
#shared_credential_file = "" #shared_credential_file = ""
@ -202,18 +198,7 @@ func (c *CloudWatch) Description() string {
} }
func (c *CloudWatch) Connect() error { func (c *CloudWatch) Connect() error {
credentialConfig := &internalaws.CredentialConfig{ c.svc = cloudwatch.New(c.CredentialConfig.Credentials())
Region: c.Region,
AccessKey: c.AccessKey,
SecretKey: c.SecretKey,
RoleARN: c.RoleARN,
Profile: c.Profile,
Filename: c.Filename,
Token: c.Token,
EndpointURL: c.EndpointURL,
}
configProvider := credentialConfig.Credentials()
c.svc = cloudwatch.New(configProvider)
return nil return nil
} }


@ -6,12 +6,13 @@ This plugin will send logs to Amazon CloudWatch.
This plugin uses a credential chain for Authentication with the CloudWatch Logs This plugin uses a credential chain for Authentication with the CloudWatch Logs
API endpoint. In the following order the plugin will attempt to authenticate. API endpoint. In the following order the plugin will attempt to authenticate.
1. Assumed credentials via STS if `role_arn` attribute is specified (source credentials are evaluated from subsequent rules) 1. Web identity provider credentials via STS if `role_arn` and `web_identity_token_file` are specified
2. Explicit credentials from `access_key`, `secret_key`, and `token` attributes 2. Assumed credentials via STS if `role_arn` attribute is specified (source credentials are evaluated from subsequent rules)
3. Shared profile from `profile` attribute 3. Explicit credentials from `access_key`, `secret_key`, and `token` attributes
4. [Environment Variables](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#environment-variables) 4. Shared profile from `profile` attribute
5. [Shared Credentials](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#shared-credentials-file) 5. [Environment Variables](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#environment-variables)
6. [EC2 Instance Profile](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) 6. [Shared Credentials](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#shared-credentials-file)
7. [EC2 Instance Profile](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
The IAM user needs the following permissions ( https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html): The IAM user needs the following permissions ( https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html):
- `logs:DescribeLogGroups` - required for check if configured log group exist - `logs:DescribeLogGroups` - required for check if configured log group exist
@ -34,16 +35,19 @@ The IAM user needs the following permissions ( https://docs.aws.amazon.com/Amazo
## Amazon Credentials ## Amazon Credentials
## Credentials are loaded in the following order ## Credentials are loaded in the following order
## 1) Assumed credentials via STS if role_arn is specified ## 1) Web identity provider credentials via STS if role_arn and web_identity_token_file are specified
## 2) explicit credentials from 'access_key' and 'secret_key' ## 2) Assumed credentials via STS if role_arn is specified
## 3) shared profile from 'profile' ## 3) explicit credentials from 'access_key' and 'secret_key'
## 4) environment variables ## 4) shared profile from 'profile'
## 5) shared credentials file ## 5) environment variables
## 6) EC2 Instance Profile ## 6) shared credentials file
## 7) EC2 Instance Profile
#access_key = "" #access_key = ""
#secret_key = "" #secret_key = ""
#token = "" #token = ""
#role_arn = "" #role_arn = ""
#web_identity_token_file = ""
#role_session_name = ""
#profile = "" #profile = ""
#shared_credential_file = "" #shared_credential_file = ""


@ -33,15 +33,6 @@ type cloudWatchLogs interface {
// CloudWatchLogs plugin object definition // CloudWatchLogs plugin object definition
type CloudWatchLogs struct { type CloudWatchLogs struct {
Region string `toml:"region"`
AccessKey string `toml:"access_key"`
SecretKey string `toml:"secret_key"`
RoleARN string `toml:"role_arn"`
Profile string `toml:"profile"`
Filename string `toml:"shared_credential_file"`
Token string `toml:"token"`
EndpointURL string `toml:"endpoint_url"`
LogGroup string `toml:"log_group"` LogGroup string `toml:"log_group"`
lg *cloudwatchlogs.LogGroup //log group data lg *cloudwatchlogs.LogGroup //log group data
@ -59,6 +50,8 @@ type CloudWatchLogs struct {
svc cloudWatchLogs //cloudwatch logs service svc cloudWatchLogs //cloudwatch logs service
Log telegraf.Logger `toml:"-"` Log telegraf.Logger `toml:"-"`
internalaws.CredentialConfig
} }
const ( const (
@ -91,16 +84,19 @@ region = "us-east-1"
## Amazon Credentials ## Amazon Credentials
## Credentials are loaded in the following order ## Credentials are loaded in the following order
## 1) Assumed credentials via STS if role_arn is specified ## 1) Web identity provider credentials via STS if role_arn and web_identity_token_file are specified
## 2) explicit credentials from 'access_key' and 'secret_key' ## 2) Assumed credentials via STS if role_arn is specified
## 3) shared profile from 'profile' ## 3) explicit credentials from 'access_key' and 'secret_key'
## 4) environment variables ## 4) shared profile from 'profile'
## 5) shared credentials file ## 5) environment variables
## 6) EC2 Instance Profile ## 6) shared credentials file
## 7) EC2 Instance Profile
#access_key = "" #access_key = ""
#secret_key = "" #secret_key = ""
#token = "" #token = ""
#role_arn = "" #role_arn = ""
#web_identity_token_file = ""
#role_session_name = ""
#profile = "" #profile = ""
#shared_credential_file = "" #shared_credential_file = ""
@ -191,19 +187,7 @@ func (c *CloudWatchLogs) Connect() error {
var logGroupsOutput = &cloudwatchlogs.DescribeLogGroupsOutput{NextToken: &dummyToken} var logGroupsOutput = &cloudwatchlogs.DescribeLogGroupsOutput{NextToken: &dummyToken}
var err error var err error
credentialConfig := &internalaws.CredentialConfig{ c.svc = cloudwatchlogs.New(c.CredentialConfig.Credentials())
Region: c.Region,
AccessKey: c.AccessKey,
SecretKey: c.SecretKey,
RoleARN: c.RoleARN,
Profile: c.Profile,
Filename: c.Filename,
Token: c.Token,
EndpointURL: c.EndpointURL,
}
configProvider := credentialConfig.Credentials()
c.svc = cloudwatchlogs.New(configProvider)
if c.svc == nil { if c.svc == nil {
return fmt.Errorf("can't create cloudwatch logs service endpoint") return fmt.Errorf("can't create cloudwatch logs service endpoint")
} }


@ -10,6 +10,7 @@ import (
"github.com/aws/aws-sdk-go/service/cloudwatchlogs" "github.com/aws/aws-sdk-go/service/cloudwatchlogs"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
internalaws "github.com/influxdata/telegraf/config/aws"
"github.com/influxdata/telegraf/testutil" "github.com/influxdata/telegraf/testutil"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
@ -82,9 +83,11 @@ func TestInit(t *testing.T) {
name: "log group is not set", name: "log group is not set",
expectedErrorString: "log group is not set", expectedErrorString: "log group is not set",
plugin: &CloudWatchLogs{ plugin: &CloudWatchLogs{
Region: "eu-central-1", CredentialConfig: internalaws.CredentialConfig{
AccessKey: "dummy", Region: "eu-central-1",
SecretKey: "dummy", AccessKey: "dummy",
SecretKey: "dummy",
},
LogGroup: "", LogGroup: "",
LogStream: "tag:source", LogStream: "tag:source",
LDMetricName: "docker_log", LDMetricName: "docker_log",
@ -98,9 +101,11 @@ func TestInit(t *testing.T) {
name: "log stream is not set", name: "log stream is not set",
expectedErrorString: "log stream is not set", expectedErrorString: "log stream is not set",
plugin: &CloudWatchLogs{ plugin: &CloudWatchLogs{
Region: "eu-central-1", CredentialConfig: internalaws.CredentialConfig{
AccessKey: "dummy", Region: "eu-central-1",
SecretKey: "dummy", AccessKey: "dummy",
SecretKey: "dummy",
},
LogGroup: "TestLogGroup", LogGroup: "TestLogGroup",
LogStream: "", LogStream: "",
LDMetricName: "docker_log", LDMetricName: "docker_log",
@ -114,9 +119,11 @@ func TestInit(t *testing.T) {
name: "log data metrics name is not set", name: "log data metrics name is not set",
expectedErrorString: "log data metrics name is not set", expectedErrorString: "log data metrics name is not set",
plugin: &CloudWatchLogs{ plugin: &CloudWatchLogs{
Region: "eu-central-1", CredentialConfig: internalaws.CredentialConfig{
AccessKey: "dummy", Region: "eu-central-1",
SecretKey: "dummy", AccessKey: "dummy",
SecretKey: "dummy",
},
LogGroup: "TestLogGroup", LogGroup: "TestLogGroup",
LogStream: "tag:source", LogStream: "tag:source",
LDMetricName: "", LDMetricName: "",
@ -130,9 +137,11 @@ func TestInit(t *testing.T) {
name: "log data source is not set", name: "log data source is not set",
expectedErrorString: "log data source is not set", expectedErrorString: "log data source is not set",
plugin: &CloudWatchLogs{ plugin: &CloudWatchLogs{
Region: "eu-central-1", CredentialConfig: internalaws.CredentialConfig{
AccessKey: "dummy", Region: "eu-central-1",
SecretKey: "dummy", AccessKey: "dummy",
SecretKey: "dummy",
},
LogGroup: "TestLogGroup", LogGroup: "TestLogGroup",
LogStream: "tag:source", LogStream: "tag:source",
LDMetricName: "docker_log", LDMetricName: "docker_log",
@ -147,9 +156,11 @@ func TestInit(t *testing.T) {
expectedErrorString: "log data source is not properly formatted, ':' is missed.\n" + expectedErrorString: "log data source is not properly formatted, ':' is missed.\n" +
"Should be 'tag:<tag_mame>' or 'field:<field_name>'", "Should be 'tag:<tag_mame>' or 'field:<field_name>'",
plugin: &CloudWatchLogs{ plugin: &CloudWatchLogs{
Region: "eu-central-1", CredentialConfig: internalaws.CredentialConfig{
AccessKey: "dummy", Region: "eu-central-1",
SecretKey: "dummy", AccessKey: "dummy",
SecretKey: "dummy",
},
LogGroup: "TestLogGroup", LogGroup: "TestLogGroup",
LogStream: "tag:source", LogStream: "tag:source",
LDMetricName: "docker_log", LDMetricName: "docker_log",
@ -164,9 +175,11 @@ func TestInit(t *testing.T) {
expectedErrorString: "log data source is not properly formatted.\n" + expectedErrorString: "log data source is not properly formatted.\n" +
"Should be 'tag:<tag_mame>' or 'field:<field_name>'", "Should be 'tag:<tag_mame>' or 'field:<field_name>'",
plugin: &CloudWatchLogs{ plugin: &CloudWatchLogs{
Region: "eu-central-1", CredentialConfig: internalaws.CredentialConfig{
AccessKey: "dummy", Region: "eu-central-1",
SecretKey: "dummy", AccessKey: "dummy",
SecretKey: "dummy",
},
LogGroup: "TestLogGroup", LogGroup: "TestLogGroup",
LogStream: "tag:source", LogStream: "tag:source",
LDMetricName: "docker_log", LDMetricName: "docker_log",
@ -179,9 +192,11 @@ func TestInit(t *testing.T) {
{ {
name: "valid config", name: "valid config",
plugin: &CloudWatchLogs{ plugin: &CloudWatchLogs{
Region: "eu-central-1", CredentialConfig: internalaws.CredentialConfig{
AccessKey: "dummy", Region: "eu-central-1",
SecretKey: "dummy", AccessKey: "dummy",
SecretKey: "dummy",
},
LogGroup: "TestLogGroup", LogGroup: "TestLogGroup",
LogStream: "tag:source", LogStream: "tag:source",
LDMetricName: "docker_log", LDMetricName: "docker_log",
@ -225,10 +240,12 @@ func TestConnect(t *testing.T) {
defer ts.Close() defer ts.Close()
plugin := &CloudWatchLogs{ plugin := &CloudWatchLogs{
Region: "eu-central-1", CredentialConfig: internalaws.CredentialConfig{
AccessKey: "dummy", Region: "eu-central-1",
SecretKey: "dummy", AccessKey: "dummy",
EndpointURL: ts.URL, SecretKey: "dummy",
EndpointURL: ts.URL,
},
LogGroup: "TestLogGroup", LogGroup: "TestLogGroup",
LogStream: "tag:source", LogStream: "tag:source",
LDMetricName: "docker_log", LDMetricName: "docker_log",
@ -263,10 +280,12 @@ func TestWrite(t *testing.T) {
defer ts.Close() defer ts.Close()
plugin := &CloudWatchLogs{ plugin := &CloudWatchLogs{
Region: "eu-central-1", CredentialConfig: internalaws.CredentialConfig{
AccessKey: "dummy", Region: "eu-central-1",
SecretKey: "dummy", AccessKey: "dummy",
EndpointURL: ts.URL, SecretKey: "dummy",
EndpointURL: ts.URL,
},
LogGroup: "TestLogGroup", LogGroup: "TestLogGroup",
LogStream: "tag:source", LogStream: "tag:source",
LDMetricName: "docker_log", LDMetricName: "docker_log",


@ -13,12 +13,16 @@ maybe useful for users to review Amazons official documentation which is availab
This plugin uses a credential chain for Authentication with the Kinesis API endpoint. In the following order the plugin This plugin uses a credential chain for Authentication with the Kinesis API endpoint. In the following order the plugin
will attempt to authenticate. will attempt to authenticate.
1. Assumed credentials via STS if `role_arn` attribute is specified (source credentials are evaluated from subsequent rules) 1. Web identity provider credentials via STS if `role_arn` and `web_identity_token_file` are specified
2. Explicit credentials from `access_key`, `secret_key`, and `token` attributes 2. Assumed credentials via STS if `role_arn` attribute is specified (source credentials are evaluated from subsequent rules)
3. Shared profile from `profile` attribute 3. Explicit credentials from `access_key`, `secret_key`, and `token` attributes
4. [Environment Variables](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#environment-variables) 4. Shared profile from `profile` attribute
5. [Shared Credentials](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#shared-credentials-file) 5. [Environment Variables](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#environment-variables)
6. [EC2 Instance Profile](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) 6. [Shared Credentials](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#shared-credentials-file)
7. [EC2 Instance Profile](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
If you are using credentials from a web identity provider, you can specify the session name using `role_session_name`. If
left empty, the current timestamp will be used.
## Config ## Config


@ -18,15 +18,6 @@ const maxRecordsPerRequest uint32 = 500
type ( type (
KinesisOutput struct { KinesisOutput struct {
Region string `toml:"region"`
AccessKey string `toml:"access_key"`
SecretKey string `toml:"secret_key"`
RoleARN string `toml:"role_arn"`
Profile string `toml:"profile"`
Filename string `toml:"shared_credential_file"`
Token string `toml:"token"`
EndpointURL string `toml:"endpoint_url"`
StreamName string `toml:"streamname"` StreamName string `toml:"streamname"`
PartitionKey string `toml:"partitionkey"` PartitionKey string `toml:"partitionkey"`
RandomPartitionKey bool `toml:"use_random_partitionkey"` RandomPartitionKey bool `toml:"use_random_partitionkey"`
@ -36,6 +27,8 @@ type (
Log telegraf.Logger `toml:"-"` Log telegraf.Logger `toml:"-"`
serializer serializers.Serializer serializer serializers.Serializer
svc kinesisiface.KinesisAPI svc kinesisiface.KinesisAPI
internalaws.CredentialConfig
} }
Partition struct { Partition struct {
@ -51,16 +44,19 @@ var sampleConfig = `
## Amazon Credentials ## Amazon Credentials
## Credentials are loaded in the following order ## Credentials are loaded in the following order
## 1) Assumed credentials via STS if role_arn is specified ## 1) Web identity provider credentials via STS if role_arn and web_identity_token_file are specified
## 2) explicit credentials from 'access_key' and 'secret_key' ## 2) Assumed credentials via STS if role_arn is specified
## 3) shared profile from 'profile' ## 3) explicit credentials from 'access_key' and 'secret_key'
## 4) environment variables ## 4) shared profile from 'profile'
## 5) shared credentials file ## 5) environment variables
## 6) EC2 Instance Profile ## 6) shared credentials file
## 7) EC2 Instance Profile
#access_key = "" #access_key = ""
#secret_key = "" #secret_key = ""
#token = "" #token = ""
#role_arn = "" #role_arn = ""
#web_identity_token_file = ""
#role_session_name = ""
#profile = "" #profile = ""
#shared_credential_file = "" #shared_credential_file = ""
@ -130,18 +126,7 @@ func (k *KinesisOutput) Connect() error {
k.Log.Infof("Establishing a connection to Kinesis in %s", k.Region) k.Log.Infof("Establishing a connection to Kinesis in %s", k.Region)
} }
credentialConfig := &internalaws.CredentialConfig{ svc := kinesis.New(k.CredentialConfig.Credentials())
Region: k.Region,
AccessKey: k.AccessKey,
SecretKey: k.SecretKey,
RoleARN: k.RoleARN,
Profile: k.Profile,
Filename: k.Filename,
Token: k.Token,
EndpointURL: k.EndpointURL,
}
configProvider := credentialConfig.Credentials()
svc := kinesis.New(configProvider)
_, err := svc.DescribeStreamSummary(&kinesis.DescribeStreamSummaryInput{ _, err := svc.DescribeStreamSummary(&kinesis.DescribeStreamSummaryInput{
StreamName: aws.String(k.StreamName), StreamName: aws.String(k.StreamName),


@ -11,17 +11,20 @@ The Timestream output plugin writes metrics to the [Amazon Timestream] service.
region = "us-east-1" region = "us-east-1"
## Amazon Credentials ## Amazon Credentials
## Credentials are loaded in the following order: ## Credentials are loaded in the following order
## 1) Assumed credentials via STS if role_arn is specified ## 1) Web identity provider credentials via STS if role_arn and web_identity_token_file are specified
## 2) Explicit credentials from 'access_key' and 'secret_key' ## 2) Assumed credentials via STS if role_arn is specified
## 3) Shared profile from 'profile' ## 3) explicit credentials from 'access_key' and 'secret_key'
## 4) Environment variables ## 4) shared profile from 'profile'
## 5) Shared credentials file ## 5) environment variables
## 6) EC2 Instance Profile ## 6) shared credentials file
## 7) EC2 Instance Profile
#access_key = "" #access_key = ""
#secret_key = "" #secret_key = ""
#token = "" #token = ""
#role_arn = "" #role_arn = ""
#web_identity_token_file = ""
#role_session_name = ""
#profile = "" #profile = ""
#shared_credential_file = "" #shared_credential_file = ""


@ -19,15 +19,6 @@ import (
type ( type (
Timestream struct { Timestream struct {
Region string `toml:"region"`
AccessKey string `toml:"access_key"`
SecretKey string `toml:"secret_key"`
RoleARN string `toml:"role_arn"`
Profile string `toml:"profile"`
Filename string `toml:"shared_credential_file"`
Token string `toml:"token"`
EndpointURL string `toml:"endpoint_url"`
MappingMode string `toml:"mapping_mode"` MappingMode string `toml:"mapping_mode"`
DescribeDatabaseOnStart bool `toml:"describe_database_on_start"` DescribeDatabaseOnStart bool `toml:"describe_database_on_start"`
DatabaseName string `toml:"database_name"` DatabaseName string `toml:"database_name"`
@ -42,6 +33,8 @@ type (
Log telegraf.Logger Log telegraf.Logger
svc WriteClient svc WriteClient
internalaws.CredentialConfig
} }
WriteClient interface { WriteClient interface {
@ -67,16 +60,19 @@ var sampleConfig = `
## Amazon Credentials ## Amazon Credentials
## Credentials are loaded in the following order: ## Credentials are loaded in the following order:
## 1) Assumed credentials via STS if role_arn is specified ## 1) Web identity provider credentials via STS if role_arn and web_identity_token_file are specified
## 2) Explicit credentials from 'access_key' and 'secret_key' ## 2) Assumed credentials via STS if role_arn is specified
## 3) Shared profile from 'profile' ## 3) explicit credentials from 'access_key' and 'secret_key'
## 4) Environment variables ## 4) shared profile from 'profile'
## 5) Shared credentials file ## 5) environment variables
## 6) EC2 Instance Profile ## 6) shared credentials file
## 7) EC2 Instance Profile
#access_key = "" #access_key = ""
#secret_key = "" #secret_key = ""
#token = "" #token = ""
#role_arn = "" #role_arn = ""
#web_identity_token_file = ""
#role_session_name = ""
#profile = "" #profile = ""
#shared_credential_file = "" #shared_credential_file = ""
@ -225,17 +221,7 @@ func (t *Timestream) Connect() error {
t.Log.Infof("Constructing Timestream client for '%s' mode", t.MappingMode) t.Log.Infof("Constructing Timestream client for '%s' mode", t.MappingMode)
credentialConfig := &internalaws.CredentialConfig{ svc := WriteFactory(&t.CredentialConfig)
Region: t.Region,
AccessKey: t.AccessKey,
SecretKey: t.SecretKey,
RoleARN: t.RoleARN,
Profile: t.Profile,
Filename: t.Filename,
Token: t.Token,
EndpointURL: t.EndpointURL,
}
svc := WriteFactory(credentialConfig)
if t.DescribeDatabaseOnStart { if t.DescribeDatabaseOnStart {
t.Log.Infof("Describing database '%s' in region '%s'", t.DatabaseName, t.Region) t.Log.Infof("Describing database '%s' in region '%s'", t.DatabaseName, t.Region)