diff --git a/changelog.d/aws-auth-session-token.enhancement.md b/changelog.d/aws-auth-session-token.enhancement.md
new file mode 100644
index 0000000000000..5d49320932445
--- /dev/null
+++ b/changelog.d/aws-auth-session-token.enhancement.md
@@ -0,0 +1,3 @@
+Adds support for session tokens in AWS authentication options. When using temporary credentials (access key, secret key, and session token), the session token is required. Temporary credentials can be provided by an external system and updated using the `SECRET` backend.
+
+authors: anil-db
diff --git a/src/aws/auth.rs b/src/aws/auth.rs
index 1b8aa111eec33..4dd00f5cdbc24 100644
--- a/src/aws/auth.rs
+++ b/src/aws/auth.rs
@@ -71,6 +71,11 @@ pub enum AwsAuthentication {
 #[configurable(metadata(docs::examples = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"))]
 secret_access_key: SensitiveString,
 
+ /// The AWS session token.
+ /// See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html)
+ #[configurable(metadata(docs::examples = "AQoDYXdz...AQoDYXdz..."))]
+ session_token: Option,
+
 /// The ARN of an [IAM role][iam_role] to assume.
 ///
 /// [iam_role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
@@ -275,11 +280,12 @@ impl AwsAuthentication {
 external_id,
 region,
 session_name,
+ session_token,
 } => {
 let provider = SharedCredentialsProvider::new(Credentials::from_keys(
 access_key_id.inner(),
 secret_access_key.inner(),
- None,
+ session_token.clone().map(|v| v.inner().into()),
 ));
 if let Some(assume_role) = assume_role {
 let auth_region = region.clone().map(Region::new).unwrap_or(service_region);
@@ -372,6 +378,7 @@ impl AwsAuthentication {
 external_id: None,
 region: None,
 session_name: None,
+ session_token: None,
 }
 }
 }
diff --git a/website/cue/reference/base/configuration.cue b/website/cue/reference/base/configuration.cue
index 4bd38192b11b7..ae4998cc0078b 100644
--- a/website/cue/reference/base/configuration.cue
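Review bot: In `src/aws/auth.rs`, hunk `@@ -71,6 +71,11 @@`, the doc comment on the new `session_token` field does not say when the field applies or that the value is short-lived. The changelog in this commit calls the token required for temporary credentials, yet the field is optional and nothing in the visible hunks rejects a temporary key pair supplied without it, so the doc should carry that rule: `/// The AWS session token, required when the access key and secret key are temporary credentials.`, then a blank `///` line before the existing `See` link. The field's type parameter is not legible on this page; the `.inner()` call in the next hunk suggests a redacting secret wrapper like the one on `secret_access_key`, which is what keeps the token out of serialized config and logs. The enum body starts and ends outside the hunk.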
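Review bot: In `src/aws/auth.rs`, hunk `@@ -275,11 +280,12 @@`, `session_token.clone().map(|v| v.inner().into())` clones the whole secret wrapper only to copy the string out of it again; `session_token.as_ref().map(|v| v.inner().into()),` produces the same value with one fewer copy of the token in memory. The credentials built here are static, so as far as this hunk shows nothing tells the provider when the temporary credentials expire; if that is the behaviour, a comment such as `// Static credentials: an expired session token is only replaced when the config is reloaded.` above the `from_keys` call would make it explicit. The match arm starts and ends outside the hunk.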
+++ b/website/cue/reference/base/configuration.cue @@ -364,6 +364,14 @@ base: configuration: configuration: { """ required: false } + session_token: { + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + } credentials_file: { type: string: examples: ["/my/aws/credentials"] description: "Path to the credentials file." diff --git a/website/cue/reference/components/sinks/base/aws_cloudwatch_logs.cue b/website/cue/reference/components/sinks/base/aws_cloudwatch_logs.cue index 7b53d05fa3455..4b4bdc8682ebb 100644 --- a/website/cue/reference/components/sinks/base/aws_cloudwatch_logs.cue +++ b/website/cue/reference/components/sinks/base/aws_cloudwatch_logs.cue @@ -139,6 +139,14 @@ base: components: sinks: aws_cloudwatch_logs: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } batch: { diff --git a/website/cue/reference/components/sinks/base/aws_cloudwatch_metrics.cue b/website/cue/reference/components/sinks/base/aws_cloudwatch_metrics.cue index c2ced75b95861..f766635907dd8 100644 --- a/website/cue/reference/components/sinks/base/aws_cloudwatch_metrics.cue +++ b/website/cue/reference/components/sinks/base/aws_cloudwatch_metrics.cue 
@@ -139,6 +139,14 @@ base: components: sinks: aws_cloudwatch_metrics: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } batch: { diff --git a/website/cue/reference/components/sinks/base/aws_kinesis_firehose.cue b/website/cue/reference/components/sinks/base/aws_kinesis_firehose.cue index b3319428648ba..889738a70b18d 100644 --- a/website/cue/reference/components/sinks/base/aws_kinesis_firehose.cue +++ b/website/cue/reference/components/sinks/base/aws_kinesis_firehose.cue @@ -139,6 +139,14 @@ base: components: sinks: aws_kinesis_firehose: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } batch: { diff --git a/website/cue/reference/components/sinks/base/aws_kinesis_streams.cue b/website/cue/reference/components/sinks/base/aws_kinesis_streams.cue index fb53b59f1b3d1..21fb8838e725e 100644 --- a/website/cue/reference/components/sinks/base/aws_kinesis_streams.cue +++ b/website/cue/reference/components/sinks/base/aws_kinesis_streams.cue @@ -139,6 +139,14 @@ base: components: sinks: aws_kinesis_streams: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } batch: { 
diff --git a/website/cue/reference/components/sinks/base/aws_s3.cue b/website/cue/reference/components/sinks/base/aws_s3.cue index c7ebd5f2fe1ba..a79cecf594b2d 100644 --- a/website/cue/reference/components/sinks/base/aws_s3.cue +++ b/website/cue/reference/components/sinks/base/aws_s3.cue @@ -214,6 +214,14 @@ base: components: sinks: aws_s3: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } batch: { diff --git a/website/cue/reference/components/sinks/base/aws_sns.cue b/website/cue/reference/components/sinks/base/aws_sns.cue index 8953e1893f24d..8d183c33d9b04 100644 --- a/website/cue/reference/components/sinks/base/aws_sns.cue +++ b/website/cue/reference/components/sinks/base/aws_sns.cue @@ -139,6 +139,14 @@ base: components: sinks: aws_sns: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } encoding: { diff --git a/website/cue/reference/components/sinks/base/aws_sqs.cue b/website/cue/reference/components/sinks/base/aws_sqs.cue index 0fcfe80f4f0b0..0493d2ede171f 100644 --- a/website/cue/reference/components/sinks/base/aws_sqs.cue +++ b/website/cue/reference/components/sinks/base/aws_sqs.cue 
@@ -139,6 +139,14 @@ base: components: sinks: aws_sqs: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } encoding: { diff --git a/website/cue/reference/components/sinks/base/clickhouse.cue b/website/cue/reference/components/sinks/base/clickhouse.cue index e93b7e417bf07..91a979158b87b 100644 --- a/website/cue/reference/components/sinks/base/clickhouse.cue +++ b/website/cue/reference/components/sinks/base/clickhouse.cue @@ -149,6 +149,14 @@ base: components: sinks: clickhouse: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } password: { diff --git a/website/cue/reference/components/sinks/base/databend.cue b/website/cue/reference/components/sinks/base/databend.cue index 54033a7968da8..2023fdb8ba7d2 100644 --- a/website/cue/reference/components/sinks/base/databend.cue +++ b/website/cue/reference/components/sinks/base/databend.cue @@ -144,6 +144,14 @@ base: components: sinks: databend: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } password: { 
diff --git a/website/cue/reference/components/sinks/base/elasticsearch.cue b/website/cue/reference/components/sinks/base/elasticsearch.cue index c2340f11a1340..03f5e686e0a30 100644 --- a/website/cue/reference/components/sinks/base/elasticsearch.cue +++ b/website/cue/reference/components/sinks/base/elasticsearch.cue @@ -182,6 +182,15 @@ base: components: sinks: elasticsearch: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + relevant_when: "strategy = \"aws\"" + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } strategy: { description: """ The authentication strategy to use. diff --git a/website/cue/reference/components/sinks/base/http.cue b/website/cue/reference/components/sinks/base/http.cue index 402db85cfc8da..006f535cd6cb9 100644 --- a/website/cue/reference/components/sinks/base/http.cue +++ b/website/cue/reference/components/sinks/base/http.cue @@ -149,6 +149,14 @@ base: components: sinks: http: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } password: { diff --git a/website/cue/reference/components/sinks/base/loki.cue b/website/cue/reference/components/sinks/base/loki.cue index e846d91dfb300..9dfb3e6b51500 100644 --- a/website/cue/reference/components/sinks/base/loki.cue +++ b/website/cue/reference/components/sinks/base/loki.cue 
@@ -149,6 +149,14 @@ base: components: sinks: loki: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } password: { diff --git a/website/cue/reference/components/sinks/base/opentelemetry.cue b/website/cue/reference/components/sinks/base/opentelemetry.cue index de87314957157..fcb438b6c835b 100644 --- a/website/cue/reference/components/sinks/base/opentelemetry.cue +++ b/website/cue/reference/components/sinks/base/opentelemetry.cue @@ -152,6 +152,14 @@ base: components: sinks: opentelemetry: configuration: protocol: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } password: { diff --git a/website/cue/reference/components/sinks/base/prometheus_exporter.cue b/website/cue/reference/components/sinks/base/prometheus_exporter.cue index 23b073699ba7b..50f16c511e1a9 100644 --- a/website/cue/reference/components/sinks/base/prometheus_exporter.cue +++ b/website/cue/reference/components/sinks/base/prometheus_exporter.cue @@ -161,6 +161,14 @@ base: components: sinks: prometheus_exporter: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } password: { 
diff --git a/website/cue/reference/components/sinks/base/prometheus_remote_write.cue b/website/cue/reference/components/sinks/base/prometheus_remote_write.cue index 4ca726cbd445b..519e55e0c32d8 100644 --- a/website/cue/reference/components/sinks/base/prometheus_remote_write.cue +++ b/website/cue/reference/components/sinks/base/prometheus_remote_write.cue @@ -155,6 +155,15 @@ base: components: sinks: prometheus_remote_write: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + relevant_when: "strategy = \"aws\"" + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } strategy: { description: "The authentication strategy to use." required: true diff --git a/website/cue/reference/components/sinks/base/websocket.cue b/website/cue/reference/components/sinks/base/websocket.cue index 301315bbf9ea1..d6cadf59f1fbc 100644 --- a/website/cue/reference/components/sinks/base/websocket.cue +++ b/website/cue/reference/components/sinks/base/websocket.cue @@ -149,6 +149,14 @@ base: components: sinks: websocket: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } password: { diff --git a/website/cue/reference/components/sources/base/aws_s3.cue b/website/cue/reference/components/sources/base/aws_s3.cue index 8b3da586e11e8..e49d52b08c818 100644 --- a/website/cue/reference/components/sources/base/aws_s3.cue +++ b/website/cue/reference/components/sources/base/aws_s3.cue 
@@ -134,6 +134,14 @@ base: components: sources: aws_s3: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } compression: { diff --git a/website/cue/reference/components/sources/base/aws_sqs.cue b/website/cue/reference/components/sources/base/aws_sqs.cue index 9c713b33b2bd4..bc717121c5f09 100644 --- a/website/cue/reference/components/sources/base/aws_sqs.cue +++ b/website/cue/reference/components/sources/base/aws_sqs.cue @@ -134,6 +134,14 @@ base: components: sources: aws_sqs: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } client_concurrency: { diff --git a/website/cue/reference/components/sources/base/http_client.cue b/website/cue/reference/components/sources/base/http_client.cue index 5718041692c20..290740a94ac1a 100644 --- a/website/cue/reference/components/sources/base/http_client.cue +++ b/website/cue/reference/components/sources/base/http_client.cue @@ -118,6 +118,14 @@ base: components: sources: http_client: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } password: { 
diff --git a/website/cue/reference/components/sources/base/nginx_metrics.cue b/website/cue/reference/components/sources/base/nginx_metrics.cue index 57fb2200f7234..12cb35c733faf 100644 --- a/website/cue/reference/components/sources/base/nginx_metrics.cue +++ b/website/cue/reference/components/sources/base/nginx_metrics.cue @@ -123,6 +123,14 @@ base: components: sources: nginx_metrics: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } password: { diff --git a/website/cue/reference/components/sources/base/prometheus_scrape.cue b/website/cue/reference/components/sources/base/prometheus_scrape.cue index 396aa751a7ee9..ecaff2a727185 100644 --- a/website/cue/reference/components/sources/base/prometheus_scrape.cue +++ b/website/cue/reference/components/sources/base/prometheus_scrape.cue @@ -123,6 +123,14 @@ base: components: sources: prometheus_scrape: configuration: { required: false type: string: examples: ["vector-indexer-role"] } + session_token: { + description: """ + The AWS session token. + See [AWS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + """ + required: false + type: string: examples: ["AQoDYXdz...AQoDYXdz..."] + } } } password: {