Add ability to configure lookup credentials for multiple AWS accounts #52

Open
knightsg opened this issue Oct 30, 2017 · 4 comments

@knightsg

knightsg commented Oct 30, 2017

The detail lookups configuration for this plugin only provides the option to enter credentials for a single AWS account. I am currently collecting logs from kinesis streams in multiple accounts but the detail lookup only works for one of the accounts, which means I can only filter/stream on entity types for a single AWS account.

It would be useful to have this feature as maintaining multiple AWS accounts is now a common use case.

@radykal-com
Contributor

Hello,

I agree that it would be nice to have lookups for multiple AWS accounts.

As far as I can see, this plugin should be developed taking into account that it's very common to run Graylog inside AWS infrastructure and also that it is very common to have more than one AWS account you would like to collect logs from, without forgetting that there are multiple ways to implement the authentication process (secret keys, cross accounts, IAM roles...).

Right now, the lookup processor is configured at the same level as the generic settings for the plugin.
Maybe, to implement this feature, the lookup processor should be refactored into some kind of multi-instance service with its own configuration page, allowing CRUD operations on processor instances (maybe a new configuration page for the processor, accessible from the plugin configuration page?).

@hybby

hybby commented Jan 22, 2018

👍 from me.

It'd be great if this plugin could tell that the running host was an EC2 instance and if so, provide an option to use its IAM Role instead of hardcoded credentials.

Just noticed @radykal-com's comment on #57 which addresses my use-case:

> This functionality is already implemented. If you don't specify the keys in the input config, it will try to authenticate using the roles assigned to the instance profile.

@knightsg
Author

knightsg commented Jun 4, 2018

We have a single cluster of graylog servers ingesting logs from multiple AWS accounts, so if we leave the key fields blank and it uses an IAM role, I would imagine it's still only going to use the role for the account where the graylog server is and only look up instance details from that account - is that correct? In which case, it doesn't solve the original issue, which is looking up details for logs from other AWS accounts.

@radykal-com
Contributor

Exactly, the plugin doesn't currently support running instance lookups in multiple accounts.
