Comments (8)
@jtblin Thanks for your comment. Let me think about this.
from aws-fluent-plugin-kinesis.
@jtblin Thank you for waiting.
I have thought about the idea you suggested. Even if we use kms_aws_sec_key, we have to decrypt it with a properly delegated IAM user/role and store the decrypted plain secret key in the process. It means the secret key can be leaked if we put some debug method into the code.
Another idea is to use AssumeRole. This is a clean solution; however, we need to run a token vending machine in the account of the Kinesis Stream holder (and of course we need some tweaks to this plugin).
Thus, how about creating a dedicated IAM user for Kinesis data ingestion which can only do data ingestion to Kinesis, then distributing the AK/SK to producers? It might be what you are doing currently, though; it looks like a reasonable solution to me.
@imaifactory yes, you need to decrypt the keys, but that can be done using an IAM role as it can be encrypted in the same account as the client. The secret key could still be leaked if someone modifies the code to display it, so it is not entirely bulletproof, but it's OK in my opinion. Our use case is that these keys are deployed on hundreds of instances for internal services, and I'm not looking for a perfect solution but to protect against basic leakage of the credentials, which is the case as of now.
AssumeRole seems like a great option, but it only returns credentials valid for one hour. I guess you could make it so that it gets new credentials before they expire?
Re: dedicated users, as mentioned above we have hundreds of services, so creating one user per service is not a valid option in our case, and rotating the credentials would be hard to manage.
Note that this issue is mostly due to Kinesis not supporting passing the full ARN instead of the stream name, so if this is fixed soon then the issue would disappear for us, but at the moment it is a serious problem for us.
Happy to look into the AssumeRole more, or is it something that you'd be likely to do? If not do you have any particular design guideline in mind?
AssumeRole seems like a great option, but it only returns credentials valid for one hour. I guess you could make it so that it gets new credentials before they expire?
Yes. AssumeRole supports providing credentials valid for 1 hour at maximum. So we need to refresh credentials continuously in the plugin. But I think this is a reasonable and right way.
In this case, the configuration would be like this:
```
<match test.source>
  type kinesis
  stream_name STREAM
  region us-east-1
  flush_interval 1
  random_partition_key
  role_arn YOUR_ROLE_TO_BE_ASSUMED
</match>
```
I have a question for you.
http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-walkthrough-crossacct.html
We can find the steps in the web page above; you need to configure a trust policy from the Kinesis stream holder account to each client account. Is this reasonable for you?
Yes, that would be totally reasonable. And it looks like the Ruby aws-sdk already handles auto-refreshing the token, so it should be fairly simple: aws/aws-sdk-ruby#520.
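As an added example (not code from the plugin or from aws-sdk-ruby), here is the refresh behaviour the two comments above describe, written out in Ruby so the expiry handling is visible: a provider that calls AssumeRole for the configured role_arn and renews the session shortly before the one-hour credentials expire, instead of holding a long-lived AK/SK in the process. The STS client is a constructed fake so the script runs offline; the names `AssumeRoleRefresher`, `FakeSts`, `simulate_refresh`, the role ARN and the session name are assumptions of this example, not identifiers from the project.

```ruby
require 'time'

# Minimal model of an AssumeRole response. A real STS client returns an object
# whose `credentials` member carries these four fields.
Credentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :expiration)

# Constructed stand-in for an STS client (assumption: not the real aws-sdk client).
# It hands out short-lived credentials and counts how often the role was assumed.
class FakeSts
  attr_reader :calls

  def initialize(clock, lifetime_seconds: 3600)
    @clock = clock          # callable returning the current Time
    @lifetime = lifetime_seconds
    @calls = 0
  end

  def assume_role(role_arn:, role_session_name:, duration_seconds:)
    @calls += 1
    Credentials.new(
      "ASIA#{@calls}",
      "secret-#{@calls}",
      "token-#{@calls}-#{role_arn}-#{role_session_name}",
      @clock.call + [duration_seconds, @lifetime].min
    )
  end
end

# Credential provider that assumes a role and refreshes before the temporary
# credentials expire. Hypothetical class name; it mirrors what an auto-refreshing
# SDK provider does, with the refresh decision made explicit.
class AssumeRoleRefresher
  SESSION_LIFETIME = 3600   # request one hour, the lifetime discussed in the thread
  REFRESH_MARGIN   = 5 * 60 # renew this many seconds before expiry

  def initialize(sts, role_arn:, session_name:, clock: -> { Time.now }, margin: REFRESH_MARGIN)
    @sts = sts
    @role_arn = role_arn
    @session_name = session_name
    @clock = clock
    @margin = margin
    @mutex = Mutex.new      # fluentd output threads may share one provider
    @creds = nil
  end

  # Returns usable credentials, calling AssumeRole again when the cached ones
  # are missing or within the refresh margin of their expiration.
  def credentials
    @mutex.synchronize do
      refresh! if @creds.nil? || near_expiry?
      @creds
    end
  end

  private

  def near_expiry?
    @creds.expiration - @clock.call <= @margin
  end

  def refresh!
    @creds = @sts.assume_role(
      role_arn: @role_arn,
      role_session_name: @session_name,
      duration_seconds: SESSION_LIFETIME
    )
  end
end

# Drive the provider through two simulated hours and report how many times STS
# was called and which access key was in use at each point (constructed clock).
def simulate_refresh
  now = Time.utc(2024, 1, 1, 0, 0, 0)
  clock = -> { now }
  sts = FakeSts.new(clock)
  provider = AssumeRoleRefresher.new(
    sts,
    role_arn: 'arn:aws:iam::111122223333:role/KinesisProducer', # hypothetical ARN
    session_name: 'fluentd-kinesis',
    clock: clock
  )
  keys = []
  [0, 30 * 60, 54 * 60, 56 * 60, 2 * 3600].each do |offset|
    now = Time.utc(2024, 1, 1, 0, 0, 0) + offset
    keys << provider.credentials.access_key_id
  end
  { calls: sts.calls, keys: keys }
end

if __FILE__ == $PROGRAM_NAME
  p simulate_refresh
end
```

In the simulation the first call assumes the role, nothing is refreshed at 30 or 54 minutes, the key is renewed at 56 minutes (inside the five-minute margin) and again at two hours (already expired), so STS is called three times. Two points worth keeping in mind when wiring this into a real producer: the role in the stream-holder account still needs the trust policy from the walkthrough linked above, granting sts:AssumeRole to each client account's principal, and the temporary credentials are only ever held in memory, so a leak through a stray debug statement exposes at most a session that dies within the hour rather than a permanent access key.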
I will leave this open until the RubyGem is released.
Thank you for waiting. We have released it.
https://rubygems.org/gems/fluent-plugin-kinesis/versions/0.3.6
Thanks @imaifactory 👍