aws credentials_process doesn't work on linux about fluent-bit HOT 5 CLOSED

Can you fill out the relevant information in the template - what version of Fluent Bit are you using? It's not clear as well - are you running Linux or Windows?

from fluent-bit.

Can you fill out the relevant information in the template - what version of Fluent Bit are you using? It's not clear as well - are you running Linux or Windows?

Using latest version of Fluentbit & running on Red Hat Linux.

from fluent-bit.

Can you fill out the relevant information in the template - what version of Fluent Bit are you using? It's not clear as well - are you running Linux or Windows?

Using latest version of Fluentbit & running on Red Hat Linux.

Definitely 3.0.7 from the OSS repos, and not something Red Hat are building?
I'm guessing RHEL 8.4 looking at the kernel version?
What config are you using?

Ah you mention you're using the container so how are you running this and is it definitely the OSS version of the container? fluent/fluent-bit:3.0.7? Not something else like the AWS version or a Red Hat version?
Are you using K8S or just running in CRI-O/podman? How are you deploying that with the credential details? It looks like the profile is not mounted so trying to understand how you are supplying the details so config plus deployment info is critical here.

from fluent-bit.

Can you fill out the relevant information in the template - what version of Fluent Bit are you using? It's not clear as well - are you running Linux or Windows?

Using latest version of Fluentbit & running on Red Hat Linux.

Definitely 3.0.7 from the OSS repos, and not something Red Hat are building? I'm guessing RHEL 8.4 looking at the kernel version? What config are you using?

Ah you mention you're using the container so how are you running this and is it definitely the OSS version of the container? fluent/fluent-bit:3.0.7? Not something else like the AWS version or a Red Hat version? Are you using K8S or just running in CRI-O/podman? How are you deploying that with the credential details? It looks like the profile is not mounted so trying to understand how you are supplying the details so config plus deployment info is critical here.

RHEL Version is: (Ran this command cat /etc/redhat-release) "Red Hat Enterprise Linux release 8.4 (Ootpa)"
Here is the docker compose of the container where I am running the fluent-bit:

dev-fluentbit-dr:
container_name: fluentbit-agent
image: fluent/fluent-bit
networks:
proxy: {}
volumes:
- ./fluenbit/fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
- ./config/.aws:/root/.aws
ports:
- "24224:24224"
- "24224:24224/udp"
environment:
- AWS_PROFILE=rolesanywhere
- AWS_DEFAULT_REGION=us-east-1
- AWS_SDK_LOAD_CONFIG=1
deploy:
resources:
limits:
memory: 2gb

We are not using K8s. We are just running it onprem. The container is deployed using above docker compose.

We are using 'rolesanywhere' so our profile in the /root/.aws/config & /root/.aws/credentials looks like as below:

[rolesanywhere]
credential_process = /root/.aws/aws_signing_helper credential-process --certificate /root/.aws/certificate.pem --private-key /root/.aws/decrypted_key.pem --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:520493169785:trust-anchor/015c991f-9192-48e3-b807-2bd28fb6ba20 --profile-arn arn:aws:rolesanywhere:us-east-1:520493169785:profile/d9d5v925-965c-4b88-a670-a6a0fb43001e --role-arn arn:aws:iam::520493169785:role/rolesanywhere-dev-role
[rolesanywhere]
credential_process = /root/.aws/aws_signing_helper credential-process --certificate /root/.aws/certificate.pem --private-key /root/.aws/decrypted_key.pem --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:520493169785:trust-anchor/015c991f-9192-48e3-b807-2bd28fb6ba20 --profile-arn arn:aws:rolesanywhere:us-east-1:520493169785:profile/d9d5v925-965c-4b88-a670-a6a0fb43001e --role-arn arn:aws:iam::520493169785:role/rolesanywhere-dev-role
[default]
credential_process = /root/.aws/aws_signing_helper credential-process --certificate /root/.aws/certificate.pem --private-key /root/.aws/decrypted_key.pem --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:520493169785:trust-anchor/015c991f-9192-48e3-b807-2bd28fb6ba20 --profile-arn arn:aws:rolesanywhere:us-east-1:520493169785:profile/d9d5v925-965c-4b88-a670-a6a0fb43001e --role-arn arn:aws:iam::520493169785:role/rolesanywhere-dev-role

The AWS permissions are correct. But for some reason fluentbit is unable to parse the credential_process and get the aws access key & secret key. The error indicates fluentbit is not even executing the credential_process related code.

Please Note: The output of this command: /root/.aws/aws_signing_helper credential-process --certificate /root/.aws/certificate.pem --private-key /root/.aws/decrypted_key.pem --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:520493169785:trust-anchor/015c991f-9192-48e3-b807-2bd28fb6ba20 --profile-arn arn:aws:rolesanywhere:us-east-1:520493169785:profile/d9d5v925-965c-4b88-a670-a6a0fb43001e --role-arn arn:aws:iam::520493169785:role/rolesanywhere-dev-role
O/P (in json format): AccessKey:{value of access key}, SecretKey:{value of secret key} etc.
So nothing wrong with the command as well.

from fluent-bit.

The issue is resolved. The profile defined in config and credentials file was this:
[rolesanywhere]
credential_process = .....

whereas it should have been:
[profile rolesanywhere]
credential_process = ....

The profile keyword was missing..

from fluent-bit.