Both S3 input/output plugin provide several credential methods for authentication/authorization.
These parameters are required when your agent is not running on EC2 instance with an IAM Role. When using an IAM role, make sure to configure instance_profile_credentials
. Usage can be found below.
AWS access key id.
AWS secret key.
Typically, you use AssumeRole for cross-account access or federation.
<match *>
@type s3
<assume_role_credentials>
role_arn ROLE_ARN
role_session_name ROLE_SESSION_NAME
</assume_role_credentials>
</match>
See also:
The Amazon Resource Name (ARN) of the role to assume.
An identifier for the assumed role session.
An IAM policy in JSON format.
The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set to 3600 seconds.
A unique identifier that is used by third parties when assuming roles in their customers' accounts.
Similar to the assume_role_credentials, but for usage in EKS.
<match *>
@type s3
<web_identity_credentials>
role_arn ROLE_ARN
role_session_name ROLE_SESSION_NAME
web_identity_token_file AWS_WEB_IDENTITY_TOKEN_FILE
</web_identity_credentials>
</match>
See also:
- Using IAM Roles - AWS Identity and Access Management
- IAM Roles For Service Accounts
- Aws::STS::Client
- Aws::AssumeRoleWebIdentityCredentials
The Amazon Resource Name (ARN) of the role to assume.
An identifier for the assumed role session.
The absolute path to the file on disk containing the OIDC token
An IAM policy in JSON format.
The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 43200 seconds (12 hours). By default, the value is set to 3600 seconds.
Retrieve temporary security credentials via HTTP request. This is useful on EC2 instance.
<match *>
@type s3
<instance_profile_credentials>
ip_address IP_ADDRESS
port PORT
</instance_profile_credentials>
</match>
See also:
- Aws::InstanceProfileCredentials
- Temporary Security Credentials - AWS Identity and Access Management
- Instance Metadata and User Data - Amazon Elastic Compute Cloud
Number of times to retry when retrieving credentials. Default is 5.
Default is 169.254.169.254.
Default is 80.
Default is 5.
Default is 5.
This loads AWS access credentials from local ini file. This is useful for local developing.
<match *>
@type s3
<shared_credentials>
path PATH
profile_name PROFILE_NAME
</shared_credentials>
</match>
See also:
Path to the shared file. Defaults to "#{Dir.home}/.aws/credentials".
Defaults to 'default' or [ENV]('AWS_PROFILE')
.