Stefano Lazzaro

Reputation: 487

HOWTO Fluent Bit OUTPUT to multiple Kinesis Firehose on multiple AWS accounts

I'm trying to send the same logs to multiple Kinesis Firehose streams on multiple AWS accounts via Fluent Bit v1.8.12. How can I use the role_arn property of the kinesis_firehose OUTPUT correctly? I'm able to send to Firehose A but not to Firehose B. Also, role A on AWS account A can assume role B on AWS account B. This is what I'm trying to do:


This is the Fluent Bit OUTPUT configuration:

[OUTPUT]
    Name              kinesis_firehose
    Match             aaa
    region            eu-west-1
    delivery_stream   a
    time_key          time  
    role_arn          arn:aws:iam::11111111111:role/role-a

# THIS ONE DOES NOT WORK
[OUTPUT]
    Name              kinesis_firehose
    Match             bbb
    region            eu-west-1
    delivery_stream   b
    time_key          time  
    role_arn          arn:aws:iam::22222222222:role/role-b

The Fluent Bit pod logs say:

[2022/06/21 15:03:12] [error] [aws_credentials] STS assume role request failed
[2022/06/21 15:03:12] [ warn] [aws_credentials] No cached credentials are available and a credential refresh is already in progress. The current co-routine will retry.
[2022/06/21 15:03:12] [error] [signv4] Provider returned no credentials, service=firehose
[2022/06/21 15:03:12] [error] [aws_client] could not sign request
[2022/06/21 15:03:12] [error] [output:kinesis_firehose:kinesis_firehose.1] Failed to send log records to b
[2022/06/21 15:03:12] [error] [output:kinesis_firehose:kinesis_firehose.1] Failed to send log records
[2022/06/21 15:03:12] [error] [output:kinesis_firehose:kinesis_firehose.1] Failed to send records

Upvotes: 0

Views: 2243

Answers (1)

Stefano Lazzaro

Reputation: 487

The problem was that I didn't know which role the fluent-bit pod was assuming. Enabling fluent-bit debug logs helped me.

It appears that fluent-bit assumes a particular role x that includes many EKS policies. I added to this role a policy that lets role x assume both role a (which can write to Kinesis in AWS account A) and role b (which can write to Kinesis in AWS account B). No changes were made to the fluent-bit configuration.

The solution is painted below.

Upvotes: 1
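Why the fix in the answer works, as an added example that is not part of the original post or of Fluent Bit itself: Fluent Bit's aws_credentials provider calls sts:AssumeRole on each output's role_arn directly from the pod's base credentials (the role the answer calls "role x"); it never chains through role-a to reach role-b, so "role A can assume role B" is irrelevant to the call that failed. A cross-account AssumeRole succeeds only when two documents agree: the caller's identity policy must allow sts:AssumeRole on the target ARN, and the target role's trust policy must name the caller as a principal. The small model below evaluates both halves for the two roles in the post. The ARN of role x, its identity policy and the three trust policies are constructed for illustration (the post shows neither the real role x nor any trust policy); the "before" trust policy for role-b reproduces the case where only role-a, not the pod's real role, was trusted.

```python
"""Simplified two-sided check for a cross-account sts:AssumeRole.

Models the rule IAM applies when the caller and the target role live in
different accounts: the caller's identity policy AND the target's trust
policy must both allow the call. Explicit Deny is honoured; conditions,
permission boundaries and SCPs are out of scope for this illustration.
"""
from fnmatch import fnmatchcase

# Constructed placeholders. ROLE_A / ROLE_B follow the post; ROLE_X is an
# assumed name for the role the fluent-bit pod actually holds (IRSA or node role).
ROLE_X = "arn:aws:iam::11111111111:role/eks-fluent-bit-x"
ROLE_A = "arn:aws:iam::11111111111:role/role-a"
ROLE_B = "arn:aws:iam::22222222222:role/role-b"

# Identity policy attached to role x after the fix described in the answer.
ROLE_X_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [ROLE_A, ROLE_B],
    }],
}

# Trust policies on the target roles (assumed; the post does not show them).
TRUST_A = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_X}, "Action": "sts:AssumeRole"}]}
TRUST_B_BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_A}, "Action": "sts:AssumeRole"}]}
TRUST_B_AFTER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": [ROLE_A, ROLE_X]}, "Action": "sts:AssumeRole"}]}


def _as_list(value):
    """IAM allows a single string where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def identity_allows(policy, action, resource):
    """Evaluate an identity policy: any matching Deny wins, else any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_allows(trust_policy, caller_arn):
    """Does the target's trust policy list the caller role (or its account root)?"""
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        principals = _as_list(st["Principal"].get("AWS", []))
        if caller_arn in principals or account_root in principals:
            return True
    return False


def diagnose(caller_arn, caller_policy, target_arn, target_trust):
    """Name the side that blocks the call; 'ok' when both halves agree."""
    if not identity_allows(caller_policy, "sts:AssumeRole", target_arn):
        return "caller identity policy lacks sts:AssumeRole on target"
    if not trust_allows(target_trust, caller_arn):
        return "target trust policy does not trust caller"
    return "ok"


def can_assume(caller_arn, caller_policy, target_arn, target_trust):
    """True only when the caller may obtain credentials for target_arn."""
    return diagnose(caller_arn, caller_policy, target_arn, target_trust) == "ok"


if __name__ == "__main__":
    for name, trust in (("role-b before", TRUST_B_BEFORE), ("role-b after", TRUST_B_AFTER)):
        print(name, "->", diagnose(ROLE_X, ROLE_X_POLICY, ROLE_B, trust))
```

The practical check mirrors the answer: first find out which role the pod really holds (setting `log_level debug` in the Fluent Bit `[SERVICE]` section makes the aws_credentials provider log which credential source it picked), then confirm that this exact role is both allowed by its own identity policy to call sts:AssumeRole on every configured role_arn and named in each target role's trust policy. A failure on either side surfaces in Fluent Bit only as the generic "STS assume role request failed" line shown in the question.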
