luckybird

Reputation: 249

Kinesis input stream into Logstash dynamodb creds

I'm looking to get Logstash input from Kinesis but I'm getting DynamoDB errors. Auth (https://github.com/logstash-plugins/logstash-input-kinesis#authentication) is defined in ~/.aws/credentials, and the user has full DynamoDB access.

Logstash version 7.16.2, running inside a Docker container.

logstash | at java.lang.Thread.run(Thread.java:829) [?:?]
logstash | Caused by: com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException: User: arn:aws:sts::xxx:assumed-role/AmazonSSMRoleForInstancesQuickSetup/i-01xxxxxxx is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-west-1:xxxxxxxxxx:table/logstash-kinesis because no identity-based policy allows the dynamodb:DescribeTable action (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: A814QENJD5FKI67BFCMQN9J7B7VV4KQNSO5AEMVJF66Q9ASUAAJG; Proxy: null)
logstash | at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1819) ~[aws-java-sdk-core-1.11.1034.jar:?]

===================================================

input {
  kinesis {
    kinesis_stream_name => "logstash-kinesis"
    application_name => "logstash-kinesis"
    region => "us-west-2"
    codec => cloudwatch_logs
  }
}

Upvotes: 1

Views: 207

Answers (1)

luckybird

Reputation: 249

I was able to resolve this after adding role_arn to the input section, as it was using the IAM role AmazonSSMRoleForInstancesQuickSetup attached to the instance.

role_arn => "arn:aws:iam::xxx"

Also update this role's trust relationship:
"Principal": { "Service": "kinesis.amazonaws.com", "AWS": "arn:aws:iam::xxxx:role/AmazonSSMRoleForInstancesQuickSetup" }

Upvotes: 1
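An added example, not part of the original posts or the plugin's code: a small parser for the AccessDeniedException line quoted in the question. It shows which principal the SDK actually signed the request with (here an EC2 instance role session rather than the identity in ~/.aws/credentials) and builds a policy scoped to the denied action and table. The function names are hypothetical and the sample log is the question's line, abridged.

```python
import json
import re

# Constructed sample: a stack frame plus the denial line from the question (abridged).
SAMPLE_LOG = [
    "logstash | at java.lang.Thread.run(Thread.java:829) [?:?]",
    "logstash | Caused by: com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException: "
    "User: arn:aws:sts::xxx:assumed-role/AmazonSSMRoleForInstancesQuickSetup/i-01xxxxxxx "
    "is not authorized to perform: dynamodb:DescribeTable on resource: "
    "arn:aws:dynamodb:us-west-1:xxxxxxxxxx:table/logstash-kinesis because no identity-based "
    "policy allows the dynamodb:DescribeTable action (Service: AmazonDynamoDBv2; Status Code: 400)",
]

DENIAL_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:sts|iam)::[^\s:]*:\S+) "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+) "
    r"on resource: (?P<resource>arn:aws:\S+)"
    r"(?: because (?P<reason>.+?))?(?= \(Service:|$)"
)

def parse_denial(line):
    """Return principal, action, resource and reason from a denial line, or None."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    # sts ...:assumed-role/<role>/<session> means temporary role credentials were used.
    kind, _, rest = d["principal"].split(":", 5)[5].partition("/")
    role, _, session = rest.partition("/") if kind == "assumed-role" else (rest, "", "")
    d.update(principal_type=kind, name=role, session=session or None)
    return d

def from_instance_profile(denial):
    """True for an EC2 instance role session, whose session name is the instance ID."""
    return denial["principal_type"] == "assumed-role" and (denial["session"] or "").startswith("i-")

def scoped_policy(denials):
    """Build a policy allowing only the denied actions, grouped per resource."""
    by_resource = {}
    for d in denials:
        by_resource.setdefault(d["resource"], set()).add(d["action"])
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": res}
                          for res, actions in sorted(by_resource.items())]}

if __name__ == "__main__":
    found = [d for d in map(parse_denial, SAMPLE_LOG) if d]
    print([(d["name"], from_instance_profile(d)) for d in found])
    print(json.dumps(scoped_policy(found), indent=2))
```

The consumer will typically hit further denials on the same table after the first one is fixed, so feed each new denial line back in to grow the policy without resorting to full DynamoDB access.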
