- Task
- Resolution: Done
- Normal
- Logging 5.5.0
- 2
- False
- None
- False
- NEW
- OBSDA-59 - CloudWatch log forwarding add-on needs to support STS installations
- VERIFIED
- Log Collection - Sprint 221, Log Collection - Sprint 222
Current format accepted, per LOG-1977:
apiVersion: v1
kind: Secret
metadata:
  namespace: openshift-logging
  name: my-secret-name
stringData:
  role_arn: arn:aws:iam::123456789012:role/my-role_with-permissions
We will update the add-on to also accept the secret format from the "using manual mode with STS" docs: https://docs.openshift.com/container-platform/4.7/authentication/managing_cloud_provider_credentials/cco-mode-sts.html
apiVersion: v1
kind: Secret
metadata:
  namespace: openshift-logging
  name: my-secret-name
stringData:
  credentials: |-
    [default]
    role_name: arn:aws:iam::123456789012:role/my-role_with-permissions
    web_identity_token_file: /var/run/secrets/openshift/serviceaccount/token
As an additional note, the current solution also accepts a secret created with the `oc create secret --from-literal` command:
oc create secret generic cw-sts-secret -n openshift-logging --from-literal=role_arn=arn:aws:iam::123456789012:role/my-role_with-permissions
This creates a secret in the following accepted format (the API server stores the literal base64-encoded under `data`):
kind: Secret
apiVersion: v1
metadata:
  name: cw-sts-secret
  namespace: openshift-logging
data:
  role_arn: >-
    YXJuOmF3czppYW06OjI2OTczEXAMPLEjpyb2xlL2NhaGFydG1hLTA2MjfoofNoaWZ0LWxvZ2dpbmctcm9sZS1mb3Itc3Rz
Acceptance Criteria
- The "credentials" key must also be accepted as a valid secret key, with the ARN encoded and correctly formatted within the string. This matches what is created via a Credential Request.
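The two accepted secret shapes above can be resolved and validated with one small routine. The following is an added example, not code from the logging operator: it reads a Secret object (as a dict decoded from YAML), handles both the base64 `data` and plain `stringData` fields, parses the `[default]` INI profile from the `credentials` key, and rejects a malformed role ARN before any STS call is attempted. The sample secrets are constructed; the acceptance of `role_arn` as an alternative spelling inside the profile and the default token path for the bare `role_arn` shape are assumptions.

```python
import base64
import configparser
import re

# Constructed sample values (not the ticket's own data).
ROLE_ARN = "arn:aws:iam::123456789012:role/my-role_with-permissions"
TOKEN_FILE = "/var/run/secrets/openshift/serviceaccount/token"

# Shape 1: bare `role_arn` key, base64-encoded under `data` as the API server stores it.
SECRET_ROLE_ARN = {"data": {"role_arn": base64.b64encode(ROLE_ARN.encode()).decode()}}

# Shape 2: `credentials` key holding the CCO manual-mode/STS INI profile.
SECRET_CREDENTIALS = {"stringData": {"credentials": (
    f"[default]\nrole_name: {ROLE_ARN}\nweb_identity_token_file: {TOKEN_FILE}\n")}}

# IAM role ARN: 12-digit account id, then role/<name or path/name>.
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _secret_values(secret):
    """Merge `data` (base64-decoded) and `stringData` into one str->str map."""
    values = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    values.update(secret.get("stringData", {}))
    return values


def resolve_sts_role(secret):
    """Return (role_arn, token_file); raise ValueError if no usable key or bad ARN."""
    values = _secret_values(secret)
    if "credentials" in values:
        ini = configparser.ConfigParser()
        ini.read_string(values["credentials"])
        section = ini["default"]  # KeyError if the [default] profile is missing
        # Assumption: accept the ticket's `role_name` spelling and `role_arn` (shape 1's key).
        role_arn = section.get("role_name") or section.get("role_arn")
        token_file = section.get("web_identity_token_file", TOKEN_FILE)
    elif "role_arn" in values:
        role_arn, token_file = values["role_arn"].strip(), TOKEN_FILE  # assumed default path
    else:
        raise ValueError("secret has neither a 'credentials' nor a 'role_arn' key")
    if not role_arn or not ARN_RE.match(role_arn):
        raise ValueError(f"malformed role ARN: {role_arn!r}")
    return role_arn, token_file


def is_valid_sts_secret(secret):
    """True when the secret resolves cleanly; False on any parse or format error."""
    try:
        resolve_sts_role(secret)
        return True
    except (ValueError, KeyError, configparser.Error, UnicodeDecodeError):
        return False
```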
- is related to: LOG-2742 unrecognized outputs when use the sts role secret (Closed)
- links to
- mentioned on