[exporter/awscloudwatchlogsexporter] add external id config for role assumption #38062
Conversation
github-actions
bot
added
exporter/awscloudwatchlogs
github-actions
bot
requested review from
Aneurysm9,
boostchicken,
bryan-aguilar,
mxiamxia,
rapphil,
srprash and
wangzlei
|
This PR was marked stale due to lack of activity. It will be closed in 14 days. |
|
what is the best way to move forward with this? |
| @@ -31,6 +31,8 @@ The following settings can be optionally configured: | |||
| - `log_retention`: LogRetention is the option to set the log retention policy for only newly created CloudWatch Log Groups. Defaults to Never Expire if not specified or set to 0. Possible values for retention in days are 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 2192, 2557, 2922, 3288, or 3653. | |||
| - `tags`: Tags is the option to set tags for the CloudWatch Log Group. If specified, please add at most 50 tags. Input is a string to string map like so: { 'key': 'value' }. Keys must be between 1-128 characters and follow the regex pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]+)$`(alphanumerics, whitespace, and _.:/=+-!). Values must be between 1-256 characters and follow the regex pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`(alphanumerics, whitespace, and _.:/=+-!). [Link to tagging restrictions](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateLogGroup.html#:~:text=Required%3A%20Yes-,tags,-The%20key%2Dvalue) | |||
| - `raw_log`: Boolean default false. If set to true, only the log message will be exported to CloudWatch Logs. This needs to be set to true for [EMF logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Embedded_Metric_Format_Specification.html). | |||
| - `role_arn`: IAM role to upload logs to a different account. | |||
| - `external_id`: Shared identitier used when assuming an IAM role in an external AWS account. | |||
There was a problem hiding this comment.
Do you have any useful AWS documentation links to attach for the docs? (add to changelog subtext as well if available).
There was a problem hiding this comment.
There was a problem hiding this comment.
added links to the docs and subtext
binarymatt
force-pushed
the
awscloudwatchexporter_external_id
branch
from
b442aaa to
3ae04dd
Compare
|
|
|
@dehaansa I noticed that the codegen check is failing (btw, thanks for re-running). When I run make generate locally, i see that this readme |
Yep, update it 👍 . I hadn't actually read the error from the workflow because we've had a lot of flakiness in the build_examples CI so I just blindly clicked restart :) |
dehaansa
added
the
ready to merge
Description
When assuming a role in an external AWS account, there are cases where it's desirable to have an external id in the role assumption trust policy. This pull requests adds external id as an optional parameter when role assumption is used to retrieve AWS credentials.
This is reopening this pr
Link to tracking issue
Fixes
Testing
Documentation