AWS credentials
Last updated
Was this helpful?
Last updated
Was this helpful?
Plugins that interact with AWS services fetch credentials from the following providers in order. Only the first provider that provides credentials is used.
All AWS plugins additionally support a role_arn (or AWS_ROLE_ARN, for ) configuration parameter. If specified, the fetched credentials are used to assume the given role.
Plugins use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (and optionally AWS_SESSION_TOKEN) environment variables if set.
Plugins read the shared config file at $AWS_CONFIG_FILE (or $HOME/.aws/config), and the shared credentials file at $AWS_SHARED_CREDENTIALS_FILE (or $HOME/.aws/credentials) to fetch the credentials for the profile named $AWS_PROFILE or $AWS_DEFAULT_PROFILE (or "default"). See .
The shared settings evaluate in the following order:
credential_process
config
aws_access_key_id
aws_secret_access_key
aws_session_token
credentials
Access key ID and secret key to use to authenticate. The session token must be set for temporary credentials.
No other settings are supported.
Linux only. See .
Credentials are fetched using a signed web identity token for a Kubernetes service account. See .
Credentials are fetched for the ECS task's role. See .
Fetches credentials for the EC2 instance profile's role. See . As of Fluent Bit version 1.8.8, IMDSv2 is used by default and IMDSv1 might be disabled. Prior versions of Fluent Bit require enabling IMDSv1 on EC2.