AWS credentials

Plugins that interact with AWS services fetch credentials from the following providers in order. Only the first provider that provides credentials is used.

All AWS plugins additionally support a role_arn (or AWS_ROLE_ARN, for Elasticsearch) configuration parameter. If specified, the fetched credentials are used to assume the given role.

Environment variables

Plugins use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (and optionally AWS_SESSION_TOKEN) environment variables if set.

Shared configuration and credentials files

Plugins read the shared config file at $AWS_CONFIG_FILE (or $HOME/.aws/config), and the shared credentials file at $AWS_SHARED_CREDENTIALS_FILE (or $HOME/.aws/credentials) to fetch the credentials for the profile named $AWS_PROFILE or $AWS_DEFAULT_PROFILE (or "default"). See Configuration and credential file settings in the AWS CLI.

The shared settings evaluate in the following order:

Setting

File

Description

credential_process

config

Linux only. See Sourcing credentials with an external process in the AWS CLI.

aws_access_key_id aws_secret_access_key aws_session_token

credentials

Access key ID and secret key to use to authenticate. The session token must be set for temporary credentials.

No other settings are supported.

EKS Web Identity Token (OIDC)

Credentials are fetched using a signed web identity token for a Kubernetes service account. See IAM roles for service accounts.

ECS HTTP credentials endpoint

Credentials are fetched for the ECS task's role. See Amazon ECS task IAM role.

EC2 instance profile credentials (IMDS)

Fetches credentials for the EC2 instance profile's role. See IAM roles for Amazon EC2. As of Fluent Bit version 1.8.8, IMDSv2 is used by default and IMDSv1 might be disabled. Prior versions of Fluent Bit require enabling IMDSv1 on EC2.

Last updated 5 hours ago