Plugins that interact with AWS services fetch credentials from the following providers in order. Only the first provider that provides credentials is used.
All AWS plugins additionally support a role_arn (or AWS_ROLE_ARN, for Elasticsearch) configuration parameter. If specified, the fetched credentials are used to assume the given role.
Plugins use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (and optionally AWS_SESSION_TOKEN) environment variables if set.
Plugins read the shared config file at $AWS_CONFIG_FILE (or $HOME/.aws/config), and the shared credentials file at $AWS_SHARED_CREDENTIALS_FILE (or $HOME/.aws/credentials) to fetch the credentials for the profile named $AWS_PROFILE or $AWS_DEFAULT_PROFILE (or "default"). See Configuration and credential file settings in the AWS CLI.
The shared settings evaluate in the following order:
credential_process
config
aws_access_key_id
aws_secret_access_key
aws_session_token
credentials
Access key ID and secret key to use to authenticate. The session token must be set for temporary credentials.
No other settings are supported.
Credentials are fetched using a signed web identity token for a Kubernetes service account. See IAM roles for service accounts.
Credentials are fetched for the ECS task's role. See Amazon ECS task IAM role.
Fetches credentials for the EC2 instance profile's role. See IAM roles for Amazon EC2. As of Fluent Bit version 1.8.8, IMDSv2 is used by default and IMDSv1 might be disabled. Prior versions of Fluent Bit require enabling IMDSv1 on EC2.
Linux only. See .