I am trying to configure Cloduwatch output plugin credentials via credential Process AWS SDKs and Tools
I have added following to ~/.aws/config file
credential_process = /root/decrypt.sh /root/key.json.enc
The intention is to use a custom decrypt script to provide the access key/secret key.
For some reason this doesn’t seem to work and report ‘no valid providers in chain’. Is there anything on telegraf code which might be preventing this ?
key is encrypted and following script is used to decrypt it.
$ /root/decrypt.sh /root/key.json.enc
PS: adding access key/secret key directly to ‘.awg/config’ seems to work. i.e paths seems to be rightly picked. Looks like the executable pointed by credential_process fails to get executed from the config.
Any input much appreciated.
Looking over the code that processes the AWS credentials, it seems Telegraf doesn’t support
credential_process at the moment. The source code in question: https://github.com/influxdata/telegraf/blob/master/config/aws/credentials.go. Can you open up a issue in the Telegraf repository requesting this feature? Thanks! Pull requests are definitely welcome if you would like to add it yourself
For more info on the current supported credentials configurations are listed in the README: telegraf/plugins/inputs/cloudwatch at master · influxdata/telegraf · GitHub
Thanks for the reply.
I believe an additional support isn’t required. It should work the same way it works when I place the credentials in ~/.aws/credentials or ~/.aws/config. right?
Only difference is when you set credential_process the credentials is made available in STDOUT. Just wondering if telegraf fails to/or prevent it-selves from reading those from STOUT? Just a thought.Can this be the case?