Credential_process support for AWS CloudWatch plugin

Hi all,

I am trying to configure CloudWatch output plugin credentials via credential_process (AWS SDKs and Tools).
I have added the following to the ~/.aws/config file:

[default]
credential_process = /root/decrypt.sh /root/key.json.enc

The intention is to use a custom decrypt script to provide the access key/secret key.
For some reason this doesn’t seem to work and reports ‘no valid providers in chain’. Is there anything in the Telegraf code which might be preventing this?

The key is encrypted and the following script is used to decrypt it.
$ /root/decrypt.sh /root/key.json.enc
{
"Version": 1,
"AccessKeyId": "XXXXX",
"SecretAccessKey": "XXXXX"
"SessionToken": ""
}

PS: adding the access key/secret key directly to ‘.aws/config’ seems to work, i.e. the paths seem to be rightly picked. It looks like the executable pointed to by credential_process fails to get executed from the config.

Any input much appreciated.

Advance Thanks
-KP

Looking over the code that processes the AWS credentials, it seems Telegraf doesn’t support credential_process at the moment. The source code in question: https://github.com/influxdata/telegraf/blob/master/config/aws/credentials.go. Can you open up an issue in the Telegraf repository requesting this feature? Thanks! Pull requests are definitely welcome if you would like to add it yourself.

The currently supported credential configurations are listed in the README: telegraf/plugins/inputs/cloudwatch at master · influxdata/telegraf · GitHub

Thanks for the reply.
I believe additional support isn’t required. It should work the same way it works when I place the credentials in ~/.aws/credentials or ~/.aws/config, right?

The only difference is that when you set credential_process the credentials are made available on STDOUT. Just wondering if Telegraf fails to read, or prevents itself from reading, those from STDOUT? Just a thought. Can this be the case?
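
A check for the JSON document that a credential_process command writes to stdout, added here as an example; it is not code from the thread or from Telegraf. The helper name `checkProcessOutput` and both sample documents are constructed, and the field rules (Version 1, required key fields, optional SessionToken and Expiration) follow the AWS SDK documentation for credential_process.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// processOutput mirrors the JSON document AWS documents for credential_process.
type processOutput struct {
	Version         int
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string     // optional
	Expiration      *time.Time // optional, RFC 3339 timestamp
}

// checkProcessOutput (hypothetical helper) validates what a credential_process
// command wrote to stdout. Error messages never include the secret values.
func checkProcessOutput(stdout []byte) error {
	var out processOutput
	if err := json.Unmarshal(stdout, &out); err != nil {
		return fmt.Errorf("stdout is not valid JSON: %w", err)
	}
	switch {
	case out.Version != 1:
		return fmt.Errorf("Version must be 1, got %d", out.Version)
	case out.AccessKeyId == "":
		return errors.New("AccessKeyId is missing or empty")
	case out.SecretAccessKey == "":
		return errors.New("SecretAccessKey is missing or empty")
	case out.Expiration != nil && !out.Expiration.After(time.Now()):
		return errors.New("Expiration is already in the past")
	}
	return nil
}

// Constructed samples with placeholder values: one well-formed document and
// one with a comma missing between two fields.
const goodSample = `{"Version": 1, "AccessKeyId": "AKIDEXAMPLE", "SecretAccessKey": "placeholder", "SessionToken": ""}`
const badSample = `{"Version": 1, "AccessKeyId": "AKIDEXAMPLE", "SecretAccessKey": "placeholder" "SessionToken": ""}`

func main() {
	fmt.Println("good:", checkProcessOutput([]byte(goodSample)))
	fmt.Println("bad: ", checkProcessOutput([]byte(badSample)))
}
```

Running the helper script by hand and piping its output through a check like this separates "the script emits a malformed document" from "the consumer never invokes the script".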