Plugins that interact with AWS services fetch credentials from the following providers, in this order. Only the first provider that returns credentials is used; the remaining providers are not consulted.
- Environment variables
- Shared configuration and credentials files
- EKS Web Identity Token (OIDC)
- ECS HTTP credentials endpoint
- EKS Pod Identity
- EC2 Instance Profile Credentials (IMDS)
- AWS Greengrass credentials
All AWS plugins additionally support a role_arn (or AWS_ROLE_ARN, for Elasticsearch) configuration parameter. If specified, the credentials obtained from the chain above are used only to call STS AssumeRole for the given role, and the plugin signs its requests with the temporary credentials that call returns. The base identity therefore needs sts:AssumeRole permission on the role, and the role's trust policy must allow it.
Environment variables: plugins use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables if set, together with AWS_SESSION_TOKEN, which is optional for long-lived keys but must also be set when the keys are temporary credentials.
Shared configuration and credentials files: plugins read the shared config file at $AWS_CONFIG_FILE (or $HOME/.aws/config) and the shared credentials file at $AWS_SHARED_CREDENTIALS_FILE (or $HOME/.aws/credentials) to fetch the credentials for the profile named by $AWS_PROFILE or $AWS_DEFAULT_PROFILE (or "default" if neither is set). See Configuration and credential file settings in the AWS CLI.
The shared settings are evaluated in the following order:
| Setting | File | Description |
|---|---|---|
| credential_process | config | Linux only. Runs the configured command and reads credentials from its output. See Sourcing credentials with an external process in the AWS CLI. |
| aws_access_key_id, aws_secret_access_key, aws_session_token | credentials | Access key ID and secret key used to authenticate. The session token must be set for temporary credentials. |
No other settings are supported. Because credential_process executes whatever command the config file names, that file must be writable only by the user Fluent Bit runs as.
EKS Web Identity Token (OIDC): credentials are fetched by exchanging the signed web identity token of a Kubernetes service account for temporary credentials for the IAM role associated with that service account. See IAM roles for service accounts.
ECS HTTP credentials endpoint: credentials are fetched for the ECS task's role from the container credentials endpoint. See Amazon ECS task IAM role.
EKS Pod Identity: credentials are fetched from the pod identity endpoint. See Learn how EKS Pod Identity grants pods access to AWS services.
EC2 Instance Profile Credentials (IMDS): credentials are fetched for the EC2 instance profile's role. See IAM roles for Amazon EC2. Since Fluent Bit 1.8.8, IMDSv2 is used by default, so IMDSv1 can be disabled on the instance; earlier versions require IMDSv1 to be enabled. When Fluent Bit runs in a container with its own network namespace, the instance's IMDSv2 hop limit must be at least 2, otherwise the response to the token request never reaches the container.
AWS Greengrass credentials: Fluent Bit fetches credentials from the localhost endpoint provided by the AWS IoT Greengrass token exchange service, which runs as a local server on Greengrass core devices. The endpoint URL and its bearer token are read from the AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN environment variables that the service sets. For more information, see the AWS documentation about Token exchange service.
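The following script is an added example written for this page, not Fluent Bit's own code. It models the provider chain described above offline: environment variables first, then the shared config and credentials files honouring only the two settings in the table (credential_process on Linux only, then static keys), and, when neither yields credentials, a report of which network-backed provider the chain would consult next. It performs no network calls and no STS AssumeRole. Assumptions: the config file uses the AWS CLI "[profile name]" section naming; the variables used to detect the network-backed providers (AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, AWS_CONTAINER_CREDENTIALS_FULL_URI) are the standard AWS SDK names and are assumed to be the ones Fluent Bit checks; every key, token and path in the demo is constructed.

```python
"""Offline model of the AWS credential provider chain (added example, not Fluent Bit code)."""
import configparser, json, os, platform, shlex, subprocess, tempfile
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Union

@dataclass
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str]  # must be present for temporary credentials
    source: str                   # which provider supplied them

def from_environment(env: Dict[str, str]) -> Optional[Credentials]:
    """Provider 1: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, plus optional AWS_SESSION_TOKEN."""
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if key and secret:
        return Credentials(key, secret, env.get("AWS_SESSION_TOKEN"), "environment")
    return None

def run_credential_process(command: str) -> dict:
    """Run a credential_process helper and parse the JSON it prints (the AWS CLI contract)."""
    out = subprocess.run(shlex.split(command), capture_output=True, text=True, check=True).stdout
    return json.loads(out)

def from_shared_files(env: Dict[str, str], system: str = platform.system(),
                      runner: Callable[[str], dict] = run_credential_process) -> Optional[Credentials]:
    """Provider 2: the shared config and credentials files, honouring only the settings in the table."""
    home = env.get("HOME", "")
    config_file = env.get("AWS_CONFIG_FILE", os.path.join(home, ".aws", "config"))
    creds_file = env.get("AWS_SHARED_CREDENTIALS_FILE", os.path.join(home, ".aws", "credentials"))
    profile = env.get("AWS_PROFILE") or env.get("AWS_DEFAULT_PROFILE") or "default"

    # credential_process lives in the config file and is evaluated first; the page says Linux only.
    config = configparser.ConfigParser(interpolation=None)
    config.read(config_file)
    section = "default" if profile == "default" else f"profile {profile}"  # assumed AWS CLI section naming
    if system == "Linux" and config.has_option(section, "credential_process"):
        doc = runner(config.get(section, "credential_process"))
        return Credentials(doc["AccessKeyId"], doc["SecretAccessKey"], doc.get("SessionToken"), "credential_process")

    # Static keys live in the credentials file; aws_session_token marks them as temporary.
    creds = configparser.ConfigParser(interpolation=None)
    creds.read(creds_file)
    if creds.has_option(profile, "aws_access_key_id") and creds.has_option(profile, "aws_secret_access_key"):
        return Credentials(creds.get(profile, "aws_access_key_id"), creds.get(profile, "aws_secret_access_key"),
                           creds.get(profile, "aws_session_token", fallback=None), "shared_credentials")
    return None  # source_profile, sso_* and the like are ignored: "No other settings are supported"

def next_network_provider(env: Dict[str, str]) -> str:
    """Providers 3 onwards need a network call (STS, container endpoint, IMDS); offline we only report
    which one the chain would consult. Assumption: Fluent Bit checks these standard SDK variable names."""
    if env.get("AWS_WEB_IDENTITY_TOKEN_FILE") and env.get("AWS_ROLE_ARN"):
        return "eks_web_identity"
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") or env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI"):
        return "container_endpoint"  # ECS task role; Greengrass TES also publishes the FULL_URI variable
    return "ec2_imds"

def resolve(env: Dict[str, str], system: str = platform.system(),
            runner: Callable[[str], dict] = run_credential_process) -> Union[Credentials, str]:
    """The first provider that yields credentials wins; later ones are never consulted."""
    return from_environment(env) or from_shared_files(env, system, runner) or next_network_provider(env)

def demo() -> dict:
    """Exercise the chain against constructed files and environments (every value here is made up)."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, ".aws"))
        with open(os.path.join(home, ".aws", "credentials"), "w") as f:
            f.write("[default]\naws_access_key_id = AKIA-CONSTRUCTED-FILE\naws_secret_access_key = file-secret\n"
                    "[logs]\naws_access_key_id = ASIA-CONSTRUCTED-LOGS\naws_secret_access_key = logs-secret\n"
                    "aws_session_token = constructed-session-token\n")
        with open(os.path.join(home, ".aws", "config"), "w") as f:
            f.write("[profile helper]\ncredential_process = /usr/local/bin/constructed-helper\n")
        fake_runner = lambda cmd: {"Version": 1, "AccessKeyId": "ASIA-CONSTRUCTED-PROC",
                                   "SecretAccessKey": "proc-secret", "SessionToken": "proc-token"}
        return {
            # env vars set AND a default profile on disk: the environment wins
            "env_wins": resolve({"HOME": home, "AWS_ACCESS_KEY_ID": "AKIA-CONSTRUCTED-ENV",
                                 "AWS_SECRET_ACCESS_KEY": "env-secret"}),
            # no env vars: the named profile's static keys, temporary so the token comes along
            "profile_from_file": resolve({"HOME": home, "AWS_PROFILE": "logs"}),
            # credential_process is honoured on Linux ...
            "credential_process_linux": resolve({"HOME": home, "AWS_PROFILE": "helper"}, "Linux", fake_runner),
            # ... but skipped elsewhere; with no static keys for that profile the chain moves on to IMDS
            "credential_process_other_os": resolve({"HOME": home, "AWS_PROFILE": "helper"}, "Darwin", fake_runner),
            # nothing local, but the ECS agent's variable is present: the container endpoint is next
            "container": resolve({"HOME": home, "AWS_PROFILE": "missing",
                                  "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/constructed"}),
        }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it with `python3 chain.py`; the two credential_process cases show why the Linux-only caveat matters operationally: the same config file silently falls through to the next provider on any other platform, so a host whose credential_process helper is the only source of credentials ends up talking to IMDS instead.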