
Support for access key sessionTokens

Open lstatro opened this issue 5 years ago • 7 comments

Hi'ya,

I don't see a means to manually supply a sessionToken. Obviously that's not an issue when running on a server logging out to the server's host account, as aws will supply the default creds. However it seems to be an issue should one want to push the logs to another account using creds from a sts assumeRole request.

I welcome feedback anyone may have (admittedly, I may have missed something).

Thanks!

    if (awsAccessKeyId && awsSecretKey && awsRegion) {
      config = { accessKeyId: awsAccessKeyId, secretAccessKey: awsSecretKey, region: awsRegion };
    } else if (awsRegion && !awsAccessKeyId && !awsSecretKey) {
      // Amazon SDK will automatically pull access credentials
      // from IAM Role when running on EC2 but region still
      // needs to be configured
      config = { region: awsRegion };
    }

https://github.com/lazywithclass/winston-cloudwatch/blob/master/index.js#L47

lstatro, Dec 31 '19 18:12

Hi, I'm not aware of what a sessionToken is. It has been ages since I used this module and now I am only maintaining it; could you please provide a code example of how you would use this feature?

Also, if you could link the AWS documentation about sessionToken, it would be great! Thanks.

lazywithclass, Jan 03 '20 10:01

Hi,

Sorry for the delay, here are a few links and an example:

When you make a call using temporary security credentials, the call must include a session token, which is returned along with those temporary credentials. AWS uses the session token to validate the temporary security credentials.

  const AWS = require('aws-sdk');
  const winston = require('winston');
  const WinstonCloudWatch = require('winston-cloudwatch');

  async function main() {
    const sts = new AWS.STS();
    /*
      this role would be in another account that
      has a trust relationship set up with the account hosting
      this specific logger
    */
    const assumedRole = await sts.assumeRole({
      RoleArn: 'myRoleArn',
      RoleSessionName: 'mySessionName'
    }).promise();

    winston.add(new WinstonCloudWatch({
      awsRegion: 'us-east-1',
      awsAccessKeyId: assumedRole.Credentials.AccessKeyId,
      awsSecretKey: assumedRole.Credentials.SecretAccessKey,
      /*
        awsSessionToken is not a valid option for winston-cloudwatch,
        but is necessary for api calls that use AssumeRole based creds
      */
      awsSessionToken: assumedRole.Credentials.SessionToken,
      awsOptions: {
        logStreamName: 'us-east-1'
      },
      logGroupName: 'testing',
      logStreamName: 'first'
    }));

    winston.error('1');
  }

  main();

lstatro, Jan 16 '20 12:01

As you might imagine I've been quite busy lately, sorry for the absurd delay in dealing with this. Is this still an issue?

If so, am I right that I would just have to provide an awsSessionToken and use that info to authenticate the calls?

lazywithclass, Apr 05 '20 23:04

I'm facing the same issue, and yes, you are right: it's just needed to add an awsSessionToken to the request. Check this for reference: Using temporary credentials with AWS resources

emanueleragni-nova, Feb 16 '21 16:02

Ok I will have a look in the following weeks, I might have some free time.

lazywithclass, Feb 18 '21 17:02

+1

Snapu, May 06 '22 11:05

If you use `awsOptions?: CloudWatchLogsClientConfig;` to provide the credentials object, I guess it should be passed down to the AWS SDK. That's what I'm using, and no issue with sts assumeRole.

dsoyez, Mar 08 '24 12:03
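As an added example (not code from winston-cloudwatch or from anyone in this thread): a config builder in the shape of the index.js snippet quoted at the top, extended to accept awsSessionToken and to pass an awsOptions credentials object through to the SDK, as the last comment describes. The option names, the assumption that awsOptions is merged last, and the sample AssumeRole response are constructed for illustration.

```javascript
// Constructed sample shaped like an sts.assumeRole() response (not real keys).
const ASSUMED_ROLE = {
  Credentials: {
    AccessKeyId: 'ASIAEXAMPLEEXAMPLE01',
    SecretAccessKey: 'exampleSecretExampleSecretExampleSecret0',
    SessionToken: 'example.session.token',
    Expiration: '2020-01-16T13:00:00Z',
  },
};

// Maps AssumeRole output onto the transport's option names, token included.
function optionsFromAssumeRole(assumedRole, awsRegion) {
  const c = assumedRole.Credentials;
  return {
    awsRegion,
    awsAccessKeyId: c.AccessKeyId,
    awsSecretKey: c.SecretAccessKey,
    awsSessionToken: c.SessionToken,
  };
}

// Builds the CloudWatch Logs client config. Follows the quoted index.js logic
// but adds session-token support and fails fast on inconsistent credential
// options, rather than letting the SDK reject the request at log-flush time.
function buildAwsConfig(opts) {
  const { awsRegion, awsAccessKeyId, awsSecretKey, awsSessionToken, awsOptions } = opts;
  if (!awsRegion) throw new Error('awsRegion is required');
  if (Boolean(awsAccessKeyId) !== Boolean(awsSecretKey)) {
    throw new Error('awsAccessKeyId and awsSecretKey must be provided together');
  }
  const config = { region: awsRegion };
  if (awsAccessKeyId) {
    // Temporary STS key IDs start with "ASIA"; AWS rejects them without the token.
    if (awsAccessKeyId.startsWith('ASIA') && !awsSessionToken) {
      throw new Error('temporary credentials require awsSessionToken');
    }
    config.credentials = { accessKeyId: awsAccessKeyId, secretAccessKey: awsSecretKey };
    if (awsSessionToken) config.credentials.sessionToken = awsSessionToken;
  }
  // Assumed: awsOptions is merged last, so a credentials object given there
  // (the approach in the last comment) reaches the SDK unchanged. With no
  // static credentials at all, the SDK's default provider chain applies.
  return Object.assign(config, awsOptions);
}
```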