Plugins that interact with AWS services fetch credentials from the following providers in order. Only the first provider that provides credentials is used.
- Environment variables
- Shared configuration and credentials files
- EKS Web Identity Token (OIDC)
- ECS HTTP credentials endpoint
- EC2 Instance Profile Credentials (IMDS)
All AWS plugins additionally support a role_arn (or AWS_ROLE_ARN, for
Elasticsearch) configuration parameter. If
specified, the fetched credentials are used to assume the given role.
Plugins use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (and optionally
AWS_SESSION_TOKEN) environment variables if set.
Plugins read the shared config file at $AWS_CONFIG_FILE (or $HOME/.aws/config),
and the shared credentials file at $AWS_SHARED_CREDENTIALS_FILE (or
$HOME/.aws/credentials) to fetch the credentials for the profile named
$AWS_PROFILE or $AWS_DEFAULT_PROFILE (or "default"). See
Configuration and credential file settings in the AWS CLI.
The shared settings evaluate in the following order:
| Setting | File | Description |
|---|---|---|
credential_process |
config |
Linux only. See Sourcing credentials with an external process in the AWS CLI. |
aws_access_key_idaws_secret_access_keyaws_session_token |
credentials |
Access key ID and secret key to use to authenticate. The session token must be set for temporary credentials. |
No other settings are supported.
Credentials are fetched using a signed web identity token for a Kubernetes service account. See IAM roles for service accounts.
Credentials are fetched for the ECS task's role. See Amazon ECS task IAM role.
Fetches credentials for the EC2 instance profile's role. See IAM roles for Amazon EC2. As of Fluent Bit version 1.8.8, IMDSv2 is used by default and IMDSv1 might be disabled. Prior versions of Fluent Bit require enabling IMDSv1 on EC2.