Merge pull request #1562 from fluent/lynettemiles/sc-116058/what-s-up-with-administration-aws-credentials

esmerel · web-flow · commit 96f4c2a8142a · 2025-01-17T13:50:45.000-08:00
Cleanup AWS credentials for style and consistency
diff --git a/SUMMARY.md b/SUMMARY.md
@@ -79,6 +79,7 @@
 * [Hot Reload](administration/hot-reload.md)
 * [Troubleshooting](administration/troubleshooting.md)
 * [Performance Tips](administration/performance.md)
+* [AWS credentials](administration/aws-credentials.md)
 
 ## Local Testing
 
diff --git a/administration/aws-credentials.md b/administration/aws-credentials.md
@@ -1,39 +1,53 @@
 # AWS Credentials
 
-Plugins that interact with AWS services will fetch credentials from various providers in the following order.
-Only the first provider that is able to provide credentials will be used.
+Plugins that interact with AWS services fetch credentials from the following providers
+in order. Only the first provider that provides credentials is used.
 
-All AWS plugins additionally support a `role_arn` (or `AWS_ROLE_ARN`, for [Elasticsearch](../pipeline/outputs/elasticsearch.md)) configuration parameter. If specified, the fetched credentials will then be used to assume the given role.
+- [Environment variables](#environment-variables)
+- [Shared configuration and credentials files](#shared-configuration-and-credentials-files)
+- [EKS Web Identity Token (OIDC)](#eks-web-identity-token-oidc)
+- [ECS HTTP credentials endpoint](#ecs-http-credentials-endpoint)
+- [EC2 Instance Profile Credentials (IMDS)](#ec2-instance-profile-credentials-imds)
 
-## 1. Environment Variables
+All AWS plugins additionally support a `role_arn` (or `AWS_ROLE_ARN`, for
+[Elasticsearch](../pipeline/outputs/elasticsearch.md)) configuration parameter. If
+specified, the fetched credentials are used to assume the given role.
 
-Uses the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` (and optionally `AWS_SESSION_TOKEN`) environment variables if set.
+## Environment variables
 
-## 2. Shared Configuration and Credentials Files
+Plugins use the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` (and optionally
+`AWS_SESSION_TOKEN`) environment variables if set.
 
-Reads the shared config file at `$AWS_CONFIG_FILE` (or `$HOME/.aws/config`) and the shared credentials file at `$AWS_SHARED_CREDENTIALS_FILE` (or `$HOME/.aws/credentials`) to fetch the credentials for the profile named `$AWS_PROFILE` or `$AWS_DEFAULT_PROFILE` (or "default"). See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html.
+## Shared configuration and credentials files
 
-The shared settings will be evaluated in the following order.
+Plugins read the shared `config` file at `$AWS_CONFIG_FILE` (or `$HOME/.aws/config`),
+and the shared credentials file at `$AWS_SHARED_CREDENTIALS_FILE` (or
+`$HOME/.aws/credentials`)  to fetch the credentials for the profile named
+`$AWS_PROFILE` or `$AWS_DEFAULT_PROFILE` (or "default"). See
+[Configuration and credential file settings in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).
 
-Setting|File|Description
----|---|---
-`credential_process`|config| See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html.<br/>Supported on Linux only.
-`aws_access_key_id`<br/>`aws_secret_access_key`<br/>*`aws_session_token`*|credentials|Access key ID and secret key to use to authenticate.<br/>The session token must be set for temporary credentials.
+The shared settings evaluate in the following order:
 
-At this time, no other settings are supported.
+| Setting | File | Description |
+|---|---|---|
+| `credential_process` | `config` | Linux only. See [Sourcing credentials with an external process in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html). |
+| `aws_access_key_id`<br />`aws_secret_access_key`<br />`aws_session_token` | `credentials` | Access key ID and secret key to use to authenticate. The session token must be set for temporary credentials. |
 
-## 3. EKS Web Identity Token (OIDC)
+No other settings are supported.
 
-Fetches credentials via a signed web identity token for a Kubernetes service account.
-See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html.
+## EKS Web Identity Token (OIDC)
 
-## 4. ECS HTTP Credentials Endpoint
+Credentials are fetched using a signed web identity token for a Kubernetes service account.
+See [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
 
-Fetches credentials for the ECS task's role.
-See https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html.
+## ECS HTTP credentials endpoint
 
-## 5. EC2 Instance Profile Credentials (IMDS)
+Credentials are fetched for the ECS task's role. See
+[Amazon ECS task IAM role](https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html).
 
-Fetches credentials for the EC2 instance profile's role.
-See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html.
-As of Fluent Bit version 1.8.8, IMDSv2 is used by default and IMDSv1 may be disabled. Prior versions of Fluent Bit require enabling IMDSv1 on EC2.
+## EC2 instance profile credentials (IMDS)
+
+Fetches credentials for the EC2 instance profile's role. See
+[IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html).
+As of Fluent Bit version 1.8.8, IMDSv2 is used by default and IMDSv1 might be disabled.
+Prior versions of Fluent Bit require enabling IMDSv1 on EC2.
