Filebeat Google Cloud Storage Input requires JSON or file credentials for authentication which causes issues when using workload identity #39977
Comments
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

I think the same logic used by the GCP Pub/Sub input could be implemented by the GCS input. If none of the config options are set then it checks if it can load application default credentials before failing.
beats/x-pack/filebeat/input/gcppubsub/config.go, lines 45 to 68 in d2c4c2d
Does that sound correct to you @bkaznowski?

Yes, I believe this sounds right. We use the gcp-pubsub input too and we haven't had any issues with using it alongside workload identity. It would also be a nice solution to bring both of these under the same behaviour.

Hi @efd6, I'm wondering how you are setting up Workload Identity because I'm having the same issue here.
I'm running on GKE. How are you setting up Workload Identity so that now it works???

Thanks @alelevinas, it looks like part of the process was omitted. Sending that now.

Describe the enhancement:
Make auth.credentials_json.account_key and auth.credentials_file.path optional so you can configure filebeat to set up the Google Storage client without either option.

Describe a specific use case for the enhancement or feature:
If you are running Filebeat in a Kubernetes cluster and want to use workload identity to authenticate with GCS then the documentation doesn't make it clear how to achieve this and the behaviour would suggest this isn't possible. It would be nice to either specifically call out the workaround in the documentation or to make both config options optional.
This is the guide I was following which says you must provide either a credentials JSON or a credentials file. However, workload identity doesn't require either.

Existing workaround:
There is a workaround that exists for now, which is to set an empty credentials file path. For example:
auth.credentials_file.path: ""
This makes filebeat think the credentials file path is set and the Google Storage client will set this path. However, the GCS client treats an empty path identically to the scenario where a path isn't provided.
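
The fallback suggested in the comments (try application default credentials when neither auth option is set, and fail only if that also fails), sketched as an added Go example that is not the Beats code. The names authConfig, adcProbe and resolveAuth are hypothetical, the probe stands in for whatever ADC lookup the input would call, and rejecting a config with both options set is this example's own assumption.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// authConfig holds the two options named in the issue. An empty string means
// "not set", so the `path: ""` workaround lands in the same branch as omission.
type authConfig struct {
	CredentialsFilePath string // auth.credentials_file.path
	CredentialsJSONKey  string // auth.credentials_json.account_key
}

// adcProbe is a hypothetical seam for the application default credentials
// lookup; it returns nil when ADC (for example workload identity) can be loaded.
type adcProbe func(ctx context.Context) error

// resolveAuth returns which credential source the input would use, or an error
// when nothing is configured and ADC cannot be loaded either.
func resolveAuth(ctx context.Context, c authConfig, probe adcProbe) (string, error) {
	switch {
	case c.CredentialsFilePath != "" && c.CredentialsJSONKey != "":
		// Assumption of this example: an ambiguous configuration is rejected.
		return "", errors.New("set only one of credentials_file.path and credentials_json.account_key")
	case c.CredentialsFilePath != "":
		return "credentials_file", nil
	case c.CredentialsJSONKey != "":
		return "credentials_json", nil
	}
	// Neither option set: fall back to ADC before failing.
	if err := probe(ctx); err != nil {
		return "", fmt.Errorf("no credentials configured and ADC unavailable: %w", err)
	}
	return "application_default", nil
}

func main() {
	ctx := context.Background()
	adcOK := func(context.Context) error { return nil } // constructed: ADC present
	adcMissing := func(context.Context) error { return errors.New("could not find default credentials") }

	fmt.Println(resolveAuth(ctx, authConfig{}, adcOK))
	fmt.Println(resolveAuth(ctx, authConfig{CredentialsFilePath: ""}, adcMissing))
	fmt.Println(resolveAuth(ctx, authConfig{CredentialsFilePath: "/constructed/key.json"}, adcMissing))
}
```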