fluent-plugin-s3 1.2.1 → 1.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7857c3b94c15cb4823304fee564472f765550dd22e31d45573275c4db78124f1
-  data.tar.gz: 77ebe69806ddc016fb49a01affe134f16c8eb62201b15cce69d20aeaacd17d59
+  metadata.gz: ebfd58f8ceb4878fc504cf04a829a7434b28fb872a58da0335178d37752d9b1e
+  data.tar.gz: d1623ee5f6e82fa2739e2ff5acde34d3e5aa52e38ac870fde997db738f27e508
 SHA512:
-  metadata.gz: a0d66bbd627a801c39fe4da90135dc4c4b457c522de73c9d14e03786a3dd0b5b8cb2c51d2eb11c8fd615897626fdf9c6d689cbae4be2842d75b5b2846426ab4b
-  data.tar.gz: 8500765a686f41f5ed76c9738fd8466dd64cdda9ca840b5fef0b618d7a9bf0da6d8ba8a46fc239893964ddf9bddd7dcfa54cc71587a69fb4b5417f2592d2cc1c
+  metadata.gz: bd8dee9e930f7f70ac130945ce77a1cdaffb5169fb0ca8711cb98eda1ddc6af2ab4bc8b1fb15490cfbec9dbf0e176528b58eb3aec8fc613050d8c135fde299fe
+  data.tar.gz: 499828ad8c8197235e3d8ee426f265e33f69e0cc65ae4a643cc5a01ff0bc9546f56006fbb339d61d06c6f641f43f94a4494c519ad8378fe155edab1f6fd0a083

data/ChangeLog

@@ -1,3 +1,24 @@
+Release 1.3.4 - 2020/07/07
+
+  * Add sts_http_proxy and sts_endpoint_url to assume_role_credentials
+
+Release 1.3.3 - 2020/06/25
+
+  * Allow fips/gov included endpoint
+  * Support sts_region parameter
+
+Release 1.3.2 - 2020/05/18
+
+  * out_s3: Show warning message for object conflict case.
+
+Release 1.3.1 - 2020/04/15
+
+  * out_s3: Support S3 Dual-Stack Endpoints in output plugin via enable_dual_stack parameter
+
+Release 1.3.0 - 2020/02/10
+
+  * in_s3/out_s3: Support AssumeRoleWebIdentityCredentials via `web_identity_credentials` section for EKS.
+
 Release 1.2.1 - 2019/11/10
 
   * in_s3: Support ECSCredentials

data/README.md

@@ -31,8 +31,13 @@ We must setup SQS queue and S3 event notification before use this plugin.
 
 Simply use RubyGems:
 
-    $ gem install fluent-plugin-s3 -v "~> 0.8" --no-document # for fluentd v0.12 or later
-    $ gem install fluent-plugin-s3 -v 1.0.0 --no-document # for fluentd v1.0 or later
+    # install latest version
+    $ gem install fluent-plugin-s3 --no-document # for fluentd v1.0 or later
+    # If you need to install specifiv version, use -v option
+    $ gem install fluent-plugin-s3 -v 1.3.0 --no-document
+    # For v0.12. This is for old v0.12 users. Don't use v0.12 for new deployment
+    $ gem install fluent-plugin-s3 -v "~> 0.8" --no-document # for fluentd v0.12
+
 
 ## Configuration: credentials
 
@@ -93,6 +98,51 @@ is set to 3600 seconds.
 A unique identifier that is used by third parties when assuming roles in
 their customers' accounts.
 
+### web_identity_credentials
+
+Similar to the assume_role_credentials, but for usage in EKS.
+
+    <match *>
+      @type s3
+
+      <web_identity_credentials>
+        role_arn          ROLE_ARN
+        role_session_name ROLE_SESSION_NAME
+        web_identity_token_file AWS_WEB_IDENTITY_TOKEN_FILE
+      </web_identity_credentials>
+    </match>
+
+See also:
+
+*   [Using IAM Roles - AWS Identity and Access
+    Management](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
+*   [IAM Roles For Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html)
+*   [Aws::STS::Client](http://docs.aws.amazon.com/sdkforruby/api/Aws/STS/Client.html)
+*   [Aws::AssumeRoleWebIdentityCredentials](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AssumeRoleWebIdentityCredentials.html)
+
+**role_arn (required)**
+
+The Amazon Resource Name (ARN) of the role to assume.
+
+**role_session_name (required)**
+
+An identifier for the assumed role session.
+
+**web_identity_token_file (required)**
+
+The absolute path to the file on disk containing the OIDC token
+
+**policy**
+
+An IAM policy in JSON format.
+
+**duration_seconds**
+
+The duration, in seconds, of the role session. The value can range from
+900 seconds (15 minutes) to 43200 seconds (12 hours). By default, the value
+is set to 3600 seconds.
+
+
 ### instance_profile_credentials
 
 Retrieve temporary security credentials via HTTP request. This is useful on
@@ -165,7 +215,7 @@ Defaults to 'default' or `[ENV]('AWS_PROFILE')`.
 
 ### v1.0 style
 
-With fluentd v1.0 and fluent-plugin-s3 v1.0.0, use new buffer configuration to dynamic parameters.
+With fluentd v1 and fluent-plugin-s3 v1.0.0 or later, use new buffer configuration to dynamic parameters.
 
     <match pattern>
       @type s3
@@ -248,12 +298,18 @@ recommend using `s3_region` instead of `s3_endpoint`.
 **s3_endpoint**
 
 endpoint for S3 compatible services. For example, Riak CS based storage or
-something. This option doesn't work on S3, use `s3_region` instead.
+something. This option is deprecated for AWS S3, use `s3_region` instead.
+
+See also AWS article: [Working with Regions](https://aws.amazon.com/blogs/developer/working-with-regions/).
 
 **enable_transfer_acceleration**
 
 Enable [S3 Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html) for uploads. **IMPORTANT**: For this to work, you must first enable this feature on your destination S3 bucket.
 
+**enable_dual_stack**
+
+Enable [Amazon S3 Dual-Stack Endpoints](https://docs.aws.amazon.com/AmazonS3/latest/dev/dual-stack-endpoints.html) for uploads. Will make it possible to use either IPv4 or IPv6 when connecting to S3.
+
 **use_bundled_cert**
 
 For cases where the default SSL certificate is unavailable (e.g. Windows), you can set this option to true in order to use the AWS SDK bundled certificate. Default is false.
@@ -297,6 +353,13 @@ You can configure the length of string with a
 `hex_random_length` parameter (Default: 4).
 
 The default format is `%{path}%{time_slice}_%{index}.%{file_extension}`.
+In addition, you can use [buffer placeholders](https://docs.fluentd.org/configuration/buffer-section#placeholders) in this parameter,
+so you can embed tag, time and record value like below:
+
+    s3_object_key_format %{path}/events/%Y%m%d/${tag}_%{index}.%{file_extension}
+    <buffer tag,time>
+      # buffer parameters...
+    </buffer>
 
 For instance, using the example configuration above, actual object keys on S3
 will be something like:
@@ -352,7 +415,7 @@ See `Use your compression algorithm` section for adding another format.
 **`<format>` or format**
 
 Change one line format in the S3 object. Supported formats are "out_file",
-"json", "ltsv" and "single_value". See also [official Formatter article](https://docs.fluentd.org/formatter).
+"json", "ltsv", "single_value" and other formatter plugins. See also [official Formatter article](https://docs.fluentd.org/formatter).
 
 * out_file (default).
 
@@ -368,11 +431,18 @@ Change one line format in the S3 object. Supported formats are "out_file",
 
 
 At this format, "time" and "tag" are omitted. But you can set these
-information to the record by setting "include_tag_key" / "tag_key" and
-"include_time_key" / "time_key" option. If you set following configuration in
+information to the record by setting `<inject>` option. If you set following configuration in
 S3 output:
 
-    format json
+    # v1
+    <format>
+      @type json
+    </format>
+    <inject>
+      time_key log_time
+    </inject>
+    # v0.12
+    @format json
     include_time_key true
     time_key log_time # default is time
 
@@ -380,15 +450,14 @@ then the record has log_time field.
 
     {"log_time":"time string",...}
 
+See also [official Inject Section article](https://docs.fluentd.org/configuration/inject-section).
+
 * ltsv
 
         key1:value1\tkey2:value2
         key1:value1\tkey2:value2
         ...
 
-
-"ltsv" format also accepts "include_xxx" related options. See "json" section.
-
 * single_value
 
 
@@ -431,21 +500,34 @@ uri of proxy environment.
 **path**
 
 path prefix of the files on S3. Default is "" (no prefix).
+[buffer placeholder](https://docs.fluentd.org/configuration/buffer-section#placeholders) is supported,
+so you can embed tag, time and record value like below.
+
+    path logs/%Y%m%d/${tag}/
+    <buffer tag,time>
+      # buffer parameters...
+    </buffer>
 
-**buffer_path (required)**
+**buffer_path (for v0.12)**
 
 path prefix of the files to buffer logs.
 
-**time_slice_format**
+This parameter is for v0.12. Use `<buffer>`'s `path` in v1.
+
+**time_slice_format(for v0.12)**
 
 Format of the time used as the file name. Default is '%Y%m%d'. Use
 '%Y%m%d%H' to split files hourly.
 
-**time_slice_wait**
+This parameter is for v0.12. Use buffer placeholder for `path` / `s3_object_key_format` in v1.
+
+**time_slice_wait(for v0.12)**
 
 The time to wait old logs. Default is 10 minutes. Specify larger value if
 old logs may reach.
 
+This parameter is for v0.12. Use `<buffer>`'s `timekey_wait` in v1.
+
 **utc**
 
 Use UTC instead of local time.

data/VERSION

@@ -1 +1 @@
-1.2.1
+1.3.4

data/fluent-plugin-s3.gemspec

@@ -17,8 +17,8 @@ Gem::Specification.new do |gem|
   gem.require_paths = ['lib']
 
   gem.add_dependency "fluentd", [">= 0.14.22", "< 2"]
-  gem.add_dependency "aws-sdk-s3", "~> 1.0"
-  gem.add_dependency "aws-sdk-sqs", "~> 1.0"
+  gem.add_dependency "aws-sdk-s3", "~> 1.60"
+  gem.add_dependency "aws-sdk-sqs", "~> 1.23"
   gem.add_development_dependency "rake", ">= 0.9.2"
   gem.add_development_dependency "test-unit", ">= 3.0.8"
   gem.add_development_dependency "test-unit-rr", ">= 1.0.3"

data/lib/fluent/plugin/in_s3.rb

@@ -42,6 +42,20 @@ module Fluent::Plugin
       desc "A unique identifier that is used by third parties when assuming roles in their customers' accounts."
       config_param :external_id, :string, default: nil
     end
+    # See the following link for additional params that could be added:
+    # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/STS/Client.html#assume_role_with_web_identity-instance_method
+    config_section :web_identity_credentials, multi: false do
+      desc "The Amazon Resource Name (ARN) of the role to assume"
+      config_param :role_arn, :string # required
+      desc "An identifier for the assumed role session"
+      config_param :role_session_name, :string #required
+      desc "The absolute path to the file on disk containing the OIDC token"
+      config_param :web_identity_token_file, :string #required
+      desc "An IAM policy in JSON format"
+      config_param :policy, :string, default: nil
+      desc "The duration, in seconds, of the role session (900-43200)"
+      config_param :duration_seconds, :integer, default: nil
+    end
     config_section :instance_profile_credentials, multi: false do
       desc "Number of times to retry when retrieving credentials"
       config_param :retries, :integer, default: nil
@@ -104,11 +118,11 @@ module Fluent::Plugin
     def configure(conf)
       super
 
-      if @s3_endpoint && @s3_endpoint.end_with?('amazonaws.com')
+      if @s3_endpoint && (@s3_endpoint.end_with?('amazonaws.com') && !['fips', 'gov'].any? { |e| @s3_endpoint.include?(e) })
         raise Fluent::ConfigError, "s3_endpoint parameter is not supported for S3, use s3_region instead. This parameter is for S3 compatible services"
       end
 
-      if @sqs.endpoint && @sqs.endpoint.end_with?('amazonaws.com')
+      if @sqs.endpoint && (@sqs.endpoint.end_with?('amazonaws.com') && !['fips', 'gov'].any? { |e| @sqs.endpoint.include?(e) })
         raise Fluent::ConfigError, "sqs/endpoint parameter is not supported for SQS, use s3_region instead. This parameter is for SQS compatible services"
       end
 
@@ -202,6 +216,17 @@ module Fluent::Plugin
           credentials_options[:client] = Aws::STS::Client.new(:region => @s3_region)
         end
         options[:credentials] = Aws::AssumeRoleCredentials.new(credentials_options)
+      when @web_identity_credentials
+        c = @web_identity_credentials
+        credentials_options[:role_arn] = c.role_arn
+        credentials_options[:role_session_name] = c.role_session_name
+        credentials_options[:web_identity_token_file] = c.web_identity_token_file
+        credentials_options[:policy] = c.policy if c.policy
+        credentials_options[:duration_seconds] = c.duration_seconds if c.duration_seconds
+        if @s3_region
+          credentials_options[:client] = Aws::STS::Client.new(:region => @s3_region)
+        end
+        options[:credentials] = Aws::AssumeRoleWebIdentityCredentials.new(credentials_options)
       when @instance_profile_credentials
         c = @instance_profile_credentials
         credentials_options[:retries] = c.retries if c.retries

data/lib/fluent/plugin/out_s3.rb

@@ -39,6 +39,28 @@ module Fluent::Plugin
       config_param :duration_seconds, :integer, default: nil
       desc "A unique identifier that is used by third parties when assuming roles in their customers' accounts."
       config_param :external_id, :string, default: nil, secret: true
+      desc "The region of the STS endpoint to use."
+      config_param :sts_region, :string, default: nil
+      desc "A http proxy url for requests to aws sts service"
+      config_param :sts_http_proxy, :string, default: nil, secret: true
+      desc "A url for a regional sts api endpoint, the default is global"
+      config_param :sts_endpoint_url, :string, default: nil
+    end
+    # See the following link for additional params that could be added:
+    # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/STS/Client.html#assume_role_with_web_identity-instance_method
+    config_section :web_identity_credentials, multi: false do
+      desc "The Amazon Resource Name (ARN) of the role to assume"
+      config_param :role_arn, :string # required
+      desc "An identifier for the assumed role session"
+      config_param :role_session_name, :string #required
+      desc "The absolute path to the file on disk containing the OIDC token"
+      config_param :web_identity_token_file, :string #required
+      desc "An IAM policy in JSON format"
+      config_param :policy, :string, default: nil
+      desc "The duration, in seconds, of the role session (900-43200)"
+      config_param :duration_seconds, :integer, default: nil
+      desc "The region of the STS endpoint to use."
+      config_param :sts_region, :string, default: nil
     end
     config_section :instance_profile_credentials, multi: false do
       desc "Number of times to retry when retrieving credentials"
@@ -70,6 +92,8 @@ module Fluent::Plugin
     config_param :s3_endpoint, :string, default: nil
     desc "If true, S3 Transfer Acceleration will be enabled for uploads. IMPORTANT: You must first enable this feature on your destination S3 bucket"
     config_param :enable_transfer_acceleration, :bool, default: false
+    desc "If true, use Amazon S3 Dual-Stack Endpoints. Will make it possible to use either IPv4 or IPv6 when connecting to S3."
+    config_param :enable_dual_stack, :bool, default: false
     desc "If false, the certificate of endpoint will not be verified"
     config_param :ssl_verify_peer, :bool, :default => true
     desc "The format of S3 object keys"
@@ -155,7 +179,7 @@ module Fluent::Plugin
 
       Aws.use_bundled_cert! if @use_bundled_cert
 
-      if @s3_endpoint && @s3_endpoint.end_with?('amazonaws.com')
+      if @s3_endpoint && (@s3_endpoint.end_with?('amazonaws.com') && !['fips', 'gov'].any? { |e| @s3_endpoint.include?(e) })
         raise Fluent::ConfigError, "s3_endpoint parameter is not supported for S3, use s3_region instead. This parameter is for S3 compatible services"
       end
 
@@ -175,7 +199,7 @@ module Fluent::Plugin
       end
 
       unless @index_format =~ /^%(0\d*)?[dxX]$/
-        raise Fluent::ConfigError, "index_format parameter should follow `%[flags][width]type`. `0` is the only supported flag, and is mandatory if width is specified. `d`, `x` and `X` are supported types" 
+        raise Fluent::ConfigError, "index_format parameter should follow `%[flags][width]type`. `0` is the only supported flag, and is mandatory if width is specified. `d`, `x` and `X` are supported types"
       end
 
       if @reduced_redundancy
@@ -193,6 +217,8 @@ module Fluent::Plugin
         end
       end
 
+      check_s3_path_safety(conf)
+
       # For backward compatibility
       # TODO: Remove time_slice_format when end of support compat_parameters
       @configured_time_slice_format = conf['time_slice_format']
@@ -209,6 +235,7 @@ module Fluent::Plugin
       options[:region] = @s3_region if @s3_region
       options[:endpoint] = @s3_endpoint if @s3_endpoint
       options[:use_accelerate_endpoint] = @enable_transfer_acceleration
+      options[:use_dualstack_endpoint] = @enable_dual_stack
       options[:http_proxy] = @proxy_uri if @proxy_uri
       options[:force_path_style] = @force_path_style
       options[:compute_checksums] = @compute_checksums unless @compute_checksums.nil?
@@ -434,6 +461,16 @@ module Fluent::Plugin
       }
     end
 
+    def check_s3_path_safety(conf)
+      unless conf.has_key?('s3_object_key_format')
+        log.warn "The default value of s3_object_key_format will use ${chunk_id} instead of %{index} to avoid object conflict in v2"
+      end
+
+      if (@buffer_config.flush_thread_count > 1) && ['${chunk_id}', '%{uuid_flush}'].none? { |key| @s3_object_key_format.include?(key) }
+        log.warn "No ${chunk_id} or %{uuid_flush} in s3_object_key_format with multiple flush threads. Recommend to set ${chunk_id} or %{uuid_flush} to avoid data lost by object conflict"
+      end
+    end
+
     def check_apikeys
       @bucket.objects(prefix: @path, :max_keys => 1).first
     rescue Aws::S3::Errors::NoSuchBucket
@@ -456,10 +493,37 @@ module Fluent::Plugin
         credentials_options[:policy] = c.policy if c.policy
         credentials_options[:duration_seconds] = c.duration_seconds if c.duration_seconds
         credentials_options[:external_id] = c.external_id if c.external_id
-        if @s3_region
+        credentials_options[:sts_endpoint_url] = c.sts_endpoint_url if c.sts_endpoint_url
+        credentials_options[:sts_http_proxy] = c.sts_http_proxy if c.sts_http_proxy
+        if c.sts_http_proxy && c.sts_endpoint_url
+          credentials_options[:client] = Aws::STS::Client.new(http_proxy: c.sts_http_proxy, endpoint: c.sts_endpoint_url)
+        elsif @region && c.sts_http_proxy
+          credentials_options[:client] = Aws::STS::Client.new(region: @region, http_proxy: c.sts_http_proxy)
+        elsif @region && c.sts_endpoint_url
+          credentials_options[:client] = Aws::STS::Client.new(region: @region, endpoint: c.sts_endpoint_url)
+        elsif c.sts_http_proxy
+          credentials_options[:client] = Aws::STS::Client.new(http_proxy: c.sts_http_proxy)
+        elsif c.sts_endpoint_url
+          credentials_options[:client] = Aws::STS::Client.new(endpoint: c.sts_endpoint_url)
+        elsif c.sts_region
+          credentials_options[:client] = Aws::STS::Client.new(region: c.sts_region)
+        elsif @s3_region
           credentials_options[:client] = Aws::STS::Client.new(region: @s3_region)
         end
         options[:credentials] = Aws::AssumeRoleCredentials.new(credentials_options)
+      when @web_identity_credentials
+        c = @web_identity_credentials
+        credentials_options[:role_arn] = c.role_arn
+        credentials_options[:role_session_name] = c.role_session_name
+        credentials_options[:web_identity_token_file] = c.web_identity_token_file
+        credentials_options[:policy] = c.policy if c.policy
+        credentials_options[:duration_seconds] = c.duration_seconds if c.duration_seconds
+        if c.sts_region
+          credentials_options[:client] = Aws::STS::Client.new(:region => c.sts_region)
+        elsif @s3_region
+          credentials_options[:client] = Aws::STS::Client.new(:region => @s3_region)
+        end
+        options[:credentials] = Aws::AssumeRoleWebIdentityCredentials.new(credentials_options)
       when @instance_profile_credentials
         c = @instance_profile_credentials
         credentials_options[:retries] = c.retries if c.retries

data/test/test_in_s3.rb

@@ -11,6 +11,7 @@ require 'fluent/plugin/in_s3'
 require 'test/unit/rr'
 require 'zlib'
 require 'fileutils'
+require 'ostruct'
 
 include Fluent::Test::Helpers
 
@@ -152,6 +153,7 @@ EOS
 
   def setup_mocks
     @s3_client = stub(Aws::S3::Client.new(stub_responses: true))
+    stub(@s3_client).config { OpenStruct.new({region: "us-east-1"}) }
     mock(Aws::S3::Client).new(anything).at_least(0) { @s3_client }
     @s3_resource = mock(Aws::S3::Resource.new(client: @s3_client))
     mock(Aws::S3::Resource).new(client: @s3_client) { @s3_resource }

data/test/test_out_s3.rb

@@ -10,6 +10,7 @@ require 'zlib'
 require 'fileutils'
 require 'timecop'
 require 'uuidtools'
+require 'ostruct'
 
 include Fluent::Test::Helpers
 
@@ -427,6 +428,7 @@ EOC
 
   def setup_mocks(exists_return = false)
     @s3_client = stub(Aws::S3::Client.new(stub_responses: true))
+    stub(@s3_client).config { OpenStruct.new({region: "us-east-1"}) }
     # aws-sdk-s3 calls Client#put_object inside Object#put
     mock(@s3_client).put_object(anything).at_least(0) { MockResponse.new({}) }
     mock(Aws::S3::Client).new(anything).at_least(0) { @s3_client }
@@ -464,6 +466,7 @@ EOC
 
   def setup_mocks_hardened_policy()
     @s3_client = stub(Aws::S3::Client.new(:stub_responses => true))
+    stub(@s3_client).config { OpenStruct.new({region: "us-east-1"}) }
     mock(@s3_client).put_object(anything).at_least(0) { MockResponse.new({}) }
     mock(Aws::S3::Client).new(anything).at_least(0) { @s3_client }
     @s3_resource = mock(Aws::S3::Resource.new(:client => @s3_client))
@@ -564,6 +567,62 @@ EOC
     assert_equal(expected_credentials, credentials)
   end
 
+  def test_web_identity_credentials
+    expected_credentials = Aws::Credentials.new("test_key", "test_secret")
+    mock(Aws::AssumeRoleWebIdentityCredentials).new(
+      role_arn: "test_arn",
+      role_session_name: "test_session",
+      web_identity_token_file: "test_file",
+      client: anything
+    ){
+      expected_credentials
+    }
+
+    config = CONFIG_TIME_SLICE.split("\n").reject{|x| x =~ /.+aws_.+/}.join("\n")
+    config += %[
+      <web_identity_credentials>
+        role_arn test_arn
+        role_session_name test_session
+        web_identity_token_file test_file
+      </web_identity_credentials>
+    ]
+    d = create_time_sliced_driver(config)
+    assert_nothing_raised { d.run {} }
+    client = d.instance.instance_variable_get(:@s3).client
+    credentials = client.config.credentials
+    assert_equal(expected_credentials, credentials)
+  end
+
+  def test_web_identity_credentials_with_sts_region
+    expected_credentials = Aws::Credentials.new("test_key", "test_secret")
+    sts_client = Aws::STS::Client.new(region: 'us-east-1')
+    mock(Aws::STS::Client).new(region: 'us-east-1'){ sts_client }
+    mock(Aws::AssumeRoleWebIdentityCredentials).new(
+      role_arn: "test_arn",
+      role_session_name: "test_session",
+      web_identity_token_file: "test_file",
+      client: sts_client
+    ){
+      expected_credentials
+    }
+
+    config = CONFIG_TIME_SLICE.split("\n").reject{|x| x =~ /.+aws_.+/}.join("\n")
+    config += %[
+      s3_region us-west-2
+      <web_identity_credentials>
+        role_arn test_arn
+        role_session_name test_session
+        web_identity_token_file test_file
+        sts_region us-east-1
+      </web_identity_credentials>
+    ]
+    d = create_time_sliced_driver(config)
+    assert_nothing_raised { d.run {} }
+    client = d.instance.instance_variable_get(:@s3).client
+    credentials = client.config.credentials
+    assert_equal(expected_credentials, credentials)
+  end
+
   def test_instance_profile_credentials
     expected_credentials = Aws::Credentials.new("test_key", "test_secret")
     mock(Aws::InstanceProfileCredentials).new({}).returns(expected_credentials)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-s3
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.4
 platform: ruby
 authors:
 - Sadayuki Furuhashi
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-11 00:00:00.000000000 Z
+date: 2020-07-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -37,28 +37,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.60'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.60'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-sqs
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.23'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.23'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement