logstash-mixin-aws 4.2.2 → 4.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 2a75d44617a1da7a815e753511644df5cb10725f
-  data.tar.gz: 6052a122e83b6389c0f0e976718583431d4732dc
+SHA256:
+  metadata.gz: '01656229a43f5ede21677884c8ea991f17916c1788f3d649f53522ea54e3f750'
+  data.tar.gz: d13097ef493258bd57bd748d81ac6d060b4a1400264fc6b29948be2a31b5e9bc
 SHA512:
-  metadata.gz: 94bfbdd3454bbf35192fdd27282a12c8d24f673e13f05cc28dec21dd30b9ccba67c0860c6eaa31c058462948465ac09e40e0661922c5b6b4208c59869e129439
-  data.tar.gz: 5e96d2601e7879237c0f839f1e283cd9c92cb1131625bc70ae4ef53284375cfcc21450a899cc63dd7ff0354dcc46dac86cf98e7a7da4bf38a36222b86067474e
+  metadata.gz: 55c0c1592cf6f02bfe3318b8b201232057d67a0070a8963d1bd233d045e5dd7846658665a6e7c2be3fb6e136f378fce19c6e1c836ca308506ed5bb6bd28889d7
+  data.tar.gz: 916511950a77a3cccb5c168bc1faa040f8e5aca31c62aa0f2c5806f38556f1492eafc48230ba6798ded1d7a3871639adcfe6d3c2eba573809f8b3bc605f4879b

data/CHANGELOG.md

@@ -1,3 +1,22 @@
+## 4.4.1
+  -  Fix: proxy with assumed role (properly) [#50](https://github.com/logstash-plugins/logstash-mixin-aws/pull/50).
+
+## 4.4.0
+  -  Fix: credentials/proxy with assumed role [#48](https://github.com/logstash-plugins/logstash-mixin-aws/pull/48).
+     Plugin no longer assumes `access_key_id`/`secret_access_key` credentials not to be set when `role_arn` specified.
+
+## 4.3.0
+  - Drop strict value validation for region option #36
+  - Add endpoint option to customize the endpoint uri #32
+  - Allow user to provide a role to assume #27
+  - Update aws-sdk dependency to '~> 2'
+
+## 4.2.4
+  - Minor config validation fixes
+
+## 4.2.3
+  - Fix some documentation issues
+
 ## 4.2.1
   - Add eu-west-2, us-east-2 and ca-central-1 regions
 

data/Gemfile

@@ -1,3 +1,11 @@
 source 'https://rubygems.org'
 
 gemspec
+
+logstash_path = ENV["LOGSTASH_PATH"] || "../../logstash"
+use_logstash_source = ENV["LOGSTASH_SOURCE"] && ENV["LOGSTASH_SOURCE"].to_s == "1"
+
+if Dir.exist?(logstash_path) && use_logstash_source
+  gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
+  gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
+end

data/LICENSE

@@ -1,13 +1,202 @@
-Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-    http://www.apache.org/licenses/LICENSE-2.0
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2020 Elastic and contributors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/lib/logstash/plugin_mixins/aws_config.rb

@@ -9,11 +9,6 @@ module LogStash::PluginMixins::AwsConfig
   require "logstash/plugin_mixins/aws_config/v2"
 
   US_EAST_1 = "us-east-1"
-  REGIONS_ENDPOINT = [US_EAST_1, "us-east-2", "us-west-1", "us-west-2",
-                      "eu-central-1", "eu-west-1", "eu-west-2",
-                      "ap-southeast-1", "ap-southeast-2", "ap-northeast-1",
-                      "ap-northeast-2", "sa-east-1", "us-gov-west-1",
-                      "cn-north-1", "ap-south-1", "ca-central-1"]
 
   def self.included(base)
     # Add these methods to the 'base' given.

data/lib/logstash/plugin_mixins/aws_config/generic.rb

@@ -6,11 +6,11 @@ module LogStash::PluginMixins::AwsConfig::Generic
 
   def generic_aws_config
     # The AWS Region
-    config :region, :validate => LogStash::PluginMixins::AwsConfig::REGIONS_ENDPOINT, :default => LogStash::PluginMixins::AwsConfig::US_EAST_1 
+    config :region, :validate => :string, :default => LogStash::PluginMixins::AwsConfig::US_EAST_1
 
     # This plugin uses the AWS SDK and supports several ways to get credentials, which will be tried in this order:
     #
-    # 1. Static configuration, using `access_key_id` and `secret_access_key` params in logstash plugin config
+    # 1. Static configuration, using `access_key_id` and `secret_access_key` params in the logstash plugin config
     # 2. External credentials file specified by `aws_credentials_file`
     # 3. Environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
     # 4. Environment variables `AMAZON_ACCESS_KEY_ID` and `AMAZON_SECRET_ACCESS_KEY`
@@ -18,14 +18,26 @@ module LogStash::PluginMixins::AwsConfig::Generic
     config :access_key_id, :validate => :string
 
     # The AWS Secret Access Key
-    config :secret_access_key, :validate => :string
+    config :secret_access_key, :validate => :password
 
     # The AWS Session token for temporary credential
-    config :session_token, :validate => :string
+    config :session_token, :validate => :password
 
     # URI to proxy server if required
     config :proxy_uri, :validate => :string
 
+    # Custom endpoint to connect to s3
+    config :endpoint, :validate => :string
+
+    # The AWS IAM Role to assume, if any.
+    # This is used to generate temporary credentials typically for cross-account access.
+    # See https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html for more information.
+    # When `role_arn` is set, AWS (`access_key_id`/`secret_access_key`) credentials still get used if they're configured.
+    config :role_arn, :validate => :string
+
+    # Session name to use when assuming an IAM role
+    config :role_session_name, :validate => :string, :default => "logstash"
+
     # Path to YAML file containing a hash of AWS credentials.
     # This file will only be loaded if `access_key_id` and
     # `secret_access_key` aren't set. The contents of the

data/lib/logstash/plugin_mixins/aws_config/v1.rb

@@ -22,6 +22,10 @@ module LogStash::PluginMixins::AwsConfig::V1
   def aws_options_hash
     opts = {}
 
+    if @role_arn || @role_session_name
+      @logger.warn("role_arn and role_session_name settings are not supported in the v1 plugin")
+    end
+
     if @access_key_id.is_a?(NilClass) ^ @secret_access_key.is_a?(NilClass)
       @logger.warn("Likely config error: Only one of access_key_id or secret_access_key was provided but not both.")
     end
@@ -51,6 +55,10 @@ module LogStash::PluginMixins::AwsConfig::V1
     # For a list, see https://github.com/aws/aws-sdk-ruby/blob/master/lib/aws/core/configuration.rb
     opts.merge!(self.aws_service_endpoint(@region))
 
+    if !@endpoint.is_a?(NilClass)
+      opts[:endpoint] = @endpoint
+    end
+
     return opts
   end # def aws_options_hash
 end

data/lib/logstash/plugin_mixins/aws_config/v2.rb

@@ -11,51 +11,63 @@ module LogStash::PluginMixins::AwsConfig::V2
   def aws_options_hash
     opts = {}
 
-    if @access_key_id.is_a?(NilClass) ^ @secret_access_key.is_a?(NilClass)
-      @logger.warn("Likely config error: Only one of access_key_id or secret_access_key was provided but not both.")
-    end
-
-    opts[:credentials] = credentials if credentials
-
     opts[:http_proxy] = @proxy_uri if @proxy_uri
 
-    # The AWS SDK for Ruby doesn't know how to make an endpoint hostname from a region
-    # for example us-west-1 -> foosvc.us-west-1.amazonaws.com
-    # So our plugins need to know how to generate their endpoints from a region
-    # Furthermore, they need to know the symbol required to set that value in the AWS SDK
-    # Classes using this module must implement aws_service_endpoint(region:string)
-    # which must return a hash with one key, the aws sdk for ruby config symbol of the service
-    # endpoint, which has a string value of the service endpoint hostname
-    # for example, CloudWatch, { :cloud_watch_endpoint => "monitoring.#{region}.amazonaws.com" }
-    # For a list, see https://github.com/aws/aws-sdk-ruby/blob/master/lib/aws/core/configuration.rb
+    if @role_arn
+      credentials = assume_role(opts.dup)
+      opts[:credentials] = credentials
+    else
+      credentials = aws_credentials
+      opts[:credentials] = credentials if credentials
+    end
+
     if self.respond_to?(:aws_service_endpoint)
+      # used by CloudWatch to basically do the same as bellow (returns { region: region })
       opts.merge!(self.aws_service_endpoint(@region))
     else
-      opts.merge!({ :region => @region })
+      # NOTE: setting :region works with the aws sdk (resolves correct endpoint)
+      opts[:region] = @region
     end
 
+    opts[:endpoint] = @endpoint unless @endpoint.nil?
+
     return opts
   end
 
   private
-  def credentials
-    @creds ||= begin
-                 if @access_key_id && @secret_access_key
-                   credentials_opts = {
-                     :access_key_id => @access_key_id,
-                     :secret_access_key => @secret_access_key
-                   }
-
-                   credentials_opts[:session_token] = @session_token if @session_token
-                 elsif @aws_credentials_file
-                   credentials_opts = YAML.load_file(@aws_credentials_file)
-                 end
-
-                 if credentials_opts
-                   Aws::Credentials.new(credentials_opts[:access_key_id],
-                                        credentials_opts[:secret_access_key],
-                                        credentials_opts[:session_token])
-                 end
-               end
+
+  def aws_credentials
+    if @access_key_id && @secret_access_key
+      Aws::Credentials.new(@access_key_id, @secret_access_key.value, @session_token ? @session_token.value : nil)
+    elsif @access_key_id.nil? ^ @secret_access_key.nil?
+      @logger.warn("Likely config error: Only one of access_key_id or secret_access_key was provided but not both.")
+      secret_access_key = @secret_access_key ? @secret_access_key.value : nil
+      Aws::Credentials.new(@access_key_id, secret_access_key, @session_token ? @session_token.value : nil)
+    elsif @aws_credentials_file
+      credentials_opts = YAML.load_file(@aws_credentials_file)
+      credentials_opts.default_proc = lambda { |hash, key| hash.fetch(key.to_s, nil) }
+      Aws::Credentials.new(credentials_opts[:access_key_id],
+                           credentials_opts[:secret_access_key],
+                           credentials_opts[:session_token])
+    else
+      nil # AWS client will read ENV or ~/.aws/credentials
+    end
+  end
+  alias credentials aws_credentials
+
+  def assume_role(opts = {})
+    unless opts.key?(:credentials)
+      credentials = aws_credentials
+      opts[:credentials] = credentials if credentials
+    end
+
+    # for a regional endpoint :region is always required by AWS
+    opts[:region] = @region
+
+    Aws::AssumeRoleCredentials.new(
+        :client => Aws::STS::Client.new(opts),
+        :role_arn => @role_arn,
+        :role_session_name => @role_session_name
+    )
   end
-end
+end

data/logstash-mixin-aws.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-mixin-aws'
-  s.version         = '4.2.2'
+  s.version         = '4.4.1'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "AWS mixins to provide a unified interface for Amazon Webservice"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -19,7 +19,8 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency 'logstash-codec-plain'
   s.add_runtime_dependency 'aws-sdk-v1', '>= 1.61.0'
-  s.add_runtime_dependency 'aws-sdk', '~> 2.3.0'
+  s.add_runtime_dependency 'aws-sdk', '~> 2'
   s.add_development_dependency 'logstash-devutils'
+  s.add_development_dependency 'timecop'
 end
 

data/spec/plugin_mixin/aws_config_spec.rb

@@ -2,6 +2,7 @@
 require "logstash/devutils/rspec/spec_helper"
 require "logstash/plugin_mixins/aws_config"
 require 'aws-sdk'
+require 'timecop'
 
 class DummyInputAwsConfigV2 < LogStash::Inputs::Base
   include LogStash::PluginMixins::AwsConfig::V2
@@ -44,8 +45,10 @@ describe LogStash::PluginMixins::AwsConfig do
 
         it "should support passing as key, value, and session_token" do
           expect(subject[:access_key_id]).to eq(settings["access_key_id"])
-          expect(subject[:secret_access_key]).to eq(settings["secret_access_key"])
-          expect(subject[:session_token]).to eq(settings["session_token"])
+          expect(subject[:secret_access_key]).to_not eq(settings["secret_access_key"])
+          expect(subject[:secret_access_key].value).to eq(settings["secret_access_key"])
+          expect(subject[:session_token]).to_not eq(settings["session_token"])
+          expect(subject[:session_token].value).to eq(settings["session_token"])
         end
       end
 
@@ -54,7 +57,8 @@ describe LogStash::PluginMixins::AwsConfig do
 
         it 'should support passing credentials as key, value' do
           expect(subject[:access_key_id]).to eq(settings['access_key_id'])
-          expect(subject[:secret_access_key]).to eq(settings['secret_access_key'])
+          expect(subject[:secret_access_key]).to_not eq(settings['secret_access_key'])
+          expect(subject[:secret_access_key].value).to eq(settings['secret_access_key'])
         end
       end
     end
@@ -78,6 +82,16 @@ describe LogStash::PluginMixins::AwsConfig do
     end
   end
 
+  describe 'config endpoint' do
+    context "endpoint provided" do
+      let(:settings) { { 'access_key_id' => '1234',  'secret_access_key' => 'secret', 'endpoint' => 'http://localhost'} }
+
+      it 'should use specified endpoint' do
+          expect(subject[:endpoint]).to eq("http://localhost")
+      end
+    end
+  end
+
   context 'when we arent providing credentials' do
     let(:settings) { {} }
     it 'should always return a hash' do
@@ -99,7 +113,7 @@ describe LogStash::PluginMixins::AwsConfig::V2 do
 
       it 'should support reading configuration from a yaml file' do
         expect(subject.access_key_id).to eq("1234")
-        expect(subject.secret_access_key).to eq("secret")
+        expect(subject.secret_access_key).to eq("secret")   
       end
     end
 
@@ -122,6 +136,106 @@ describe LogStash::PluginMixins::AwsConfig::V2 do
           expect(subject.secret_access_key).to eq(settings['secret_access_key'])
         end
       end
+
+      context 'role arn is provided' do
+        let(:settings) { { 'role_arn' => 'arn:aws:iam::012345678910:role/foo', 'region' => 'us-west-2' } }
+        let(:sts_double) { instance_double(Aws::STS::Client) }
+        let(:now) { Time.now }
+        let(:expiration) { Time.at(now.to_i + 3600) }
+        let(:temp_credentials) {
+          double(credentials:
+                  double(
+                    access_key_id: '1234',
+                    secret_access_key: 'secret',
+                    session_token: 'session_token',
+                    expiration: expiration.to_s,
+                  )
+                )
+        }
+        let(:new_temp_credentials) {
+          double(credentials:
+                  double(
+                    access_key_id: '5678',
+                    secret_access_key: 'secret1',
+                    session_token: 'session_token1',
+                    expiration: expiration.to_s,
+                  )
+                )
+        }
+
+        before do
+          allow(Aws::STS::Client).to receive(:new).and_return(sts_double)
+          allow(sts_double).to receive(:assume_role)  {
+            if Time.now < expiration
+              temp_credentials
+            else
+              new_temp_credentials
+            end
+          }
+        end
+
+        it 'supports passing role_arn' do
+          Timecop.freeze(now) do
+            expect(subject.credentials.access_key_id).to eq('1234')
+            expect(subject.credentials.secret_access_key).to eq('secret')
+            expect(subject.credentials.session_token).to eq('session_token')
+          end
+        end
+
+        it 'rotates the keys once they expire' do
+          Timecop.freeze(Time.at(expiration.to_i + 100)) do
+            expect(subject.credentials.access_key_id).to eq('5678')
+            expect(subject.credentials.secret_access_key).to eq('secret1')
+            expect(subject.credentials.session_token).to eq('session_token1')
+          end
+        end       
+      end
+
+      context 'role arn with credentials' do
+
+        let(:settings) do
+          {
+              'role_arn' => 'arn:aws:iam::012345678910:role/foo',
+              'region' => 'us-west-2',
+
+              'access_key_id' => '12345678',
+              'secret_access_key' => 'secret',
+              'session_token' => 'session_token',
+
+              'proxy_uri' => 'http://a-proxy.net:1234'
+          }
+        end
+
+        let(:aws_options_hash) { DummyInputAwsConfigV2NoRegionMethod.new(settings).aws_options_hash }
+
+        before do
+          allow_any_instance_of(Aws::AssumeRoleCredentials).to receive(:refresh) # called from #initialize
+        end
+
+        it 'uses credentials' do
+          subject = aws_options_hash[:credentials]
+          expect( subject ).to be_a Aws::AssumeRoleCredentials
+          expect( subject.client ).to be_a Aws::STS::Client
+          expect( credentials = subject.client.config.credentials ).to be_a Aws::Credentials
+          expect( credentials.access_key_id ).to eql '12345678'
+        end
+
+        it 'sets up proxy on client and region' do
+          subject = aws_options_hash[:credentials]
+          expect( subject.client.config.http_proxy ).to eql 'http://a-proxy.net:1234'
+          expect( subject.client.config.region ).to eql 'us-west-2' # probably redundant (kept for backwards compat)
+        end
+
+        it 'sets up proxy top level' do # setting in on the client isn't enough!
+          expect( aws_options_hash[:http_proxy] ).to eql 'http://a-proxy.net:1234'
+        end
+
+        it 'sets up region top-level' do
+          # NOTE: this one is required for real with role_arn :
+          expect( aws_options_hash[:region] ).to eql 'us-west-2'
+        end
+
+      end
     end
   end
 
@@ -184,4 +298,5 @@ describe LogStash::PluginMixins::AwsConfig::V2 do
       expect(subject).to eq({ :dummy_input_aws_config_region => "us-east-1.awswebservice.local" })  
     end
   end
+
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-mixin-aws
 version: !ruby/object:Gem::Version
-  version: 4.2.2
+  version: 4.4.1
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-06-23 00:00:00.000000000 Z
+date: 2020-10-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -63,7 +63,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.3.0
+        version: '2'
   name: aws-sdk
   prerelease: false
   type: :runtime
@@ -71,7 +71,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.3.0
+        version: '2'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -86,7 +86,23 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: timecop
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem is a Logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
+  gem is not a stand-alone program
 email: info@elastic.co
 executables: []
 extensions: []
@@ -126,7 +142,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.8
+rubygems_version: 2.6.13
 signing_key:
 specification_version: 4
 summary: AWS mixins to provide a unified interface for Amazon Webservice