AWS Opensearch(es) assume_role auth not working

[nic-igaw]

Hi,
I've created AWS ECS cluster of vector applications that basically takes log data via http_server and reroutes the data to AWS Opensearch, but the aws authentication assume_role option is giving me a terrible time and it'd be lovely if I can get any help or insight regarding this issue.

Below are the config specifications that I've used:

I've created a task role(vector-task-role) with appropriate trusted relationship settings

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

and set in my vector config to assume the same iam role as the one I've given the task:

# input sources to vector
sources:
  logs_http:
    type: http_server
    method: "POST"
    address: "0.0.0.0:80"
    path: "/logs/http"
    encoding: "json"

# output location from vector
sinks:
  output_opensearch:
    type: elasticsearch
    inputs:
      - logs_http
    endpoints:
      - [redacted_es_endpoint]
    aws:
      region: "ap-northeast-2"
    bulk:
      index: "{{ .application_name }}-%Y%m%d"
    # ES health check
    healthcheck:
      enabled: false
    auth:
      strategy: "aws"
      assume_role: "arn:aws:iam::[redacted_account_no]:role/vector-task-role"
      region: "ap-northeast-2"

This is the error message I get:

<Code>AccessDenied</Code>\n    <Message>User: arn:aws:sts::[redacted_account_no]:assumed-role/vector-task-role/bd70121139e84e788534139edd9e4e4c is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[redacted_account_no]:role/vector-task-role</Message>

I've went through all the permissions in the vector-task-role and event gave it all permission just to see if there was something wrong on my end, but it still wouldn't work.

Does this error have to do with the aws sdk vector uses?

Any help would be delightful.

Thanks!

[nic-igaw]

To anyone dealing with a similar problem,
I've solved the problem by removing all the aws auth related config lines.

I thought that auth.strategy HAS to be "aws" since I'm working with AWS Opensearch, not Elasticsearch,
which then prevents vector application bootup by saying "missing required AWS auth enum".
(not the exact message, but once auth.strategry="aws" is set, you need to either fill in the access_key infos or credential file location or arn of the role you wish vector application to assume)

Since the vector application runs on AWS infrastucture(ECS) and vector application uses official Rust AWS SDK,
it'll probably assume the roles naturally, meaning I shouldn't have to set any aws auth related configs.
More specifically saying, the vector docker container should run with the roles injected by the one AWS ECS Task has.

Hope this helps anyone from reading loads of github discussions and issues or official docs. :)