S3 Ingest Self-hosted Preparation
Configuring S3 ingest feed for self install requires some additional steps to grant the required access and enable ingest feeds.
Create an IAM Role in AWS. This role will need permissions allowing
sts:AssumeRole
on the roles that will be used for AWS S3 ingest.The following are examples of the trust and permission policies which must be applied to the role in AWS.
Trust policy for the IAM role
{ "Version": "2012-10-17", "Statement": [ { "Sid": "TrustLogScale", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/example-logscale-user" }, "Action": "sts:AssumeRole" } ] }
Permission policy for the IAM role
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAssumingAllRoles", "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/*" } ] }
Configure the
INGEST_FEED_AWS_ROLE_ARN
environment variable with the ARN of the Role that LogScale should assume.LogScale must be configured with AWS credentials. LogScale will resolve AWS credentials by (in order of precedence):
Reading the
INGEST_FEED_AWS_ACCESS_KEY_ID
andINGEST_FEED_SECRET_ACCESS_KEY
environment variables.Using the provider chain applied by LogScale is documented here:Default Credentials Provider Chain from the AWS Java SDK, note that we do not apply step 2 (Environment Variables).