opensearch: aoss authentication support

Signed-off-by: Matthew Fala <falamatt@amazon.com>
fluent · Dec 23, 2022 · 1bfba07 · 1bfba07
1 parent 9c38c5c
commit 1bfba07
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/plugins/out_opensearch/opensearch.c b/plugins/out_opensearch/opensearch.c
@@ -58,8 +58,8 @@ static flb_sds_t add_aws_auth(struct flb_http_client *c,
     flb_http_add_header(c, "User-Agent", 10, "aws-fluent-bit-plugin", 21);
 
     signature = flb_signv4_do(c, FLB_TRUE, FLB_TRUE, time(NULL),
-                              ctx->aws_region, "es",
-                              0, NULL,
+                              ctx->aws_region, ctx->aws_service_name,
+                              S3_MODE_SIGNED_PAYLOAD, ctx->aws_unsigned_headers,
                               ctx->aws_provider);
     if (!signature) {
         flb_plg_error(ctx->ins, "could not sign request with sigv4");
@@ -1063,6 +1063,11 @@ static struct flb_config_map config_map[] = {
      0, FLB_FALSE, 0,
      "External ID for the AWS IAM Role specified with `aws_role_arn`"
     },
+    {
+     FLB_CONFIG_MAP_STR, "aws_service_name", "es",
+     0, FLB_TRUE, offsetof(struct flb_opensearch, aws_service_name),
+     "AWS Service Name"
+    },
 #endif
 
     /* Logstash compatibility */

diff --git a/plugins/out_opensearch/opensearch.h b/plugins/out_opensearch/opensearch.h
@@ -75,6 +75,8 @@ struct flb_opensearch {
     /* one for the standard chain provider, one for sts assume role */
     struct flb_tls *aws_sts_tls;
     char *aws_session_name;
+    char *aws_service_name;
+    struct mk_list *aws_unsigned_headers;
 #endif
 
     /* HTTP Client Setup */

diff --git a/plugins/out_opensearch/os_conf.c b/plugins/out_opensearch/os_conf.c
@@ -215,6 +215,19 @@ struct flb_opensearch *flb_os_conf_create(struct flb_output_instance *ins,
     }
 
 #ifdef FLB_HAVE_AWS
+    /* AWS Auth Unsigned Headers */
+    ctx->aws_unsigned_headers = flb_malloc(sizeof(struct mk_list));
+    if (!ctx->aws_unsigned_headers) {
+        flb_os_conf_destroy(ctx);
+        return NULL;
+    }
+    flb_slist_create(ctx->aws_unsigned_headers);
+    ret = flb_slist_add(ctx->aws_unsigned_headers, "Content-Length");
+    if (ret != 0) {
+        flb_os_conf_destroy(ctx);
+        return NULL;
+    }
+
     /* AWS Auth */
     ctx->has_aws_auth = FLB_FALSE;
     tmp = flb_output_get_property("aws_auth", ins);
@@ -364,6 +377,11 @@ int flb_os_conf_destroy(struct flb_opensearch *ctx)
     if (ctx->aws_sts_tls) {
         flb_tls_destroy(ctx->aws_sts_tls);
     }
+
+    if (ctx->aws_unsigned_headers) {
+        flb_slist_destroy(ctx->aws_unsigned_headers);
+        flb_free(ctx->aws_unsigned_headers);
+    }
 #endif
 
     if (ctx->ra_prefix_key) {