I'm trying to setup a simple input to ingest our AWS billing data into Splunk. Our AWS billing data is stored in an S3 bucket in our parent AWS account, the Splunk HF and indexer are in another 'non prod' account which we access via switch roles.
In order to pull the data into Splunk I have configured a role in the parent account and allowed the EC2 role applied to the Splunk instance, permissions to assume it. However when I configure the Input via the AWS add on I get the following error when it tries to return a list of buckets ' Error in processing the request'
I've tested calling the sts:assumerole operation from the splunk server and I can access the bucket with no problems. So i'm reasonably confident it's not connectivity or permissions. I also can't seem to find any kind of logs to provide further detail on what the issue is - I have checked
var/log/splunk/splunk_ta_aws_aws_billing_cur_AwsBilling.log . (i've also tried setting the logging level to ERROR and DEBUG
However I can't find any errors at all, can anyone advise how we might debug this further?