Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using an IAM role with AWS SQS-Based S3 Input

rpersaud
New Member
‎09-15-2020 02:37 PM

Hello,

I would like to use an IAM Role with the AWS SQS-Based S3 Input.  My particulars:

Splunk Cloud
Version:
7.2.9
Build: 2dc56eaf3546


Splunk Add-on for AWS
Version:
4.6.1
Build:
14

Note, this is on an IDM.  Based on other community posts, it appears that I would need to complete the following steps:

-Create the IAM role (R) in my account (AC) with the necessary permissions
-Create a user (U) in AC that can assume R
-Add U's Access Key Identifier, and Access Key as an account (A) under Configurations -> Account.
-Add R as an IAM role (I) under Configurations -> IAM Role

So my question is, on the following screen, would I specify A for 'The name of AWS account' and I as "The name of IAM user would be assumed" (shouldn't this be labeled "The name of IAM Role to assume"?)?  Is there a more direct way to accomplish this e.g., the Splunk add-on directly assuming the role?

Screen Shot 2020-09-15 at 3.19.27 PM.png

Labels (1)
Labels
0 Karma
Reply

tsmit
Splunk Employee
Splunk Employee
‎09-15-2020 04:10 PM

Hello  rpersaud!

I just fired up my handy AWS/Splunk box to take a look. I'd suggest navigating to the Splunk Add-On for AWS and add the input there. You'll note from the screenshot I attached that the "Assume Role" is optional. I think the UI presents better as well. If there is a ROLE that you would want to assume, you could place it here, but the IAM account that is used will be the same one you setup your Account with in the Splunk Add-On.

 

2020-09-15_19-01-02.png

 

-Tom 

0 Karma
Reply

rpersaud
New Member
‎09-15-2020 04:35 PM

@tsmit, thanks for the quick reply.  From the Inputs tab, I am able to see the more informative UI that you included in your screenshot. 

I'm not sure what you mean by "the same one you setup your Account with in the Splunk Add-On."  We have a couple of  AWS accounts that are currently being used by AWS SQS-Based S3 Inputs.  They were setup from the Configuration -> Account page, and appear in the 'AWS Account' drop down.  Presumably, I could setup another account with the appropriate permissions to assume a role, and then specify that account and the role for 'AWS Account' and 'Assume Role', respectively.  However, if an IAM user is required to assume a role, then it probably makes sense to just attach the policy directly to the user since we lose the advantages of using an IAM role.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...