vectordotdev · anil-db · Apr 30, 2025 · Apr 30, 2025 · May 12, 2025 · May 12, 2025
@@ -0,0 +1,5 @@
+Adds session token support to the aws auth options. Session token is required with access id and secret keys when using temporary credentials.
+If temporary credentials is created and supplied by another external system.
+Update to these temporary credentials can be done by external system using `SECRET` backend.
+
+authors: anil-db
@@ -71,6 +71,10 @@ pub enum AwsAuthentication {
         #[configurable(metadata(docs::examples = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"))]
         secret_access_key: SensitiveString,
 
+        /// The AWS session token.
+        #[configurable(metadata(docs::examples = "AQoDYXdz...AQoDYXdz..."))]
+        session_token: Option<SensitiveString>,
+
         /// The ARN of an [IAM role][iam_role] to assume.
         ///
         /// [iam_role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
@@ -275,11 +279,12 @@ impl AwsAuthentication {
                 external_id,
                 region,
                 session_name,
+                session_token,
             } => {
                 let provider = SharedCredentialsProvider::new(Credentials::from_keys(
                     access_key_id.inner(),
                     secret_access_key.inner(),
-                    None,
+                    session_token.clone().map(|v| v.inner().into()),
                 ));
                 if let Some(assume_role) = assume_role {
                     let auth_region = region.clone().map(Region::new).unwrap_or(service_region);
@@ -372,6 +377,7 @@ impl AwsAuthentication {
             external_id: None,
             region: None,
             session_name: None,
+            session_token: None,
         }
     }
 }

@@ -364,6 +364,11 @@ base: configuration: configuration: {
 														"""
 						required: false
 					}
+					session_token: {
+						type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+						description: "The AWS session token."
+						required:    false
+					}
 					credentials_file: {
 						type: string: examples: ["/my/aws/credentials"]
 						description: "Path to the credentials file."

@@ -139,6 +139,11 @@ base: components: sinks: aws_cloudwatch_logs: configuration: {
 				required: false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description: "The AWS session token."
+				required:    false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 		}
 	}
 	batch: {

@@ -139,6 +139,11 @@ base: components: sinks: aws_cloudwatch_metrics: configuration: {
 				required: false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description: "The AWS session token."
+				required:    false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 		}
 	}
 	batch: {

@@ -139,6 +139,11 @@ base: components: sinks: aws_kinesis_firehose: configuration: {
 				required: false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description: "The AWS session token."
+				required:    false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 		}
 	}
 	batch: {

@@ -139,6 +139,11 @@ base: components: sinks: aws_kinesis_streams: configuration: {
 				required: false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description: "The AWS session token."
+				required:    false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 		}
 	}
 	batch: {

@@ -214,6 +214,11 @@ base: components: sinks: aws_s3: configuration: {
 				required: false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description: "The AWS session token."
+				required:    false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 		}
 	}
 	batch: {

@@ -139,6 +139,11 @@ base: components: sinks: aws_sns: configuration: {
 				required: false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description: "The AWS session token."
+				required:    false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 		}
 	}
 	encoding: {

@@ -139,6 +139,11 @@ base: components: sinks: aws_sqs: configuration: {
 				required: false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description: "The AWS session token."
+				required:    false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 		}
 	}
 	encoding: {

@@ -182,6 +182,12 @@ base: components: sinks: elasticsearch: configuration: {
 				required:      false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description:   "The AWS session token."
+				relevant_when: "strategy = \"aws\""
+				required:      false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 			strategy: {
 				description: """
 					The authentication strategy to use.

@@ -155,6 +155,12 @@ base: components: sinks: prometheus_remote_write: configuration: {
 				required:      false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description:   "The AWS session token."
+				relevant_when: "strategy = \"aws\""
+				required:      false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 			strategy: {
 				description: "The authentication strategy to use."
 				required:    true

@@ -134,6 +134,11 @@ base: components: sources: aws_s3: configuration: {
 				required: false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description: "The AWS session token."
+				required:    false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 		}
 	}
 	compression: {

@@ -134,6 +134,11 @@ base: components: sources: aws_sqs: configuration: {
 				required: false
 				type: string: examples: ["vector-indexer-role"]
 			}
+			session_token: {
+				description: "The AWS session token."
+				required:    false
+				type: string: examples: ["AQoDYXdz...AQoDYXdz..."]
+			}
 		}
 	}
 	client_concurrency: {