From 0106a22fc81781155b74fb100539c0ec5b4a6cd2 Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Tue, 21 Feb 2023 18:36:37 -0500 Subject: [PATCH] Update the documentation to describe using symlinks for sharing web identity token file for 'repository-s3' plugin (#3021) * Update the documentation to describe using symlinks for sharing web identity token file for 'repository-s3' plugin Signed-off-by: Andriy Redko * Address review comments Signed-off-by: Andriy Redko --------- Signed-off-by: Andriy Redko --- .../snapshots/snapshot-restore.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md index 8d0d5909..6ac3c58c 100644 --- a/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md +++ b/_tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore.md 
@@ -157,10 +157,23 @@ Request fields | Description ``` If you don't want to configure AWS access and secret keys, modify the following `opensearch.yml` setting. Make sure the file is accessible by the `repository-s3` plugin: + ```yml s3.client.default.identity_token_file: /usr/share/opensearch/plugins/repository-s3/token ``` + If copying is not an option, you can create a symlink to the web identity token file in the `${OPENSEARCH_PATH_CONFIG}` folder: + + ``` + ln -s $AWS_WEB_IDENTITY_TOKEN_FILE "${OPENSEARCH_PATH_CONFIG}/aws-web-identity-token-file" + ``` + + You can reference the web identity token file in the following `opensearch.yml` setting by specifying the relative path that is resolved against `${OPENSEARCH_PATH_CONFIG}`: + + ```yaml + s3.client.default.identity_token_file: aws-web-identity-token-file + ``` + IAM roles require at least one of the above settings. Other settings will be taken from environment variables (if available): `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_ROLE_SESSION_NAME`. 1. If you changed `opensearch.yml`, you must restart each node in the cluster. Otherwise, you only need to reload secure cluster settings:
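Review bot: In the added `ln -s` line, `$AWS_WEB_IDENTITY_TOKEN_FILE` is unquoted while the link path is quoted, so a token path containing spaces or glob characters would be word-split by the shell. Write it as `ln -s "$AWS_WEB_IDENTITY_TOKEN_FILE" "${OPENSEARCH_PATH_CONFIG}/aws-web-identity-token-file"`. That command block also opens with a bare fence, and the new setting block is tagged `yaml` where the existing one is tagged `yml`; tag the command block `bash` and use one YAML tag throughout. The symlink paragraph should also repeat the existing caveat that the file must be accessible by the `repository-s3` plugin, because the link target stays outside `${OPENSEARCH_PATH_CONFIG}` and access is decided by the target's own permissions, not the link's.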