Add Snapshot IRSA instructions (#782)

* Support use of IRSA for repository-s3 plugin credentials

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

* Addressing review comments

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

* Addressing review comments

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

* Addressing review comments

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

* Add IRSA snapshot instructions

Signed-off-by: Naarcha-AWS <naarcha@amazon.com>

* Remove old changes. Update nav

Signed-off-by: Naarcha-AWS <naarcha@amazon.com>

Co-authored-by: Andriy Redko <andriy.redko@aiven.io>
Naarcha-AWS 2022-07-07 14:21:38 -05:00 committed by GitHub
parent f49b919f46
commit 7c8a5881e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 0 deletions

@ -26,6 +26,7 @@ If you need to delete a snapshot, be sure to use the OpenSearch API rather than
---
## Register repository
Before you can take a snapshot, you have to "register" a snapshot repository. A snapshot repository is just a storage location: a shared file system, Amazon S3, Hadoop Distributed File System (HDFS), Azure Storage, etc.
@ -142,8 +143,23 @@ Setting | Description
s3.client.default.proxy.port: 8080 # port for your proxy server
s3.client.default.read_timeout: 50s # the S3 connection timeout
s3.client.default.use_throttle_retries: true # whether the client should wait a progressively longer amount of time (exponential backoff) between each successive retry
s3.client.default.region: us-east-2 # AWS region to use
```
1. (Optional) If you don't want to use AWS access and secret keys, you could configure the S3 plugin to use AWS Identity and Access Management (IAM) roles for service accounts:
```bash
sudo ./bin/opensearch-keystore add s3.client.default.role_arn
sudo ./bin/opensearch-keystore add s3.client.default.role_session_name
```
If you don't want to configure AWS access and secret keys, modify the following `opensearch.yml` setting. Make sure the file is accessible by the `repository-s3` plugin:
```yml
s3.client.default.identity_token_file: /usr/share/opensearch/plugins/repository-s3/token
```
IAM roles require at least one of the above settings. Other settings will be taken from environment variables (if available): `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_ROLE_SESSION_NAME`.
1. If you changed `opensearch.yml`, you must restart each node in the cluster. Otherwise, you only need to reload secure cluster settings:
```
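Review bot: In the added optional step, the sentence that introduces `s3.client.default.identity_token_file` repeats the step's opening condition ("If you don't want to configure AWS access and secret keys"), so it is unclear whether the token file setting is needed in addition to the `role_arn` and `role_session_name` keystore entries or as an alternative to them. "IAM roles require at least one of the above settings" does not resolve this. Suggest stating which settings must be set together and which ones fall back to `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_SESSION_NAME`. "Make sure the file is accessible by the `repository-s3` plugin" should also name the token file explicitly, because as written it reads as if it meant `opensearch.yml`, and it should say that the file needs to be readable only by the user OpenSearch runs as, since the web identity token is a credential.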