Connecting to AWS OpenSearch with ARN

[wmashal]

Hi,

Are there any examples demonstrating how to connect to AWS OpenSearch using an ARN instead of a username and password?

In our deployments, we typically connect pods to AWS services by creating a Role and RoleBinding with a master user ARN.

However, in the Jaeger production strategy and Elasticsearch storage configurations, I only see options for username and password authentication.

Could you please provide guidance or examples on how to use ARN-based authentication for OpenSearch connections in Jaeger?

If I am creating service account with the ARN the refrence it in the configurations like the following ? it works ?

  jaeger:
    spec:
      strategy: production    # Change to production strategy instead of allInOne
      collector:
        serviceAccount: jaeger-collector
        options:
          log-level: info
        annotations:
          sidecar.istio.io/inject: "true"
      query:
        serviceAccount: jaeger-collector 
        options:
          log-level: info
        annotations:
          sidecar.istio.io/inject: "true"
      ingester:
        serviceAccount: jaeger-collector
        options:
          log-level: info
        annotations:
          sidecar.istio.io/inject: "true"
      storage:
        type: elasticsearch
        options:
          es:
            log-level: info
            server-urls: https://<domain> 
            usePassword: false
            nodesWanOnly: false
            tls:
              skip-host-verify: true

Thanks!

[dosubot[bot]]

Hey @wmashal! 👋 I'm here to help you with your AWS OpenSearch question. I'm a bot that can assist with bug fixes, answer questions, and help you become a contributor while you wait for a human maintainer.

Currently, Jaeger's Elasticsearch storage configuration supports authentication mechanisms such as TLS with mTLS (client certificate authentication) and bearer token propagation ^[1]. However, there is no specific mention or example in the Jaeger documentation or codebase for using ARN-based authentication with AWS OpenSearch. The existing configuration options primarily focus on basic authentication and bearer token authentication ^[2].

If ARN-based authentication is essential for your deployment, you might need to implement a custom solution or explore using AWS IAM roles in conjunction with other tools or services that can bridge this gap.

To continue talking to Dosu, mention @dosu.