Skip to content

Overview

Tenzir integrates with the services from Amazon Web Services (AWS) listed below.

Configuration

Section titled “Configuration”

To interact with AWS services, you need to provide appropriate credentials.

Inline credentials

Section titled “Inline credentials”

All AWS operators support an aws_iam parameter for specifying credentials directly in the pipeline:

load_sqs "my-queue", aws_iam={
  region: "us-east-1",
  access_key_id: "AKIAIOSFODNN7EXAMPLE",
  secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

You can also use the aws_iam parameter to assume an IAM role:

load_s3 "s3://my-bucket/data.json", aws_iam={
  assume_role: "arn:aws:iam::123456789012:role/MyRole",
  session_name: "tenzir-session"
}

Web identity authentication

Section titled “Web identity authentication”

For cross-cloud authentication, you can use OIDC tokens from external identity providers like Azure, Google Cloud, or custom OIDC endpoints. This approach uses the AWS AssumeRoleWithWebIdentity API to exchange an OIDC token for temporary AWS credentials.

load_s3 "s3://my-bucket/data.json", aws_iam={
  region: "us-east-1",
  assume_role: "arn:aws:iam::123456789012:role/CrossCloudRole",
  web_identity: {
    token_file: "/var/run/secrets/tokens/aws-token"
  }
}

The web_identity option supports three token sources:

  • token_file: Path to a file containing the JWT token. This is standard for Kubernetes workload identity where the platform mounts a service account token into the pod.

  • token_endpoint: Configuration for fetching tokens from an HTTP endpoint. Contains url, optional headers, and optional path for JSON extraction. Use this for Azure IMDS or similar metadata services.

  • token: Direct token value for testing or when tokens come from another source.

Credentials automatically refresh before expiration, making this suitable for long-running pipelines.

Default credential chain

Section titled “Default credential chain”

If no aws_iam parameter is specified, operators use AWS’s default credentials provider chain.

Make sure to configure AWS credentials for the same user account that runs tenzir and tenzir-node. The AWS CLI creates configuration files for the current user under ~/.aws, which can only be read by the same user account.

The tenzir-node systemd unit by default creates a tenzir user and runs as that user, meaning that the AWS credentials must also be configured for that user. The directory ~/.aws must be readable for the tenzir user.

Last updated: