[Kubernetes]: AWS authentication variables not declared in audit_logs manifest

[andrewkroh]

Integration Name

Kubernetes [kubernetes]

Dataset Name

kubernetes.audit_logs

Integration Version

1.84.0

Agent Version

N/A (configuration issue)

Agent Output Type

elasticsearch

Elasticsearch Version

N/A (configuration issue)

OS Version and Architecture

N/A (affects all platforms)

Software/API Version

AWS EKS (all versions)

Error Message

N/A - Configuration validation issue

Event Original

N/A

What did you do?

Reviewed the Kubernetes integration's audit_logs data stream configuration for the aws-cloudwatch input. The Handlebars template file references AWS authentication variables that are not declared in the manifest.

Template file: packages/kubernetes/data_stream/audit_logs/agent/stream/aws-cloudwatch.yml.hbs

Manifest file: packages/kubernetes/data_stream/audit_logs/manifest.yml

What did you see?

The template file (aws-cloudwatch.yml.hbs) references the following AWS authentication variables on lines 63-89:

• credential_profile_name (line 64)
• shared_credential_file (line 67)
• api_timeout (line 70)
• default_region (line 73)
• access_key_id (line 76)
• secret_access_key (line 79)
• session_token (line 82)
• role_arn (line 84)
• proxy_url (line 88)

None of these variables are declared in the manifest file (manifest.yml), which only defines CloudWatch-specific variables like log_group_arn, log_group_name, etc.

What did you expect to see?

According to the project's best practices:

Variables referenced in Handlebars must be declared in manifests: Check that any variable referenced in the Handlebars template is declared in the package's manifest. Any undeclared variable is definitely an error.

All variables used in the Handlebars template should be properly declared in the manifest file with appropriate metadata (type, title, description, show_user, required, secret flags, etc.).

This is particularly important for:

• role_arn - Critical for IAM role assumption in cross-account or restricted access scenarios
• access_key_id and secret_access_key - Should be marked as secret: true
• Other AWS authentication configuration options

Users currently cannot configure these AWS authentication options through the Fleet UI, which limits the integration's usability for common AWS authentication patterns.

Anything else?

Impact:

• Users cannot configure IAM role assumption (role_arn) for cross-account access or pod-level IAM roles
• Users cannot configure alternative AWS credential methods
• The integration works only with default AWS credential chain, limiting deployment flexibility

Recommended Fix:
Add proper variable declarations to the manifest file for all AWS authentication variables, following the patterns used in other AWS integrations in this repository. Variables like access_key_id, secret_access_key, and session_token should be marked with secret: true.

Related Package: @elastic/obs-ds-hosted-services (per CODEOWNERS)

[github-actions]

Claude finished @andrewkroh's task in 2m 49s —— View job

---

Analysis Complete

TL;DR: The issue is confirmed. The Kubernetes audit_logs data stream for the aws-cloudwatch input references 9 AWS authentication variables in the template that are not declared anywhere in the manifest hierarchy. This prevents users from configuring AWS authentication through the Fleet UI when collecting EKS audit logs via CloudWatch.

---

Recommendation

Add AWS authentication variables to the Kubernetes package-level manifest (packages/kubernetes/manifest.yml) similar to how aws_logs package handles them. This ensures:

1. All variables referenced in the template are declared
2. Variables are reusable if other data streams need AWS authentication
3. Consistent pattern with other AWS-related integrations

---

Findings

Confirmed Missing Variables

The template file aws-cloudwatch.yml.hbs references these undeclared variables:

Variable	Line	Secret?	Notes
credential_profile_name	64	No	Credential profile name
shared_credential_file	67	No	Path to credentials file
api_timeout	70	No	API timeout setting
default_region	73	No	Default AWS region
access_key_id	76	Yes	AWS access key
secret_access_key	79	Yes	AWS secret key
session_token	82	Yes	AWS session token
role_arn	84	No	IAM role for assumption
proxy_url	88	No	Proxy URL

Bug Origin

The bug was introduced in PR #14554 (commit f90519beee, August 2025), which added cloud provider support for audit logs. The template included AWS variable references, but the manifest declarations were never added.

Pattern Analysis

• AWS package (packages/aws/manifest.yml:35-97): Declares AWS auth vars at package level
• aws_logs package (packages/aws_logs/manifest.yml:31-94): Declares AWS auth vars at package level
• Kubernetes package (packages/kubernetes/manifest.yml): No AWS auth vars declared anywhere

Additional Finding: api_timeput Typo

The manifest at line 87 has api_timeput instead of api_timeout. However, this typo exists in 19 other files across the repository and appears to be a pre-existing widespread issue (separate from this bug).

Detailed Action Plan

Step 1: Add AWS authentication variables to Kubernetes package manifest

Edit packages/kubernetes/manifest.yml to add package-level vars section (after line 23, before policy_templates):

vars:
  - name: shared_credential_file
    type: text
    title: Shared Credential File
    multi: false
    required: false
    show_user: false
    description: Directory of the shared credentials file
  - name: credential_profile_name
    type: text
    title: Credential Profile Name
    multi: false
    required: false
    show_user: false
  - name: access_key_id
    type: password
    title: Access Key ID
    secret: true
    multi: false
    required: false
    show_user: true
  - name: secret_access_key
    type: password
    title: Secret Access Key
    secret: true
    multi: false
    required: false
    show_user: true
  - name: session_token
    type: password
    title: Session Token
    secret: true
    multi: false
    required: false
    show_user: true
  - name: role_arn
    type: text
    title: Role ARN
    multi: false
    required: false
    show_user: false
    description: ARN of the IAM role to assume when collecting logs
  - name: default_region
    type: text
    title: Default AWS Region
    multi: false
    required: false
    show_user: false
    default: ""
    description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile.
  - name: proxy_url
    type: text
    title: Proxy URL
    multi: false
    required: false
    show_user: false
    description: URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>

Step 2: Fix the api_timeout variable declaration

In packages/kubernetes/data_stream/audit_logs/manifest.yml, change line 87 from:

      - name: api_timeput

to:

      - name: api_timeout

Step 3: Update the changelog

Add an entry to packages/kubernetes/changelog.yml:

- version: "1.85.0"
  changes:
    - description: Add AWS authentication variables for CloudWatch input in audit_logs
      type: bugfix
      link: https://github.com/elastic/integrations/issues/17196

Step 4: Run validation

cd packages/kubernetes
elastic-package check
elastic-package build

Step 5: Test the integration

Verify the variables appear in Fleet UI when configuring the aws-cloudwatch input for audit_logs.

---

Related Issues and Pull Requests

Repository	Issue or PR	Relevance
elastic/integrations	#14554 - Kubernetes.audit_logs: add support for cloud providers	Introduced the bug - added template with AWS vars but omitted manifest declarations
elastic/integrations	#5799 - Create a new datastream for Ingesting EKS Audit Logs	Original feature request that led to PR #14554

Related Files

Repository	File	Relevance	Sections
elastic/integrations	aws-cloudwatch.yml.hbs	Template file referencing undeclared AWS variables	63-89
elastic/integrations	audit_logs manifest.yml	Data stream manifest missing AWS variable declarations	14-136
elastic/integrations	kubernetes manifest.yml	Package manifest where AWS vars should be added	242-269
elastic/integrations	aws_logs manifest.yml	Reference implementation for AWS auth var declarations	31-94
elastic/integrations	aws manifest.yml	Another reference for AWS auth variable patterns	35-97

Related Webpages

Name	URL	Relevance
Variables referenced in Handlebars must be declared in manifests	https://github.com/elastic/integrations/wiki/Fleet-Package-Code-Review-Comments#variables-referenced-in-handlebars-must-be-declared-in-manifests	Project best practice documenting this requirement

---

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[andrewkroh]

@claude Implement the fixes that you outlined and open a PR.

[github-actions]

Claude finished @andrewkroh's task in 2m 5s —— View job • claude/issue-17196-20260202-1622 • Create PR ➔

---

Implementation Complete

• Read repository guidelines (CLAUDE.md)
• Read current manifest files to understand structure
• Add AWS authentication variables to Kubernetes package manifest
• Fix api_timeput typo in audit_logs manifest
• Update changelog
• Run validation with elastic-package check
• Commit and push changes
• Create PR

Summary

Successfully implemented the fixes for the missing AWS authentication variables in the Kubernetes integration's audit_logs data stream:

Changes made:

1. Added AWS authentication variables to packages/kubernetes/manifest.yml at the package level:

   • shared_credential_file - Directory of the shared credentials file
   • credential_profile_name - Credential profile name
   • access_key_id - AWS access key (marked as secret)
   • secret_access_key - AWS secret key (marked as secret)
   • session_token - AWS session token (marked as secret)
   • role_arn - IAM role ARN for role assumption
   • default_region - Default AWS region
   • proxy_url - Proxy URL for connections

2. Fixed typo in packages/kubernetes/data_stream/audit_logs/manifest.yml:

   • Changed api_timeput to api_timeout (line 87)

3. Updated changelog and bumped version to 1.85.0

4. Validation passed with elastic-package check

--- |

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.