IAM keys

IAM keys serve multiple purposes in Imply Lumi. You use IAM keys to send events to Imply Lumi or configure federated search from Splunk®.

An IAM key designates permissions for sending or searching events. When used for sending events, it enriches incoming events to Imply Lumi with global and integration-specific attributes.

You can use the same IAM key for multiple applications. If you assign integration-specific attributes on an IAM key, the attributes only apply when you use the key for that integration.

This topic provides reference information on IAM keys. For details on creating and managing IAM keys, see Manage IAM keys.

IAM key descriptors

You can specify the following descriptors when you create an IAM key:

  • Name: Only the name is required to create an IAM key. The name uniquely identifies the IAM key.
  • Description (optional): Description for the IAM key.

When you create an IAM key, Imply Lumi provides the following information associated with the key:

  • ID: A universally unique identifier (UUID) for the IAM key. For example, 7887140b-7707-4845-8aa3-a17095e00000.
  • Token: Credentials associated with the IAM key. For example, 229a2561-0000-0000-0000-bc433de16f89.

Attributes on an IAM key

An IAM key in Imply Lumi can store global attributes as well as integration-specific attributes.

Global attributes apply to all incoming events regardless of integration. You can configure environment and team global attributes on any IAM key. These attributes are system attributes that only apply within the scope of Imply Lumi.

Integration-specific attributes only pertain to the specific integration for which you use the key. You may be able to set IAM key attributes for multiple integrations, but Imply Lumi only enriches events with the attributes pertaining to the application that sends the events.

If user attributes are set on raw events or by upstream agents, those values take precedence over any corresponding attributes on the IAM key. For example, an event that already has the source attribute keeps the value from the event rather than being enriched with the source value on the IAM key.

You can set these attributes on the IAM key when you create it, or you can edit an existing key to update its attributes. Follow the steps to update an IAM key.

For more information on event attributes, see Event components.
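
The precedence rules in this section, written out as a small model. This is an added example, not Imply Lumi code: the flat name-to-value layout, the integration labels (`hec`, `splunk_tcp`, `s3_ingest_actions`), the treatment of `source` as an integration-specific attribute, and the sample values are assumptions made for illustration.

```python
# Model of the enrichment precedence described on this page.
# Not Imply Lumi code: data layout and integration labels are assumptions.

GLOBAL_ATTRIBUTES = ("environment", "team")  # global attributes named on the page


def enrich(event_attrs, iam_key, integration):
    """Return the attributes an event carries after IAM key enrichment."""
    resolved = {}
    # 1. Global attributes apply regardless of the sending integration.
    for name in GLOBAL_ATTRIBUTES:
        if name in iam_key.get("global", {}):
            resolved[name] = iam_key["global"][name]
    # 2. Only the sending integration's attributes apply; attributes stored
    #    on the key for other integrations are ignored.
    resolved.update(iam_key.get("integrations", {}).get(integration, {}))
    # 3. Values set on the raw event or by an upstream agent take precedence.
    resolved.update(event_attrs)
    return resolved


def overridden(event_attrs, iam_key, integration):
    """Attribute names where the event replaced a different value from the key."""
    from_key = enrich({}, iam_key, integration)
    return sorted(
        name for name, value in event_attrs.items()
        if name in from_key and from_key[name] != value
    )


# Constructed sample: one IAM key shared by two integrations.
SAMPLE_KEY = {
    "global": {"environment": "prod", "team": "payments"},
    "integrations": {
        "hec": {"source": "hec-default"},
        "splunk_tcp": {"source": "forwarder-default"},
    },
}

if __name__ == "__main__":
    print(enrich({}, SAMPLE_KEY, "hec"))                   # key values only
    print(enrich({"source": "nginx"}, SAMPLE_KEY, "hec"))  # event value wins
    print(enrich({}, SAMPLE_KEY, "s3_ingest_actions"))     # global attributes only
    print(overridden({"source": "nginx"}, SAMPLE_KEY, "hec"))
```

The `overridden` helper is a review aid: it lists the attributes whose final value came from the sender rather than from the IAM key.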

Applications

This section lists details specific to each application that uses an IAM key from Imply Lumi.

HEC

An IAM key can authenticate requests to send events to Imply Lumi using HEC.

Attributes

To view the attributes you can configure on the IAM key, see Set HEC attributes.

Authentication

For HEC, you need the following information from the IAM key:

  • Token: IAM key token

S3 ingest actions

An IAM key can authenticate requests to send events to Imply Lumi using S3 ingest actions.

Attributes

The only attributes on an IAM key that apply to S3 ingest actions are the global system attributes for environment and team.

Authentication

For S3 ingest actions, you need the following information from the IAM key:

  • Access key ID: IAM key ID
  • Secret access key: IAM key token

Splunk federated search

You can use an IAM key to configure federated search in Splunk.

Attributes

There are no IAM key attributes that pertain to Splunk federated search.

Authentication

For Splunk federated search, you need the following information from the IAM key:

  • Service account username: IAM key ID
  • Service account password: IAM key token

Splunk TCP

An IAM key can authenticate requests to send events to Imply Lumi using Splunk TCP.

Attributes

To view the attributes you can configure on the IAM key, see Splunk TCP attributes.

Authentication

For Splunk TCP, you need the following information from the IAM key:

  • Token: IAM key token