IAM keys
IAM keys serve multiple purposes in Imply Lumi. You use IAM keys to send events to Imply Lumi or configure federated search from Splunk®.
An IAM key designates permissions for sending or searching events. When used for sending events, it enriches incoming events to Imply Lumi with global and integration-specific attributes.
You can use the same IAM key for multiple applications. To authorize an IAM key for a specific use case, add the integration to the IAM key. When you add the integration, you can set any attributes specific to that integration.
This topic provides reference information on IAM keys. For details on creating and managing IAM keys, see Manage IAM keys.
IAM key descriptors
You can specify the following descriptors when you create an IAM key:
- Name: Only the name is required to create an IAM key. The name uniquely identifies the IAM key.
- Description (optional): Description for the IAM key.
When you create an IAM key, Imply Lumi provides the following information associated with the key:
- ID: A universally unique identifier (UUID) for the IAM key. For example,
7887140b-7707-4845-8aa3-a17095e00000
. - Token: Credentials associated with the IAM key. For example,
229a2561-0000-0000-0000-bc433de16f89
.
Attributes on an IAM key
An IAM key in Imply Lumi can store global attributes as well as integration-specific attributes.
Global attributes apply to all incoming events regardless of integration. You can configure environment and team global attributes on any IAM key. These attributes are system attributes that only apply within the scope of Imply Lumi.
Integration-specific attributes only pertain to the specific integration for which you use the key. You may be able to set IAM key attributes for multiple integrations, but Imply Lumi only enriches events with the attributes pertaining to the application that sends the events.
If you set user attributes on raw events or by upstream agents, those values take precedence over any corresponding attributes on the IAM key.
For example, an event that has the source
attribute will be enriched with the value from the event, rather than the source
value on the IAM key.
You can set these attributes on the IAM key when you create it, or you can edit an existing key to update its attributes. Follow the steps to update an IAM key.
For more information on attributes, see Event components.
Integrations
This section lists the integrations that require an IAM key. To use an IAM key for a certain integration, add the integration to the key and configure any attributes specific to that integration. For details on creating and managing IAM keys, see Manage IAM keys.
HEC
An IAM key can authenticate requests to send events to Imply Lumi using HEC.
Attributes
To view the attributes you can configure on the IAM key, see Set HEC attributes.
Authentication
To use an IAM key for HEC, you need the IAM key token.
S3 ingest actions
An IAM key can authenticate requests to send events to Imply Lumi using S3 ingest actions.
Attributes
The only attributes on an IAM key that apply to S3 ingest actions are the global system attributes for environment and team.
Authentication
To use an IAM key for S3 ingest actions, you need the following information:
- Access key ID: IAM key ID
- Secret access key: IAM key token
Splunk federated search
You can use an IAM key to configure federated search in Splunk.
Attributes
No IAM key attributes pertain to Splunk federated search.
Authentication
To use an IAM key for Splunk federated search, you need the following information:
- Service account username: IAM key ID
- Service account password: IAM key token
Splunk S2S
An IAM key can authenticate requests to send events to Imply Lumi using Splunk S2S.
Attributes
To view the attributes you can configure on the IAM key, see Splunk S2S attributes.
Authentication
To use an IAM key for Splunk S2S, you need the IAM key token.