
IAM keys

IAM keys serve multiple purposes in Imply Lumi. You use IAM keys to send events to Imply Lumi or configure federated search from Splunk®.

An IAM key designates permissions for sending or searching events. When used for sending events, it enriches incoming events to Imply Lumi with global and integration-specific attributes.

You can use the same IAM key for multiple applications. To authorize an IAM key for a specific use case, add the integration to the IAM key. When you add the integration, you can set any attributes specific to that integration.

This topic provides reference information on IAM keys. For details on creating and managing IAM keys, see Manage IAM keys.

IAM key descriptors

You can specify the following descriptors when you create an IAM key:

  • Name: Only the name is required to create an IAM key. The name uniquely identifies the IAM key.
  • Description (optional): Description for the IAM key.

When you create an IAM key, Imply Lumi provides the following information associated with the key:

  • ID: A universally unique identifier (UUID) for the IAM key. For example, 7887140b-7707-4845-8aa3-a17095e00000.
  • Token: Credentials associated with the IAM key. For example, 229a2561-0000-0000-0000-bc433de16f89.

Attributes on an IAM key

An IAM key in Imply Lumi can store global attributes as well as integration-specific attributes.

Global attributes apply to all incoming events regardless of integration. You can configure environment and team global attributes on any IAM key. These attributes are system attributes that only apply within the scope of Imply Lumi.

Integration-specific attributes only pertain to the specific integration for which you use the key. You may be able to set IAM key attributes for multiple integrations, but Imply Lumi only enriches events with the attributes pertaining to the application that sends the events.

If user attributes are set on raw events or by upstream agents, those values take precedence over any corresponding attributes on the IAM key. For example, an event that already has the source attribute keeps the value from the event rather than taking the source value on the IAM key.
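The following Python sketch models the enrichment rules described above and records where each final attribute value came from. It is an added example, not Imply Lumi code: the integration labels (`hec`, `s2s`, `s3`), the `sourcetype` attribute, the key layout, and the handling of events that carry their own environment or team are assumptions.

```python
# Added illustration: a model of the enrichment rules described above.
# Not Imply Lumi code; the key layout and integration labels are hypothetical.

GLOBAL_NAMES = ("environment", "team")  # global system attributes named on the page


def enrich(event_attrs, iam_key, sending_integration):
    """Return {name: (value, origin)} for one incoming event.

    origin is "event", "key:<integration>" or "key:global", so a reviewer
    can see which layer supplied each final value.
    """
    # 1. Attributes already on the event (raw or set by an upstream agent) win.
    resolved = {name: (value, "event") for name, value in event_attrs.items()}

    # 2. Only the sending integration's attributes are considered; attributes
    #    stored on the key for other integrations are ignored.
    per_integration = iam_key.get("integrations", {}).get(sending_integration, {})
    for name, value in per_integration.items():
        resolved.setdefault(name, (value, f"key:{sending_integration}"))

    # 3. Global attributes apply regardless of integration.
    #    Assumption: the page does not say what happens when an event itself
    #    carries environment or team; this sketch keeps the key's value.
    for name in GLOBAL_NAMES:
        if name in iam_key.get("global", {}):
            resolved[name] = (iam_key["global"][name], "key:global")
    return resolved


# Constructed sample key; "sourcetype" is a hypothetical integration attribute.
SAMPLE_KEY = {
    "global": {"environment": "prod", "team": "payments"},
    "integrations": {
        "hec": {"source": "hec-default", "sourcetype": "access_combined"},
        "s2s": {"source": "forwarder-default"},
    },
}

if __name__ == "__main__":
    result = enrich({"source": "nginx"}, SAMPLE_KEY, "hec")
    for name, (value, origin) in sorted(result.items()):
        print(f"{name:12} {value:18} {origin}")
```
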

You can set these attributes on the IAM key when you create it, or you can edit an existing key to update its attributes. Follow the steps to update an IAM key.

For more information on attributes, see Event components.

Integrations

This section lists the integrations that require an IAM key. To use an IAM key for a certain integration, add the integration to the key and configure any attributes specific to that integration. For details on creating and managing IAM keys, see Manage IAM keys.

HEC

An IAM key can authenticate requests to send events to Imply Lumi using HEC.

Attributes

To view the attributes you can configure on the IAM key, see Set HEC attributes.

Authentication

To use an IAM key for HEC, you need the IAM key token.

S3 ingest actions

An IAM key can authenticate requests to send events to Imply Lumi using S3 ingest actions.

Attributes

The only attributes on an IAM key that apply to S3 ingest actions are the global system attributes for environment and team.

Authentication

To use an IAM key for S3 ingest actions, you need the following information:

  • Access key ID: IAM key ID
  • Secret access key: IAM key token

Splunk federated search

You can use an IAM key to configure federated search in Splunk.

Attributes

No IAM key attributes pertain to Splunk federated search.

Authentication

To use an IAM key for Splunk federated search, you need the following information:

  • Service account username: IAM key ID
  • Service account password: IAM key token

Splunk S2S

An IAM key can authenticate requests to send events to Imply Lumi using Splunk S2S.

Attributes

To view the attributes you can configure on the IAM key, see Splunk S2S attributes.

Authentication

To use an IAM key for Splunk S2S, you need the IAM key token.