IAM keys

AI summary

Explains how Imply Lumi uses IAM keys to authenticate external applications for sending and searching events. Covers key privileges, default attributes, and how they interact with pipelines. Describes when to reuse keys across multiple integrations.

About AI summaries.

Imply Lumi uses Identity and Access Management (IAM) keys for authentication and authorization of external applications to send events to Lumi and to search Lumi data.

When you create an IAM key, Lumi provides the following details associated with the key:

• ID: A universally unique identifier (UUID) for the IAM key.
  For example, 7887140b-7707-4845-8aa3-a17095e00000.
• Token: Credentials associated with the IAM key.
  For example, 229a2561-0000-0000-0000-bc433de16f89.

This topic is designed to help you understand how IAM keys work in Lumi.

info

Lumi doesn't support creating IAM keys for administrative purposes.

Workflow

When you configure an integration in Lumi, you typically go through a workflow like the following:

1. Access the Integrations page and select the integration to configure.
2. Select or create an IAM key.
3. Assign any IAM key attributes.
4. Complete the integration setup.
5. Send or search events.

Understanding how a key works can help you determine if IAM key attributes apply to your use case, how to assign them if so, and whether to create or reuse an IAM key.

IAM key privileges

An IAM key only has access to the integrations that you enable for it. When you create a key from an integration tile, Lumi automatically enables the integration for you. If you create a key from the Keys page, it has no privileges by default and you have to enable the integration you intend to use with it.

You can't use the same key for a different integration until you update the key to enable it.

IAM key attributes

Integrations in Lumi serve one of two purposes: send or search events.

• Integrations for sending events are known as ingestion integrations. IAM key attributes for these integrations can enrich events with system and user attributes. They can also configure how Lumi receives and parses incoming events.

• Integrations for searching events are known as application integrations. IAM key attributes for these integrations can translate user attribute names and limit access to Lumi data from an external application.

IAM key attributes store settings specific to that combination of key and integration. Attributes vary by integration, and some integrations don't use any IAM key attributes.

User attribute defaults

For some ingestion integrations, you can define default values for index, source, and sourcetype. These correlate to the same properties from Splunk® default fields. When you assign these attributes on an IAM key, Lumi creates the user attributes if they don't already exist from on an incoming event.

Overlap with pipelines

You can assign user attributes using a pipeline in addition to, or instead of, setting IAM key attributes. Values set by a pipeline always take precedence. For example, if you set the default source as app1 using an IAM key attribute and also assign source as app2 in a pipeline, the event stores source: app2.

The IAM key attributes are placeholders to use when your forwarding agent or pipeline doesn't explicitly set them. Even if you don't manually configure a pipeline to process events, your events may store or reassign these attributes, since Lumi processes some event types using predefined pipelines. For any predefined pipeline, you can view its definition or disable it.

Use a pipeline if you want to ensure specific values for the user attributes. With a pipeline, you can also transform your data, filter a subset of events to process, or enrich events from an integration that doesn't have IAM key attributes. You might not need a pipeline if you can set the desired user attributes using an IAM key and don't need other pipeline operations.

For more guidance on when to use IAM key attributes or pipelines, see Selection criteria.

Reusing an IAM key

You can reuse an IAM key with multiple integrations. For example, you can use the same IAM key to send data using Splunk HEC as well as authenticate Splunk federated search.

Take note of the following details when reusing an IAM key:

• You can only set up one federated provider per IAM key for Splunk federated search.
• When you use an IAM key for multiple ingestion integrations, they all apply the same global attributes, which enrich events with the system attributes env and team.
• HEC attributes and S3 pull attributes both have default options for index, source, and source type. However, these two sets of attributes are independent and can have different sets of values on the same key.

Learn more

For more information, see the following topics:

• Manage IAM keys to learn how to create and manage an IAM key.
• IAM key attribute reference for a list of integration attributes.
• Event model to learn about user attributes.
• Send events to Lumi for integrations to send events.
• Search Lumi events for integrations to search events.