Add credential_process support for AWS credentials on Windows #11399

@jasonp0

Currently, Fluent Bit's AWS credential provider chain on Windows only supports:

- Environment variables
- Static credentials in shared credentials file (aws_access_key_id, aws_secret_access_key, aws_session_token)

The credential_process setting in the AWS config file is documented as "Linux only."

Use case:
AWS AppStream 2.0 / WorkSpaces Applications streaming instances expose IAM role credentials via a profile (appstream_machine_role) that uses credential_process to fetch rotating temporary credentials. These credentials rotate hourly.

Without credential_process support on Windows, Fluent Bit cannot consume these credentials, making it impractical to use Fluent Bit for direct-to-Firehose or direct-to-S3 log shipping from AppStream/WorkSpaces Applications environments. The only workaround is to use CloudWatch Agent (which supports this) and route through CloudWatch Logs, adding significant cost ($0.50/GB ingestion).

Requested behavior:
Support credential_process in the shared config file on Windows, equivalent to the existing Linux implementation. This would allow Fluent Bit to invoke an external process to retrieve credentials, enabling compatibility with AWS services that use this pattern.

Environment:

- Windows Server 2019/2022/2025
- AWS WorkSpaces Applications/AppStream 2.0
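
An added example, not part of the issue and not Fluent Bit code: a minimal Python consumer of the credential_process contract the request refers to, showing output validation, a no-shell bounded invocation, and the refresh decision that hourly rotation requires. The JSON field names follow the AWS-documented credential_process output; the sample values, the stand-in command, the function names and the five-minute refresh margin are assumptions.

```python
import json
import subprocess
import sys
from datetime import datetime, timedelta

# Constructed sample of what a credential_process command prints on stdout.
SAMPLE_OUTPUT = json.dumps({
    "Version": 1, "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-secret-not-real",
    "SessionToken": "constructed-token-not-real",
    "Expiration": "2030-01-01T12:00:00Z",
})
# Assumed stand-in for the real helper: a child process that prints the sample.
STAND_IN_COMMAND = [sys.executable, "-c",
                    "import sys; sys.stdout.write(%r)" % SAMPLE_OUTPUT]

def parse_output(raw):
    """Validate credential_process JSON; never log the returned values."""
    doc = json.loads(raw)
    if doc.get("Version") != 1:
        raise ValueError("unsupported credential_process Version")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not doc.get(key):
            raise ValueError("missing " + key)
    expiry = doc.get("Expiration")  # absent means long-lived credentials
    if expiry is not None:
        expiry = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            raise ValueError("Expiration must carry a UTC offset")
    return {"access_key_id": doc["AccessKeyId"], "expiration": expiry,
            "secret_access_key": doc["SecretAccessKey"],
            "session_token": doc.get("SessionToken")}

def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """True once `now` is within `margin` of expiry, so the helper is re-run."""
    exp = creds["expiration"]
    return exp is not None and now >= exp - margin

def run_credential_process(argv, timeout=10):
    """Run the helper as an argv list (no shell), bounded by a timeout."""
    done = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=True)
    return parse_output(done.stdout)

def demo():
    creds = run_credential_process(STAND_IN_COMMAND)
    exp = creds["expiration"]
    return (needs_refresh(creds, exp - timedelta(minutes=30)),
            needs_refresh(creds, exp - timedelta(minutes=2)))
```
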
