I am facing a problem with the Telegraf CloudWatch plugin when the EC2 instance where Telegraf runs fails to assume a role. This is my setup for the Telegraf plugin:
    region = "us-east-1"
    role_arn = "arn:aws:iam::275695177179:role/FrameTick"
    period = '1m'
    delay = '5m'
    interval = '5m'
    namespace = 'AWS/RDS'
This is the error I have:
    E! [inputs.cloudwatch] Error in plugin: AccessDenied: User: arn:aws:sts:xxxxxx:assumed-role/FrameTick/i-02fd2e762c0f08da7 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxx:role/FrameTick
I realized that the issue is in the permissions of the IAM policy attached to the Telegraf EC2 role, because when I attach the Admin policy to the role, everything works fine. I expect a policy like
should be enough, but it is not.
What does the Admin policy in AWS IAM have, that cloudwatch:* does not, that allows the Telegraf EC2 instance to assume the role properly and fetch metrics from CloudWatch?
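The error in the question is an identity-policy decision: the instance's credentials are being asked to call `sts:AssumeRole` on the `FrameTick` role, and a policy that only grants `cloudwatch:*` never matches that action. The script below is an added example (not from the question, and not Telegraf's or AWS's code): it embeds two constructed policy documents, the CloudWatch-only policy the question describes and the same policy with one extra statement granting `sts:AssumeRole` on the specific target role, and runs a deliberately simplified IAM evaluator over them (explicit Deny wins, then any matching Allow, otherwise implicit deny; conditions, `NotAction`, and resource-based policies are ignored). The account id `123456789012` is a placeholder, not the one from the question.

```python
import fnmatch
import json

# Placeholder account id; the role name comes from the question's error message.
ROLE_ARN = "arn:aws:iam::123456789012:role/FrameTick"

# Constructed sample: the kind of policy the question describes (CloudWatch only).
CLOUDWATCH_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
    ],
}

# Constructed sample: same policy plus the one statement the AccessDenied
# message asks for, scoped to the single role rather than "*".
CLOUDWATCH_PLUS_ASSUME = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
    ],
}

# Constructed sample: an AdministratorAccess-style policy, which matches every
# action on every resource and therefore also covers sts:AssumeRole.
ADMIN_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM action and ARN matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def policy_allows(policy, action, resource):
    """Simplified identity-policy evaluation (hypothetical helper, not the real
    IAM engine): explicit Deny wins, then any matching Allow, else denied."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(
            _matches(p, resource) for p in _as_list(stmt.get("Resource", "*"))
        )
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume_frametick(policy):
    """The exact check the instance role failed in the question's log line."""
    return policy_allows(policy, "sts:AssumeRole", ROLE_ARN)


if __name__ == "__main__":
    for name, policy in [
        ("cloudwatch:* only", CLOUDWATCH_ONLY),
        ("cloudwatch:* + sts:AssumeRole", CLOUDWATCH_PLUS_ASSUME),
        ("admin-like", ADMIN_LIKE),
    ]:
        print(f"{name:32} sts:AssumeRole on FrameTick -> {can_assume_frametick(policy)}")
    print(json.dumps(CLOUDWATCH_PLUS_ASSUME["Statement"][1], indent=2))
```

Because the poster reports that attaching the Admin policy makes everything work, the role's trust policy already admits the instance role; what the `cloudwatch:*`-only policy lacks is the identity-side grant shown in the second statement. Scoping that statement's `Resource` to the one role ARN keeps the instance role from assuming anything else in the account.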