Cloudwatch plugin telegraf won't assume role


I am facing a problem with the cloudwatch telegraf plugin: the ec2 instance where telegraf runs fails to assume the role. This is my setup for the telegraf plugin:

```toml
region = "us-east-1"
role_arn = "arn:aws:iam::275695177179:role/FrameTick"
period = '1m'
delay = '5m'
interval = '5m'
namespace = 'AWS/RDS'
```

This is the error I have:

```
E! [inputs.cloudwatch] Error in plugin: AccessDenied: User: arn:aws:sts:xxxxxx:assumed-role/FrameTick/i-02fd2e762c0f08da7 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxx:role/FrameTick
```

I realized that the issue is in the permissions in the IAM policy attached to the telegraf ec2 role, because when I attach the Admin policy to the role, everything works fine. I expect a policy like


should be enough, but it is not.

What does the Admin policy in AWS IAM have, that the cloudwatch:* IAM policy does not have, that allows the telegraf ec2 to assume the role properly and fetch metrics from cloudwatch?

Thank you!
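
The distinction the question turns on, as an added example (not code from the post or from Telegraf): a simplified evaluator for identity-based IAM policies, showing that `cloudwatch:*` matches no `sts:` action while a policy of the same shape as AWS's AdministratorAccess (`Action: "*"`) does. The policy documents are constructed samples; conditions, `NotAction`/`NotResource`, and the target role's trust policy are not modelled.

```python
import re

ROLE_ARN = "arn:aws:iam::275695177179:role/FrameTick"  # role_arn from the post's config

# Constructed sample policies (assumptions, not taken from the post).
CLOUDWATCH_ONLY = {"Statement": [{"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"}]}
ADMIN_SHAPED = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
]}
DENY_STS = {"Statement": [{"Effect": "Deny", "Action": "sts:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None


def decision(policies, action, resource):
    """Identity-based policies only: explicit Deny beats Allow, no match is an implicit deny."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            unsupported = stmt.keys() & {"Condition", "NotAction", "NotResource"}
            if unsupported:
                raise NotImplementedError(f"not modelled: {sorted(unsupported)}")
            # Action names compare case-insensitively; resource ARNs are case-sensitive.
            hit = (any(_glob(a, action, True) for a in _as_list(stmt["Action"]))
                   and any(_glob(r, resource) for r in _as_list(stmt["Resource"])))
            if hit and stmt["Effect"] == "Deny":
                return "Deny"
            allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return "Allow" if allowed else "ImplicitDeny"


def report(policies):
    """Decisions for the two steps in the post: assume the role, then read metrics."""
    return {
        "sts:AssumeRole": decision(policies, "sts:AssumeRole", ROLE_ARN),
        "cloudwatch:GetMetricData": decision(policies, "cloudwatch:GetMetricData", "*"),
    }
```

`report([CLOUDWATCH_ONLY])` gives an implicit deny for `sts:AssumeRole`, which is the decision that surfaces as `AccessDenied`, while `report([SCOPED])` allows both calls without granting `*`.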