Permissions for aws IAM role for cloudwatch input plugin for telegraf?

#1

hi,

I’m trying to make use an AWS IAM role on my telegraf server to access Cloudwatch input metrics.
Using AWS Linux 2016-09, installed via yum.

If I create a role with minimal permissions, like just accessing Cloudwatch, telegraf fails:

iam role permissions:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Action”: [
“cloudwatch:Get*”,
“cloudwatch:List*”
],
“Effect”: “Allow”,
“Resource”: “*”
}
]
}

telegraf logs:
2017-04-07T21:39:37Z I! Starting Telegraf (version 1.2.1)
2017-04-07T21:39:37Z I! Loaded outputs: influxdb
2017-04-07T21:39:37Z I! Loaded inputs: inputs.processes inputs.swap inputs.system inputs.disk inputs.kernel inputs.mem inputs.cloud
watch inputs.cpu inputs.diskio
2017-04-07T21:39:37Z I! Tags enabled: host=ip-10-30-17-125
2017-04-07T21:39:37Z I! Agent Config: Interval:10s, Quiet:false, Hostname:“ip-10-30-17-125”, Flush Interval:10s
2017-04-07T21:39:40Z E! ERROR in input [inputs.cloudwatch]: AccessDenied: User: arn:aws:sts::awsaccount:assumed-role/influxdb/i-instance is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::awsaccount:role/influxdb
status code: 403, request id: b4931cdd-1bda-11e7-9dcd-c3f867c70393

if I give the IAM role full admin access, it works.
It appears I’m supposed to give the role sts:AssumeRole capabilities.
Any working example IAM roles would be appreciated.

Thanks!

#2

Hi, did you manage to get this working? I also get an error message, but sadly it’s not as descriptive as yours, I just get “E! Error in plugin [inputs.cloudwatch]: AccessDenied: Access denied” and I have “cloudwatch:*” already.