Permissions for aws IAM role for cloudwatch input plugin for telegraf?

qwerty · April 10, 2017, 10:01pm

hi,

I’m trying to make use an AWS IAM role on my telegraf server to access Cloudwatch input metrics.
Using AWS Linux 2016-09, installed via yum.

If I create a role with minimal permissions, like just accessing Cloudwatch, telegraf fails:

iam role permissions:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Action”: [
“cloudwatch:Get*”,
“cloudwatch:List*”
],
“Effect”: “Allow”,
“Resource”: “*”
}
]
}

telegraf logs:
2017-04-07T21:39:37Z I! Starting Telegraf (version 1.2.1)
2017-04-07T21:39:37Z I! Loaded outputs: influxdb
2017-04-07T21:39:37Z I! Loaded inputs: inputs.processes inputs.swap inputs.system inputs.disk inputs.kernel inputs.mem inputs.cloud
watch inputs.cpu inputs.diskio
2017-04-07T21:39:37Z I! Tags enabled: host=ip-10-30-17-125
2017-04-07T21:39:37Z I! Agent Config: Interval:10s, Quiet:false, Hostname:“ip-10-30-17-125”, Flush Interval:10s
2017-04-07T21:39:40Z E! ERROR in input [inputs.cloudwatch]: AccessDenied: User: arn:aws:sts::awsaccount:assumed-role/influxdb/i-instance is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::awsaccount:role/influxdb
status code: 403, request id: b4931cdd-1bda-11e7-9dcd-c3f867c70393

if I give the IAM role full admin access, it works.
It appears I’m supposed to give the role sts:AssumeRole capabilities.
Any working example IAM roles would be appreciated.

Thanks!

ingoclaro · January 18, 2019, 6:45pm

Hi, did you manage to get this working? I also get an error message, but sadly it’s not as descriptive as yours, I just get “E! Error in plugin [inputs.cloudwatch]: AccessDenied: Access denied” and I have “cloudwatch:*” already.

Miroslav_Todorovic · October 1, 2020, 12:25pm

Any solution for this? Not working for me as well. Telegraf is failing to assume a role if it does not have Admin privilege. Why it needs Admin privilege to access cloudwatch metrics?

Anaisdg · October 9, 2020, 3:32pm

Hello @Miroslav_Todorovic,
I’m not sure, I’m asking around and I’ll get back to you. Thank you.

reimda · October 12, 2020, 4:34pm

To use Cloudwatch, an IAM user needs permissions to Cloudwatch itself but also to the other AWS services Cloudwatch collects data from.

This AWS page lists the permissions needed by service. It also has examples of permissions needed. If you are trying to monitor many services, you might want to consider using one of the AWS managed policies such as CloudWatchReadOnlyAccess.

Topic		Replies	Views
Cloudwatch plugin telegraf wont assume role	0	419	October 2, 2020
Telegraf inputs.cloudwatch plugin assume role issue telegraf	0	488	October 1, 2020
Telegraf running inside a docker container outputs to CloudWatch - Need Help telegraf	5	1523	April 5, 2017
AWS Cloudwatch Telegraf Telegraf telegraf	12	1726	May 3, 2019
Telegraf cloudwatch input plugin seems to be recording incorrect timestamps in influx Telegraf telegraf	3	1082	April 26, 2018

Permissions for aws IAM role for cloudwatch input plugin for telegraf?

Related topics