Permissions for aws IAM role for cloudwatch input plugin for telegraf?



I'm trying to make use of an AWS IAM role on my telegraf server to access Cloudwatch input metrics.
Using AWS Linux 2016-09, installed via yum.

If I create a role with minimal permissions, like just accessing Cloudwatch, telegraf fails:

iam role permissions:
"Version": "2012-10-17",
"Statement": [
"Action": [
"Effect": "Allow",
"Resource": "*"

telegraf logs:
2017-04-07T21:39:37Z I! Starting Telegraf (version 1.2.1)
2017-04-07T21:39:37Z I! Loaded outputs: influxdb
2017-04-07T21:39:37Z I! Loaded inputs: inputs.processes inputs.swap inputs.system inputs.disk inputs.kernel inputs.mem inputs.cloudwatch inputs.cpu inputs.diskio
2017-04-07T21:39:37Z I! Tags enabled: host=ip-10-30-17-125
2017-04-07T21:39:37Z I! Agent Config: Interval:10s, Quiet:false, Hostname:"ip-10-30-17-125", Flush Interval:10s
2017-04-07T21:39:40Z E! ERROR in input [inputs.cloudwatch]: AccessDenied: User: arn:aws:sts::awsaccount:assumed-role/influxdb/i-instance is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::awsaccount:role/influxdb
status code: 403, request id: b4931cdd-1bda-11e7-9dcd-c3f867c70393

If I give the IAM role full admin access, it works.
It appears I’m supposed to give the role sts:AssumeRole capabilities.
Any working example IAM roles would be appreciated.
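As an added illustration (not a policy from the original post or from the Telegraf project), here is a least-privilege identity policy shaped around the error above: it grants sts:AssumeRole only on the specific role the plugin tried to assume, and the CloudWatch read calls on "*" (CloudWatch metric APIs do not support resource-level restriction). The account id and role name are the placeholders from the log; the two cloudwatch actions are an assumption about what the input plugin calls, not something the post states.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeOnlyTheTelegrafRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::awsaccount:role/influxdb"
    },
    {
      "Sid": "ReadCloudWatchMetrics",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    }
  ]
}
```

The identity policy alone is not sufficient for STS: the target role's trust policy must also list the calling principal (here the same role, or the account) before the AssumeRole call succeeds, otherwise the 403 in the log persists.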



Hi, did you manage to get this working? I also get an error message, but sadly it's not as descriptive as yours, I just get "E! Error in plugin [inputs.cloudwatch]: AccessDenied: Access denied" and I have "cloudwatch:*" already.