Permissions for aws IAM role for cloudwatch input plugin for telegraf?

hi,

I’m trying to use an AWS IAM role on my telegraf server to access Cloudwatch input metrics.
Using AWS Linux 2016-09, installed via yum.

If I create a role with minimal permissions, like just accessing Cloudwatch, telegraf fails:

iam role permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:Get*",
        "cloudwatch:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

telegraf logs:
2017-04-07T21:39:37Z I! Starting Telegraf (version 1.2.1)
2017-04-07T21:39:37Z I! Loaded outputs: influxdb
2017-04-07T21:39:37Z I! Loaded inputs: inputs.processes inputs.swap inputs.system inputs.disk inputs.kernel inputs.mem inputs.cloudwatch inputs.cpu inputs.diskio
2017-04-07T21:39:37Z I! Tags enabled: host=ip-10-30-17-125
2017-04-07T21:39:37Z I! Agent Config: Interval:10s, Quiet:false, Hostname:“ip-10-30-17-125”, Flush Interval:10s
2017-04-07T21:39:40Z E! ERROR in input [inputs.cloudwatch]: AccessDenied: User: arn:aws:sts::awsaccount:assumed-role/influxdb/i-instance is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::awsaccount:role/influxdb
status code: 403, request id: b4931cdd-1bda-11e7-9dcd-c3f867c70393

if I give the IAM role full admin access, it works.
It appears I’m supposed to give the role sts:AssumeRole capabilities.
Any working example IAM roles would be appreciated.

Thanks!

Hi, did you manage to get this working? I also get an error message, but sadly it’s not as descriptive as yours, I just get “E! Error in plugin [inputs.cloudwatch]: AccessDenied: Access denied” and I have “cloudwatch:*” already.

Any solution for this? Not working for me either. Telegraf is failing to assume a role if it does not have Admin privileges. Why does it need Admin privileges to access Cloudwatch metrics?

Hello @Miroslav_Todorovic,
I’m not sure, I’m asking around and I’ll get back to you. Thank you.

To use Cloudwatch, an IAM user needs permissions not only for Cloudwatch itself but also for the other AWS services Cloudwatch collects data from.

This AWS page lists the permissions needed by service. It also has examples of permissions needed. If you are trying to monitor many services, you might want to consider using one of the AWS managed policies such as CloudWatchReadOnlyAccess.
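A small checker that makes the permission question in this thread concrete. It is an added example, not code from Telegraf or from anyone in the thread, and it rests on two assumptions: that the Telegraf cloudwatch input of that era issues cloudwatch:ListMetrics and cloudwatch:GetMetricStatistics, and that the extra sts:AssumeRole call seen in the first post's log only happens when the plugin is configured with a role_arn (the log shows the instance role trying to assume a role of the same name). The policy documents below are constructed for the example; the first one is the policy from the original post. It evaluates Action/NotAction-free Allow and Deny statements with IAM-style wildcards and ignores Resource and Condition, which is enough for cloudwatch:* and sts:* actions that only take "*" as a resource here.

```python
import fnmatch
import json

# Assumption: the Telegraf 1.x cloudwatch input calls these two CloudWatch APIs.
CLOUDWATCH_ACTIONS = ("cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics")
# Assumption: sts:AssumeRole is only exercised when role_arn is set in the plugin.
ASSUME_ROLE_ACTION = "sts:AssumeRole"

# Constructed policy documents (the first is the one posted in the thread).
POSTER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["cloudwatch:Get*", "cloudwatch:List*"], "Effect": "Allow", "Resource": "*"}
  ]
}
""")

FIXED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics"],
     "Effect": "Allow", "Resource": "*"},
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Resource": "arn:aws:iam::123456789012:role/influxdb"}
  ]
}
""")

ADMIN_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*"}]}
""")


def _as_list(value):
    """IAM allows a bare string wherever a list of strings is expected."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, actions):
    """Return the subset of `actions` the policy allows; an explicit Deny wins.

    Only the Action element is evaluated. Resource and Condition are ignored,
    which is acceptable for the CloudWatch read calls and the AssumeRole call
    discussed in the thread, but not a general IAM simulator.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        for action in actions:
            if any(_action_matches(p, action) for p in patterns):
                bucket.add(action)
    return allowed - denied


def missing_actions(policy, role_arn=None):
    """List the actions the Telegraf cloudwatch input needs that the policy lacks.

    role_arn mirrors the plugin option of the same name: when it is set, the
    plugin also has to be allowed to call sts:AssumeRole (a role assuming
    itself additionally needs its trust policy to permit that, which an
    identity policy check like this cannot see).
    """
    required = list(CLOUDWATCH_ACTIONS)
    if role_arn:
        required.append(ASSUME_ROLE_ACTION)
    return sorted(set(required) - allowed_actions(policy, required))


if __name__ == "__main__":
    target = "arn:aws:iam::123456789012:role/influxdb"
    for name, policy in (("poster", POSTER_POLICY), ("fixed", FIXED_POLICY),
                         ("admin", ADMIN_POLICY)):
        print(f"{name:>6} without role_arn: missing {missing_actions(policy)}")
        print(f"{name:>6} with    role_arn: missing {missing_actions(policy, target)}")
```

Run it as a script to see that the posted Get*/List* policy already covers the CloudWatch calls, and that the only thing the admin policy adds for this plugin is sts:AssumeRole. If a role_arn is configured, either drop it (the instance role is used directly) or grant sts:AssumeRole on that specific role and make sure the target role's trust policy lists the caller; there is no need for full admin access.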