Role_arn assumerole fails when endpoint_url is set in cloudwatch OP plugin

Hi
I have the following in the cloudWatch section under Output plugin of Telegraf_api.conf:

region = "us-east-1"
access_key = "XXXXXXXXX"
secret_key = "XXXXXXXXXXXXXXXXX"
role_arn = "arn:aws:iam::XXXXXX:role/kriv-test-role"
endpoint_url = "https://monitoring.us-east-1.amazonaws.com"

But this causes the following error: 2021-02-17T12:04:00Z E! CloudWatch: Unable to write to CloudWatch : InvalidAction: Could not find operation AssumeRole for version 2011-06-15 status code: 400, request id: 9512aa95-6069-4387-8d74-2ede8db8cfaf

If I don’t set the endpoint_url, this error doesn’t occur and the write to CloudWatch succeeds. It looks like the Telegraf conf accepts only one endpoint URL and uses it for both monitoring and STS (AssumeRole). Let me know if some workaround could be done here to support both of these.

Let me know if any more data is required.

Hi,

In the plugin regarding the endpoint url it says:

Endpoint to make request against, the correct endpoint is automatically
determined and this option should only be set if you wish to override the
default.

So I don’t think you need to set the endpoint URL if it’s writing out successfully. Or are you trying to achieve something else using the endpoint_url?

Thanks for the reply.

Yes, what if I need to use a FIPS endpoint or a custom endpoint only for monitoring?
endpoint_url = FIPS - Amazon Web Services (AWS)
monitoring-fips.us-east-1.amazonaws.com

or,

If the endpoint URL is specified (Telegraf intends to use it for monitoring here), why is the STS endpoint (for role_arn) getting messed up here? Why does it fail to use a default URL (based on region code) for STS?

Thanks! Removing the custom endpoint resolved the problem for us when we tried to switch to the assumed role.
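
A config check for the combination reported in this thread, as an added example that is not part of the original posts or of Telegraf: it scans a Telegraf config for `[[outputs.cloudwatch]]` sections that set both `role_arn` and `endpoint_url`. The sample config, the function names and the assumption that this combination is what triggers the AssumeRole error (as the posts above describe) are all introduced here.

```python
import re
from urllib.parse import urlparse

# Constructed sample config; ARNs are placeholders.
SAMPLE_CONF = '''
[[outputs.cloudwatch]]
  region = "us-east-1"
  role_arn = "arn:aws:iam::XXXXXX:role/example-role"
  endpoint_url = "https://monitoring.us-east-1.amazonaws.com"

[[outputs.cloudwatch]]
  region = "us-east-1"
  role_arn = "arn:aws:iam::XXXXXX:role/example-role"

[[outputs.cloudwatch]]
  region = "us-east-1"
  endpoint_url = "https://monitoring-fips.us-east-1.amazonaws.com"
'''

HEADER = re.compile(r'^\s*\[\[?([\w.\-]+)\]?\]')
PAIR = re.compile(r'^\s*([\w\-]+)\s*=\s*"([^"]*)"')


def cloudwatch_sections(text):
    """Yield (start_line, settings) for each [[outputs.cloudwatch]] table."""
    # Simplified scanner for key = "string" pairs, not a full TOML parser.
    current = None
    for number, line in enumerate(text.splitlines(), start=1):
        header = HEADER.match(line)
        if header:
            if current:
                yield current
            current = (number, {}) if header.group(1) == "outputs.cloudwatch" else None
        elif current is not None:
            pair = PAIR.match(line)
            if pair:  # commented-out lines start with '#' and never match
                current[1][pair.group(1)] = pair.group(2)
    if current:
        yield current


def find_conflicts(text):
    """Return (line, endpoint_host, role_arn) where both settings are present."""
    findings = []
    for start, cfg in cloudwatch_sections(text):
        if cfg.get("role_arn") and cfg.get("endpoint_url"):
            host = urlparse(cfg["endpoint_url"].strip()).hostname or ""
            findings.append((start, host, cfg["role_arn"]))
    return findings
```

Each finding gives the line where the section starts, so the section can be reviewed against the workaround confirmed above (removing `endpoint_url` when an assumed role is used).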