AWS metricbeat config, Access Denied

Hello,

I am trying to configure Metricbeat to collect AWS metrics. I have tried configuring it to use a credential profile and even explicitly setting the access keys inside the yml. It keeps saying I don't have enough permissions to DescribeRegions. I tried giving the user higher permissions, which includes that, and still the same issue. Any help on this would be great. I am also using the latest version of Elastic/Beats.

- module: aws
  period: 1m
  metricsets:
    - elb
    - usage
  access_key_id: ''
  secret_access_key: ''
  credential_profile_name: default
  regions:
    - us-east-1
- module: aws
  period: 5m
  access_key_id: ''
  secret_access_key: ''
  credential_profile_name: default
  metricsets:
    - cloudwatch
  metrics:
    - namespace: AWS/EC2
      #name: ["CPUUtilization", "DiskWriteOps"]
      #dimensions:
      #  - name: InstanceId
      #    value: i-0686946e22cf9494a
      #statistic: ["Average", "Maximum"]
  regions:
    - us-east-1
- module: aws
  period: 5m
  access_key_id: ''
  secret_access_key: ''
  metricsets:
    - ebs
    - ec2
    - sns
    - sqs
    - rds
  regions:
    - us-east-1
- module: aws
  period: 12h
  access_key_id: ''
  secret_access_key: ''
  metricsets:
    - billing
  regions:
    - us-east-1
- module: aws
  period: 24h
  access_key_id: ''
  secret_access_key: ''
  metricsets:
    - s3_daily_storage
    - s3_request

Thanks,
Kenneth

Weird issue, I can send billing metrics no problem but all other resources that require DescribeRegion fail. Could this be a possible bug? I gave my user Ec2FullAccess and also explicitly gave that permission.

Was anyone able to take a look at this?

Hi @kmroz, thanks for posting your question here! Could you by any chance copy your policy JSON file here, please?

You can find it in IAM console on AWS. Here is what mine looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "tag:GetResources",
                "ec2:DescribeInstances",
                "cloudwatch:GetMetricData",
                "ec2:DescribeRegions",
                "iam:ListAccountAliases",
                "sts:GetCallerIdentity",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
        }
    ]
}

Also, if you want to verify that the credentials you use in the shared credential file are good, you can try some basic AWS CLI commands locally, like https://docs.aws.amazon.com/cli/latest/reference/iam/list-account-aliases.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRegions",
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics",
                "tag:getResources",
                "sts:GetCallerIdentity",
                "iam:ListAccountAliases",
                "ec2:DescribeInstances",
                "rds:DescribeDBInstances",
                "sqs:ListQueues"
            ],
            "Resource": "*"
        }
    ]
}

Also, I am able to confirm via the CLI that I can describe regions.
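A way to compare the two policies posted above, as an added example that is not part of the original thread: it checks a policy document for the actions in the working policy, matching action names case-insensitively as IAM does (the second policy spells `tag:getResources` in lower case). The function names, the `CONSTRUCTED_DENY` sample and the reduction to `Effect`/`Action`/`Resource` are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Actions listed in the working policy posted earlier in the thread.
REQUIRED = [
    "tag:GetResources", "ec2:DescribeInstances", "cloudwatch:GetMetricData",
    "ec2:DescribeRegions", "iam:ListAccountAliases", "sts:GetCallerIdentity",
    "cloudwatch:ListMetrics",
]

# The policy posted in reply, with the Action values exactly as written there.
USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": [
        "ec2:DescribeRegions", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
        "tag:getResources", "sts:GetCallerIdentity", "iam:ListAccountAliases",
        "ec2:DescribeInstances", "rds:DescribeDBInstances", "sqs:ListQueues",
    ]}]}

# Constructed sample (not from the thread): wildcard Allow plus an explicit Deny.
CONSTRUCTED_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:DescribeRegions"], "Resource": "*"},
]}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive; "*" and "?" act as wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(policy, required=REQUIRED):
    """Map each required action to "allowed", "denied" or "missing"."""
    allow, deny = [], []
    for stmt in _listify(policy.get("Statement", [])):
        actions = _listify(stmt.get("Action", []))
        if stmt.get("Effect") == "Deny":
            deny += actions   # conservative: any Deny counts, whatever its Resource
        elif stmt.get("Effect") == "Allow" and "*" in _listify(stmt.get("Resource", [])):
            allow += actions  # simplification: only Allow on Resource "*" is counted
    return {a: "denied" if _matches(a, deny)
            else "allowed" if _matches(a, allow) else "missing"
            for a in required}

if __name__ == "__main__":
    for name, doc in (("user policy", USER_POLICY), ("constructed", CONSTRUCTED_DENY)):
        for action, verdict in audit(doc).items():
            print(f"{name:12} {action:28} {verdict}")
```

The check reads only the identity policy text; conditions, `NotAction`, permission boundaries and organization-level policies are outside what it evaluates.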

Thank you!!! The permission seems fine, hmmm. Could you try starting Metricbeat with a config file aws.yml that only includes the ec2 metricset, and copy-paste your whole Metricbeat log here, please?

- module: aws
  period: 5m
  credential_profile_name: <credential-profile-name>
  metricsets:
    - ec2

Thanks again!

  • Kaiyan

1 error: error creating aws metricset: Failed DescribeRegions: UnauthorizedOperation: You are not authorized to perform this operation.

Is the error I have received.

I just downloaded the latest Metricbeat (version 7.6.2) and used config:

- module: aws
  period: 5m
  credential_profile_name: elastic-beats
  metricsets:
    - ec2

I was able to collect metrics from EC2 instances.

When you tested with AWS CLI, what credential did you use? If you copy these credentials directly into the aws.yml config, do you also get the same error?

- module: aws
  period: 5m
  access_key_id: <'access key id'>
  secret_access_key: <'secret access key'>
  session_token: <'if you have a session token'>
  metricsets:
    - ec2

Hey,

Yes, I have tried both pasting in the config and using the profile_name. It gives me the same error.

So, it seems that after doing a daemon-reload, ec2 started to work. I am now running into the issue with S3 saying I need to DescribeRegions.

Weirdly enough, I had to add regions sections to this to get it working. I think I am running now. Thank you.

Oh no... I can't think of anything if the config is right, though, hmmm. I can't reproduce it on my side :frowning_face:

If you run ./metricbeat -e -d '*' to enable debug log, will you be able to see any other information that might be useful?

Ahh great! I didn't see your recent comments! Thanks for letting me know!!

No problem, thanks for helping out!
