Metricbeat connecting to AWS reporting Failed DescribeRegions

Hi again everyone,
I installed the aws module for metricbeat with the following configuration:
# Module: aws
# Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.4/metricbeat-module-aws.html

- module: aws
  period: 300s
  metricsets:
    - cloudwatch
  access_key_id: '${AWS_ACCESS_KEY_ID:""}'
  secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
  metrics:
    - namespace: AWS/EC2
      name: ["CPUUtilization", "DiskWriteOps"]
      tags.resource_type_filter: ec2:instance
      dimensions:
        - name: InstanceId
          value: i-091a26785c02342bc
      statistic: ["Average", "Maximum"]

The key id and the secret key env vars are in the .bashrc file and are correctly set. Those keys are for a user created in IAM with a policy with the following permissions:

I followed the tutorial in:
https://www.elastic.co/guide/en/beats/metricbeat/master/metricbeat-module-aws.html

But when I do:
metricbeat setup
metricbeat -e

I get the following error:

Exiting: 1 error: error creating aws metricset: Failed DescribeRegions: EC2RoleRequestError: no EC2 instance role found

caused by: EC2MetadataError: failed to make Client request
caused by:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <title>404 - Not Found</title>
</head>

<body>
    <h1>404 - Not Found</h1>
</body>

</html>

Am I doing something wrong?

Thank you very much.

Hello! Thanks for posting here. Failed DescribeRegions usually means something wrong with the credentials (probably I need to fix this with better error messages).

First question I have is, do you need a session_token for your aws credential? For example, if you have MFA set up, then you need to use the temporary token to generate a new set of access key, secret access key and session token.

If you have aws-cli set up locally, you can try to make some basic aws api calls with the credential you have to see if the credentials are valid.

Hmmm, good question. I'm reviewing the user. I created a new one just for metricbeat. With the roles I mentioned above. Also, the user has no password nor MFA. Only the access keys. This is the user configuration:

I made a policy simulation in IAM and the DescribeRegions worked fine. You mean that maybe I need to configure in the aws.yaml file both the access_key and the session_token vars?

I'll try to set up aws-cli to use those credentials and see if it works. Thank you!

Quick update. I configured the AWS cli with the same keys as in metricbeat, ran the command aws ec2 describe-regions and got the following output:

{
    "Regions": [
        {
            "OptInStatus": "opt-in-not-required",
            "Endpoint": "ec2.eu-north-1.amazonaws.com",
            "RegionName": "eu-north-1"
        },
        ...
    ]
}

With the same OptInStatus in every region.

Don't know if I'm doing anything wrong or if I can get more info about what is happening with metricbeat.

Sorry for the late response. Thanks for giving the CLI a try, since that works, the credentials should work for aws module hmmm. Do you use ~/.aws/credentials to store aws credentials under different profile names? If so, could you give this config a try?

- module: aws
  period: 300s
  credential_profile_name: test-mb
  metricsets:
    - cloudwatch
  metrics:
    - namespace: AWS/EC2
      name: ["CPUUtilization", "DiskWriteOps"]
      tags.resource_type_filter: ec2:instance
      statistic: ["Average"]

If you don't use ~/.aws/credentials file, then could you plug in the AWS credentials directly into the config to see if that will work? I'm just trying to make sure the credentials get passed into the config correctly:

- module: aws
  period: 300s
  access_key_id: "please copy paste your access key id in here"
  secret_access_key: "please copy paste your secret access key in here"
  metricsets:
    - cloudwatch
  metrics:
    - namespace: AWS/EC2
      name: ["CPUUtilization", "DiskWriteOps"]
      tags.resource_type_filter: ec2:instance
      statistic: ["Average"]

Hi again Kaiyan!

It looks like, as you said, the credentials were not passed correctly to the config file. I had an .aws/credentials file, with just a default profile. I used it in the config file and it seems that it's working fine.

Probably I did something wrong with the ENV variables in the yaml file.

Thank you very much for your help!
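
A check for the situation this thread ended on, as an added example that is not part of the original posts or of Metricbeat: for each credential setting in an aws module config it reports whether the ${VAR} reference resolves in a given environment, or whether a key is written into the file itself. The function name, status labels and sample config are assumptions constructed for illustration; variables exported from .bashrc exist only in shells that source that file, so run it in the environment that actually starts Metricbeat.

```python
import os
import re

# Credential settings of the aws module that appear in this thread.
CRED_KEYS = ("access_key_id", "secret_access_key", "session_token")
# Matches ${NAME} and ${NAME:default}, the reference form used in the first config.
REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")

# Constructed sample: the env-var form from the first post, then the
# "paste the keys in" form with a placeholder and an empty value.
SAMPLE_CONFIG = '''
- module: aws
  access_key_id: '${AWS_ACCESS_KEY_ID:""}'
  secret_access_key: '${AWS_SECRET_ACCESS_KEY:""}'
- module: aws
  access_key_id: "PLACEHOLDER_KEY_ID"
  secret_access_key: ""
'''

def audit_credentials(config_text, env=None):
    """Return (key, status, detail) for every credential setting found.

    env-ok       referenced variable is set and non-empty in env
    env-missing  referenced variable is unset or empty in env
    literal      a value is written directly in the config file
    empty        the setting is present but has no value
    """
    env = os.environ if env is None else env
    findings = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or ":" not in stripped:
            continue
        key, _, raw = stripped.partition(":")
        key = key.lstrip("- ").strip()
        if key not in CRED_KEYS:
            continue
        value = raw.strip().strip("'\"")
        ref = REF.search(value)
        if not value:
            findings.append((key, "empty", ""))
        elif ref is None:
            findings.append((key, "literal", "secret stored in the config file"))
        else:
            status = "env-ok" if env.get(ref.group(1)) else "env-missing"
            findings.append((key, status, ref.group(1)))
    return findings

if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CONFIG):
        print(*finding)
```

Any env-missing line means Metricbeat would start without that key, and a literal line means the secret is readable by anyone who can read the config file.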
