Metricbeat getResources failed AccessDeniedException

Hello guys,
I am trying to set up Metricbeat for my AWS account. I have already created an IAM user with full access to EC2, S3, CloudWatch, etc. The following is my configuration:

#- module: aws
#  period: 1m
#  metricsets:
#    - elb
#    - usage
- module: aws
  period: 5m
  access_key_id: '<ACCESS_KEY_ID>'
  secret_access_key: '<AWS_SECRET_ACCESS_KEY>'
  metricsets:
    - cloudwatch
  metrics:
    - namespace: AWS/EC2
      #name: ["CPUUtilization", "DiskWriteOps"]
      #tags.resource_type_filter: ec2:instance
      #dimensions:
      #  - name: InstanceId
      #    value: i-0686946e22cf9494a
      #statistic: ["Average", "Maximum"]
- module: aws
  period: 5m
  access_key_id: '----'
  secret_access_key: '---'
  metricsets:
    - ebs
    - ec2
#    - sns
#    - sqs
#    - rds
- module: aws
  period: 12h
  access_key_id: '<<ACCESS_KEY_ID>'
  secret_access_key: '<SECRET_ACCESS_KEY>'
  metricsets:
    - billing
  regions:
    - us-east-1
- module: aws
  period: 24h
  access_key_id: '<awsaccesskeyid>'
  secret_access_key: '<secretaccesskey>'
  metricsets:
    - s3_daily_storage
    - s3_request

Despite this configuration, I am getting the following errors in the logs.

Feb 17 16:36:01 logviu metricbeat: 2021-02-17T16:36:01.807+0530#011INFO#011[aws.ebs]#011cloudwatch/cloudwatch.go:475#011getResourcesTags failed, skipping region ap-south-1: error GetResources: AccessDeniedException: User: arn:aws:iam::0000000:user/Test_user is not authorized to perform: tag:GetResources
Feb 17 16:36:01 logviu metricbeat: status code: 400, request id: 1f60b771-0e3b-454e-87b6-7078f4fe55ce
Feb 17 16:36:03 logviu metricbeat: 2021-02-17T16:36:03.480+0530#011INFO#011[aws.cloudwatch]#011cloudwatch/cloudwatch.go:475#011getResourcesTags failed, skipping region ap-south-1: error GetResources: AccessDeniedException: User: arn:aws:iam::0000000:user/Test_user is not authorized to perform: tag:GetResources
Feb 17 16:36:03 logviu metricbeat: status code: 400, request id: 1d305e8d-8b5d-419e-83fd-b21189e402e7
Feb 17 16:36:11 logviu metricbeat: 2021-02-17T16:36:11.763+0530#011INFO#011[aws.ebs]#011cloudwatch/cloudwatch.go:475#011getResourcesTags failed, skipping region us-east-2: error GetResources: AccessDeniedException: User: arn:aws:iam::0000000:user/Test_user is not authorized to perform: tag:GetResources
Feb 17 16:36:11 logviu metricbeat: status code: 400, request id: 0447b4d8-6b45-4c85-93c2-094ff301d18b

Thank you in advance.

Hi @atharvak,

Could you check if your IAM user has permissions for tag:GetResources?

This is needed for ebs and other metricsets.
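
An added example, not part of either post above and not Metricbeat's own code: a small triage script that reads Metricbeat syslog lines like the ones in the question, groups each denied IAM action by principal, metricset and region, and builds a policy statement granting only those actions. The log lines are constructed with a placeholder account id and user name, and `denied_actions` and `policy_for` are hypothetical helper names.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the syslog lines quoted in the question
# (placeholder account id and user name; "#011" is syslog's escaped tab).
ARN = "arn:aws:iam::000000000000:user/example_user"
TAIL = f"error GetResources: AccessDeniedException: User: {ARN} is not authorized to perform: tag:GetResources"
SAMPLE_LOG = "\n".join([
    f"Feb 17 16:36:01 host metricbeat: 2021-02-17T16:36:01.807+0530#011INFO#011[aws.ebs]#011cloudwatch/cloudwatch.go:475#011getResourcesTags failed, skipping region ap-south-1: {TAIL}",
    "Feb 17 16:36:01 host metricbeat: status code: 400, request id: 00000000-0000-0000-0000-000000000000",
    f"Feb 17 16:36:03 host metricbeat: 2021-02-17T16:36:03.480+0530#011INFO#011[aws.cloudwatch]#011cloudwatch/cloudwatch.go:475#011getResourcesTags failed, skipping region ap-south-1: {TAIL}",
    f"Feb 17 16:36:11 host metricbeat: 2021-02-17T16:36:11.763+0530#011INFO#011[aws.ebs]#011cloudwatch/cloudwatch.go:475#011getResourcesTags failed, skipping region us-east-2: {TAIL}",
])

DENIED = re.compile(
    r"\[aws\.(?P<metricset>[\w.]+)\].*?"
    r"skipping region (?P<region>[a-z0-9-]+):.*?"
    r"AccessDeniedException: User: (?P<principal>arn:aws:iam::\d*:\S+) "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+)"
)

def denied_actions(log_text):
    """Map principal ARN -> denied action -> set of (metricset, region) affected."""
    found = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:  # continuation lines ("status code: 400, ...") do not match
            found[m["principal"]][m["action"]].add((m["metricset"], m["region"]))
    return found

def policy_for(actions):
    """Build an IAM policy document that allows only the given actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "MetricbeatDeniedActions",
            "Effect": "Allow",
            "Action": sorted(actions),
            # tag:GetResources has no resource-level scoping, so "*" is required here.
            "Resource": "*",
        }],
    }

if __name__ == "__main__":
    for principal, actions in denied_actions(SAMPLE_LOG).items():
        print(principal, {a: sorted(hits) for a, hits in actions.items()})
        print(json.dumps(policy_for(actions), indent=2))
```
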
