Metricbeat getResources failed AccessDeniedException

atharvak · February 17, 2021, 11:10am

Hello guys,
I am trying to setup Metricbeat for my AWS account. I have already created an IAM user with full access to EC2, S3, Cloudwatch, etc. Following is my configuration

#- module: aws
#  period: 1m
#  metricsets:
#    - elb
#    - usage
- module: aws
  period: 5m
  access_key_id: '<ACCESS_KEY_ID>'
  secret_access_key: '<AWS_SECRET_ACCESS_KEY>'
  metricsets:
    - cloudwatch
  metrics:
    - namespace: AWS/EC2
      #name: ["CPUUtilization", "DiskWriteOps"]
      #tags.resource_type_filter: ec2:instance
      #dimensions:
      #  - name: InstanceId
      #    value: i-0686946e22cf9494a
      #statistic: ["Average", "Maximum"]
- module: aws
  period: 5m
  access_key_id: '----'
  secret_access_key: '---'
  metricsets:
    - ebs
    - ec2
#    - sns
#    - sqs
#    - rds
- module: aws
  period: 12h
  access_key_id: '<<ACCESS_KEY_ID>'
  secret_access_key: '<SECRET_ACCESS_KEY>'
  metricsets:
    - billing
  regions:
    - us-east-1
- module: aws
  period: 24h
  access_key_id: '<awsaccesskeyid>'
  secret_access_key: '<secretaccesskey>'
  metricsets:
    - s3_daily_storage
    - s3_request

Despite this configuration, I am getting following errors in the logs.

Feb 17 16:36:01 logviu metricbeat: 2021-02-17T16:36:01.807+0530#011INFO#011[aws.ebs]#011cloudwatch/cloudwatch.go:475#011getResourcesTags failed, skipping region ap-south-1: error GetResources: AccessDeniedException: User: arn:aws:iam::0000000:user/Test_user is not authorized to perform: tag:GetResources
Feb 17 16:36:01 logviu metricbeat: status code: 400, request id: 1f60b771-0e3b-454e-87b6-7078f4fe55ce
Feb 17 16:36:03 logviu metricbeat: 2021-02-17T16:36:03.480+0530#011INFO#011[aws.cloudwatch]#011cloudwatch/cloudwatch.go:475#011getResourcesTags failed, skipping region ap-south-1: error GetResources: AccessDeniedException: User: arn:aws:iam::0000000:user/Test_user is not authorized to perform: tag:GetResources
Feb 17 16:36:03 logviu metricbeat: status code: 400, request id: 1d305e8d-8b5d-419e-83fd-b21189e402e7
Feb 17 16:36:11 logviu metricbeat: 2021-02-17T16:36:11.763+0530#011INFO#011[aws.ebs]#011cloudwatch/cloudwatch.go:475#011getResourcesTags failed, skipping region us-east-2: error GetResources: AccessDeniedException: User: arn:aws:iam::0000000:user/Test_user is not authorized to perform: tag:GetResources
Feb 17 16:36:11 logviu metricbeat: status code: 400, request id: 0447b4d8-6b45-4c85-93c2-094ff301d18b

Thank you in advance.

jsoriano · February 17, 2021, 7:21pm

Hi @atharvak,

Could you check if yout IAM user has permissions for tag:GetResources?

This is needed for ebs and other metricsets.

system · March 17, 2021, 9:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
AWS metricbeat config, Access Denied Beats metricbeat	16	1185	May 19, 2020
Metricbeat connecting to AWS reporting Failed DescribeRegions Beats metricbeat	6	2947	November 19, 2019
Metricbeat AWS Module Beats metricbeat	12	867	June 1, 2020
getResourcesTags failed, skipping region us-east-1 Elastic Observability	0	221	August 28, 2023
Metricbeat not able to recognise AWS modules Beats metricbeat	5	327	November 2, 2022

Metricbeat getResources failed AccessDeniedException

Related topics