Hello Team,
I have a few questions regarding PMM 3.x and its integration with multiple AWS accounts.
Environment Details
- I have multiple AWS accounts (A, B, C, D, etc.).
- PMM Server is deployed using the AWS Marketplace (EC2 instance) in Account A.
- PMM client/agent setup within Account A is working correctly.
- I have created the necessary IAM roles, cross-account assume-role trust policies, and attached the required role to the PMM EC2 instance in Account A.
  Roles and policies exist in both Account A and B.
- I validated the cross-account setup using STS (assume-role → temporary credentials).
- What I now want to understand clearly is how PMM will discover and display all RDS instances that are located in Account B.
My Questions
1. How does PMM 3 discover RDS instances in a different AWS account (Account B)?
Since I am not using any IAM user in either Account A or B, I want to know:
- Should RDS discovery work automatically via the cross-account role attached to the PMM EC2 instance?
- Or do I need to configure something under PMM → PMM Inventory → Add Services → Discover AWS RDS?
The documentation seems to assume IAM user access keys, but in my scenario, I am using only cross-account IAM roles (no users).
2. If I use the PMM “Data Sources → CloudWatch” integration instead:
- How can I view or filter RDS instances based on environment labels like QA, Prod, Dev, Stage, etc.?
- Does PMM automatically pull tags from CloudWatch or RDS API?
- Or do I need to configure these filters manually?
Note
In this entire setup, there are no IAM users involved.
Everything is done exclusively through IAM roles and STS AssumeRole across accounts.
Thanks,
Vasu