PMM 2.30 not able to discover RDS Instances using IAM role

alinaveed · October 18, 2022, 12:06pm

Hi,

I installed PMM 2.30.0 from AWS AMI and configured IAM policy and IAM role. Also attached IAM role to the PMM EC2 instance but still unable to discover the RDS instances within the same region.

The PMM EC2 is having SG group with ports 80, 443 and 22 from 0.0.0.0/0. Moreover, performace_schema=1 and Enhanced Monitoring too is enabled for all RDS

Please support.

Thanks
Naveed

Michael_Coburn · October 24, 2022, 2:39pm

Hi @alinaveed welcome to the Percona forums!
Can you share your Policy for IAM? It should look like:

  "Statement": [{ "Sid": "Stmt1508404837000",
              "Effect": "Allow",
              "Action": [ "rds:DescribeDBInstances",
                          "cloudwatch:GetMetricStatistics",
                          "cloudwatch:ListMetrics"],
                          "Resource": ["*"] },
             { "Sid": "Stmt1508410723001",
               "Effect": "Allow",
               "Action": [ "logs:DescribeLogStreams",
                           "logs:GetLogEvents",
                           "logs:FilterLogEvents" ],
                           "Resource": [ "arn:aws:logs:*:*:log-group:RDSOSMetrics:*" ]}
           ]
}

alinaveed · October 25, 2022, 3:29am

Thanks a lot for the response Micheal. Yes i have used the same IAM policy. Moreover i had multiple times repeated the steps as described in below link but same issue.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1508404837000",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1508410723001",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:FilterLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:RDSOSMetrics:*"
            ]
        }
    ]
}

However, one strange thing i m noticing it is able to discover 2 RDS instance from another region(us-east-1) but PMM EC2 is running on sa-east-1. I have even tried different versions of PMM from 2.29,2.30 and 2.31 and used different instance type as well. Also, tried using IAM user and attaching it to the above IAM policy, still no luck and unable to discover the RDS in sa-east-1 region.

standon22 · December 7, 2022, 11:32am

@Michael_Coburn @Aleksandar_Kostovski , The problem is timeout we have in the code which is set for 7 Seconds.

Whichever region has less instances it’s easy to fetch but when there are more instances it’e being timed out.

github.com

percona/pmm/blob/d1a13c9f4aecc77d1fb908dc06e8540071c4a232/managed/services/management/rds.go

// Copyright (C) 2017 Percona LLC
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.

package management

import (
	"context"
	"net/http"

This file has been truncated. show original

We can increase the timeout for discover function to make sure it waits before ending up with error.