Hi, I’m Leo.
I’m going to do RDS discovery using an IAM role. At this time, I want to add an instance of “assumeRole” in the role, but I don’t think it’s going to be able to discover the instances that “assumeRole” can import.
I want to use “aws_role_arn” on rds_exporter.
Is there a way to do it manually?
We are currently using version 2.27, based on Docker.
Please help me~
----- Added April 27
Yes, I read this.
So, I got these results.
I’ll explain it in more detail.
- There are an “A” account and a “B” account.
- PMM was set up on “A” account’s EC2 with a role attached, and that role does “assumeRole” to “B” account’s role.
- I want to monitor both accounts with “A” account’s EC2 PMM.
But only “A” account’s RDS instances are discovered. Can I use roles (a.k.a. assumeRole) to import “B” account’s RDS instances without using a user (access key/secret key)?
Have you read over all of our official documentation for using IAM discovery?
I revised the post contents in more detail.
The example in the documentation page does not cover your exact use case. In theory, the proposed approach should work. If you have a valid setup on both accounts and use for the PMM server the role ARN that you have from account B, it should give you access to the instances that are running there.
A simple way to validate that your setup is working as expected is to install awscli inside the EC2 instance and check whether using the role from acc. “B” will allow you to list the RDS instances available in “B”.
Here you can find an example from the AWS documentation on how to use S3 resources from a different account.
Please share back your results.
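As an added example (not code from this thread or from PMM), the check suggested above as a small script: it renders the awscli profile with `role_arn` and `credential_source = Ec2InstanceMetadata`, so the EC2 instance role in account “A” is the source credential for assuming the role in account “B” without any access keys, then confirms the assumed identity really belongs to account B before listing RDS instances. The profile name “aaa” comes from the thread; the account id and role name are placeholders you must replace.

```shell
#!/bin/sh
# Added example, not from the thread: validate cross-account RDS visibility
# from an EC2 instance in account "A" via sts:AssumeRole into account "B".
set -eu

B_ACCOUNT_ID="${B_ACCOUNT_ID:-111111111111}"     # placeholder: account B's 12-digit id
B_ROLE_NAME="${B_ROLE_NAME:-pmm-rds-discovery}"  # placeholder: role in B that A may assume
PROFILE="${PROFILE:-aaa}"                        # profile name used in the thread

# Render a ~/.aws/config profile. credential_source = Ec2InstanceMetadata tells
# the CLI to use the instance role attached in account A as the source
# credentials for the AssumeRole call (no static access key/secret key).
render_profile() {
  profile="$1"; account="$2"; role="$3"
  printf '[profile %s]\nrole_arn = arn:aws:iam::%s:role/%s\ncredential_source = Ec2InstanceMetadata\nregion = us-east-1\n' \
    "$profile" "$account" "$role"
}

# Extract the 12-digit account id (5th colon-separated field) from an ARN such as
# arn:aws:sts::111111111111:assumed-role/pmm-rds-discovery/botocore-session-1
account_from_arn() {
  printf '%s' "$1" | cut -d: -f5
}

# Live check (needs awscli on the instance): fail early if the profile did not
# actually land in account B, otherwise list what B's role is allowed to see.
check_cross_account() {
  caller_arn="$(aws sts get-caller-identity --profile "$PROFILE" --query Arn --output text)"
  if [ "$(account_from_arn "$caller_arn")" != "$B_ACCOUNT_ID" ]; then
    echo "profile $PROFILE resolved to $caller_arn, not to account $B_ACCOUNT_ID" >&2
    return 1
  fi
  aws rds describe-db-instances --profile "$PROFILE" \
    --query 'DBInstances[].[DBInstanceIdentifier,Engine,Endpoint.Address]' --output table
}

# Only touch ~/.aws/config and call AWS when explicitly asked: ./check.sh run
if [ "${1:-}" = "run" ]; then
  mkdir -p ~/.aws
  render_profile "$PROFILE" "$B_ACCOUNT_ID" "$B_ROLE_NAME" >> ~/.aws/config
  check_cross_account
fi
```

If the `sts get-caller-identity` step fails, the trust policy on B's role does not allow A's instance role to assume it; if it succeeds but `describe-db-instances` returns nothing, B's role lacks `rds:DescribeDBInstances` or the region is wrong.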
Set the profile “aaa” in ~/.aws/config with role_arn.
And… I tried the command below.
“aws rds describe-db-instances --profile aaa”
The command displays the instance information created for that account.
Now, how do I make sure that the instances appear in the discovery list in the Add Instance page on the Grafana dashboard?
You can try to associate the roles with the EC2 instance. You can achieve this through the AWS UI and/or CLI. Here is an article that can guide you.
Please keep in mind that at any given time only one IAM role can be associated with an EC2 instance, so because of this you may need to alter one of the existing IAM roles to include the two policies that give you access to the two accounts.