Credentials and permissions
Create IAM policy
The agent needs permission to describe RDS instances (and ElastiCache clusters), read RDS log files and read Enhanced Monitoring data, which RDS publishes to the RDSOSMetrics log group in CloudWatch Logs. Create an IAM policy with the document below; all of its actions are read-only. The rds/elasticache statement uses Resource "*" so that the agent can discover instances; narrow it to your account and region (or to specific instance ARNs) if your IAM practice requires it.
MonitoringReadOnlyAccess
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBLogFiles",
"rds:DownloadDBLogFilePortion",
"rds:ListTagsForResource",
"elasticache:DescribeCacheClusters",
"elasticache:ListTagsForResource"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:GetLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"
]
}
]
}
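The following script is an added example for this page, not part of coroot-aws-agent. It lints the policy above for wildcard or non-read-only actions and unscoped resources, and derives a copy bound to one account and region. The account ID and region in the usage block are placeholders, and the ARN patterns it substitutes for Resource "*" (RDS "db:*", ElastiCache "cluster:*") are assumptions: confirm in the IAM Service Authorization Reference that each action supports resource-level permissions before deploying the scoped document.

```python
"""Lint the aws-agent IAM policy and derive an account/region-scoped copy.

Added example; not part of coroot-aws-agent. The ARN patterns in SCOPED_ARNS
are assumptions about which resource types the page's actions operate on.
"""
import json
import re
from copy import deepcopy

# Action names that only read state; anything else is reported.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Download|List|Get)[A-Za-z]*$")

# Resource ARN pattern per service, used when a statement has Resource "*".
SCOPED_ARNS = {
    "rds": "arn:aws:rds:{region}:{account}:db:*",
    "elasticache": "arn:aws:elasticache:{region}:{account}:cluster:*",
}

# Constructed copy of the MonitoringReadOnlyAccess document from this page.
AGENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DownloadDBLogFilePortion",
                "rds:ListTagsForResource",
                "elasticache:DescribeCacheClusters",
                "elasticache:ListTagsForResource",
            ],
            "Resource": ["*"],
        },
        {
            "Effect": "Allow",
            "Action": ["logs:GetLogEvents"],
            "Resource": ["arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"],
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint(policy):
    """Return findings for wildcard or non-read-only actions and for resources
    that are "*" or whose ARN leaves region/account as "*"; [] means clean."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
            elif not READ_ONLY.match(action):
                findings.append(f"statement {i}: non-read-only action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            parts = res.split(":", 5)  # arn:partition:service:region:account:resource
            if res == "*":
                findings.append(f"statement {i}: Resource '*' is not scoped")
            elif len(parts) == 6 and "*" in parts[3:5]:
                findings.append(f"statement {i}: {res} leaves region or account open")
    return findings


def scope(policy, account, region):
    """Bind every Allow statement to one account and region: a statement with
    Resource "*" is split into one statement per service using SCOPED_ARNS,
    and "*" in the region/account fields of other ARNs is filled in."""
    scoped = deepcopy(policy)
    statements = []
    for stmt in scoped["Statement"]:
        if stmt.get("Effect") != "Allow":
            statements.append(stmt)
            continue
        resources = _as_list(stmt.get("Resource", []))
        if resources == ["*"]:
            by_service = {}
            for action in _as_list(stmt["Action"]):
                by_service.setdefault(action.split(":", 1)[0], []).append(action)
            for service, acts in by_service.items():
                if service not in SCOPED_ARNS:
                    raise ValueError(f"no scoped ARN pattern for service {service!r}")
                arn = SCOPED_ARNS[service].format(account=account, region=region)
                statements.append({"Effect": "Allow", "Action": acts, "Resource": [arn]})
            continue
        filled = []
        for res in resources:
            parts = res.split(":", 5)
            if len(parts) == 6:
                parts[3] = region if parts[3] == "*" else parts[3]
                parts[4] = account if parts[4] == "*" else parts[4]
            filled.append(":".join(parts))
        stmt["Resource"] = filled
        statements.append(stmt)
    scoped["Statement"] = statements
    return scoped


def action_set(policy):
    """All actions a policy allows, to confirm that scoping dropped none."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action", []))}


if __name__ == "__main__":
    print("page policy:", lint(AGENT_POLICY))
    # placeholder account ID and region
    tightened = scope(AGENT_POLICY, account="123456789012", region="eu-west-1")
    print("scoped policy:", lint(tightened) or "clean")
    assert action_set(tightened) == action_set(AGENT_POLICY)
    print(json.dumps(tightened, indent=2))
```

Run it as-is to see the two findings on the page's policy (the unscoped "*" and the open region/account in the logs ARN) and the tightened document, which keeps every action the agent needs while binding each statement to your account and region. Keep the region-wide "db:*" rather than listing instance names, since the agent relies on discovering instances.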
Attach IAM policy
The agent uses the AWS SDK's default credential provider chain to find credentials, so any of the usual options works. The most common are:
- create an IAM user with programmatic access, attach the policy to it and pass the keys through the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY environment variables (these are long-lived keys; prefer one of the role-based options where you can)
- attach an IAM role with the policy to the EC2 instance the agent runs on (instance profile)
- on EKS, attach the policy to an IAM role associated with the Kubernetes service account the agent runs as (IAM Roles for Service Accounts)
RDS for PostgreSQL
The agent discovers RDS instances in the specified region and gathers OS, Postgres and log metrics for each of them.
Create a database role
Create a dedicated login role for the agent and grant it pg_monitor, the built-in role (PostgreSQL 10 and later) that can read the pg_stat_* views and other monitoring functions without superuser privileges:
create role <USER> with login password '<PASSWORD>';
grant pg_monitor to <USER>;
IAM database authentication is coming soon.
Enable pg_stat_statements
pg_stat_statements must be loaded through the shared_preload_libraries server setting before the extension can be created. On RDS this is a static parameter in the instance's DB parameter group, so changing it requires a reboot; check the current value with:
show shared_preload_libraries;
Once it lists pg_stat_statements, create the extension in the database the agent connects to:
create extension if not exists pg_stat_statements;
Run
Kubernetes
helm repo add coroot https://coroot.github.io/helm-charts
helm repo update
helm install --namespace coroot --create-namespace \
--set aws.region=<REGION> \
--set aws.key=<KEY> \
--set aws.secret=<SECRET> \
--set rds.user=<USER> \
--set rds.password=<PASSWORD> \
aws-agent coroot/aws-agent
Values passed with --set, including aws.secret and rds.password, are stored with the release in the cluster and can be read back with helm get values by anyone with access to the Helm release secrets in that namespace; prefer the role-based credential options above where possible.
If you use Prometheus Operator,
you will also need to create a PodMonitor:
helm install --set podMonitor=true ...
Make sure the PodMonitor matches podMonitorSelector defined in your Prometheus:
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
...
spec:
...
podMonitorNamespaceSelector: {}
podMonitorSelector: {}
...
The empty selector {} matches everything, so this configuration lets Prometheus pick up PodMonitors from all namespaces.
Docker
docker run --detach --name coroot-aws-agent \
-e AWS_REGION=<REGION> \
-e AWS_ACCESS_KEY_ID=<KEY> \
-e AWS_SECRET_ACCESS_KEY=<SECRET> \
-e RDS_DB_USER=<USER> \
-e RDS_DB_PASSWORD=<PASSWORD> \
ghcr.io/coroot/coroot-aws-agent
Secrets passed with -e are visible to anyone who can run docker inspect on the container; on an EC2 host, prefer an instance role and omit the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY variables.