10

I'm trying to add the AWS CloudWatch agent to see additional metrics, using the tutorial.

A brief review of what I did:

  1. Create an IAM role and attach it to the EC2 instance (doc) (NOTE: I do not use Parameter Store just for communication between EC2 and CloudWatch)
  2. Install the agent using the S3 link
  3. Create the agent configuration file (docs)
  4. Run the agent using the CLI (docs)

But it is still not working, and in the agent log I see errors like:

    ec2tagger: Unable to initialize EC2 Instance Tags : +NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors

While googling I found not much related to CloudWatch, only that in the IAM role's 'Trust Relationship' config, ec2 should be mentioned in the service section, and it is:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Any ideas? Thanks!

jtlz2
Bogdan Dubyk

6 Answers

12

In my case the instance had an IAM role attached, but the role was missing the ec2:DescribeTags permission. Adding that fixed the problem.

dskrvk
  • Can anyone link documentation from AWS that says this is required? Also, how would one even go about adding this? I don't see this as a policy option under the role or even as a permission boundary :( – Nick Brady Oct 28 '19 at 23:49
  • 1
    @NickBrady it's a permission that can be added either to one of the policies already attached to the role or to a new policy that you can create. – dskrvk Oct 30 '19 at 00:38
  • Go to IAM > your role > under permissions tab > Add inline policy > Choose EC2 as service > Actions - type `DescribeTags` and select that. Review and save policy with a name. That's it. – ChamodyaDias Jun 10 '20 at 08:14
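The two IAM documents this thread turns on are the trust policy pasted in the question (does EC2 get to assume the role at all?) and the role's identity policies (do they grant ec2:DescribeTags, the permission dskrvk's answer found missing?). Both can be checked offline before touching the console. The code below is example code added for this thread, not AWS code and not part of the CloudWatch agent; the trust policy is the question's own, the other policy documents are constructed samples, and REQUIRED_ACTIONS is an assumption drawn from the error and fixes discussed here rather than the full contents of the CloudWatchAgentServerPolicy managed policy. The evaluation is deliberately simplified (Resource and Condition are ignored), so treat it as a pre-check, not a substitute for the IAM policy simulator.

```python
"""Offline pre-check of the IAM documents behind the ec2tagger error:
does the trust policy let EC2 assume the role, and do the role's
identity policies grant the actions the agent needs?

Example code added for this thread; not AWS's or the agent's own code.
Policies other than the question's trust policy are constructed samples,
and REQUIRED_ACTIONS is an assumption taken from the thread, not the
contents of the CloudWatchAgentServerPolicy managed policy.
"""
import fnmatch
import json

# Assumption: the actions this thread shows the agent needing.
REQUIRED_ACTIONS = ["ec2:DescribeTags", "cloudwatch:PutMetricData"]


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def trust_policy_allows_ec2(trust_doc):
    """True if an Allow statement lets ec2.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_doc.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "ec2.amazonaws.com" in services
                and _matches("sts:AssumeRole", _as_list(stmt.get("Action")))):
            return True
    return False


def allowed_actions(policies, required=REQUIRED_ACTIONS):
    """Map each required action to whether the identity policies grant it.

    Simplified evaluation: an Allow whose Action (or NotAction) covers the
    action grants it, and an explicit Deny anywhere wins. Resource and
    Condition elements are ignored, so this is a pre-check, not IAM itself.
    """
    verdict = {}
    for action in required:
        allowed = denied = False
        for doc in policies:
            for stmt in _as_list(doc.get("Statement")):
                if "Action" in stmt:
                    covers = _matches(action, _as_list(stmt["Action"]))
                elif "NotAction" in stmt:
                    covers = not _matches(action, _as_list(stmt["NotAction"]))
                else:
                    covers = False
                if not covers:
                    continue
                if stmt.get("Effect") == "Allow":
                    allowed = True
                elif stmt.get("Effect") == "Deny":
                    denied = True
        verdict[action] = allowed and not denied
    return verdict


def missing_actions(policies, required=REQUIRED_ACTIONS):
    """Required actions the policies do not grant, in REQUIRED_ACTIONS order."""
    return [a for a, ok in allowed_actions(policies, required).items() if not ok]


# The trust policy exactly as pasted in the question.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "", "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole" }
  ]
}
""")

# Constructed sample: a role that can write metrics but cannot read tags,
# the situation dskrvk's answer describes.
CLOUDWATCH_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudwatch:PutMetricData", "logs:PutLogEvents"]}]}

# Constructed sample: the inline policy ChamodyaDias's comment adds.
DESCRIBE_TAGS_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeTags", "Resource": "*"}]}

if __name__ == "__main__":
    print("trust policy lets EC2 assume the role:", trust_policy_allows_ec2(TRUST_POLICY))
    print("missing before fix:", missing_actions([CLOUDWATCH_ONLY]))
    print("missing after fix: ", missing_actions([CLOUDWATCH_ONLY, DESCRIBE_TAGS_INLINE]))
```

Run as a script it reports `['ec2:DescribeTags']` missing for the metrics-only role and nothing missing once the inline DescribeTags policy is added; to check a real role, dump its attached and inline policy documents with the AWS CLI and pass them to `missing_actions` as a list of parsed JSON objects. Note that even a passing result here only covers the permission half of the thread: the `NoCredentialProviders` message itself means the agent found no credentials at all, which is the "role not attached" or "agent not running under the instance profile" case the other answers cover.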
9

"The first procedure creates the IAM role that you must attach to each Amazon EC2 instance that runs the CloudWatch agent. This role provides permissions for reading information from the instance and writing it to CloudWatch." (from the docs)

Please attach the IAM role that you created to your EC2 instance first; it works for me.

yue gong
  • 4
    Here's how: EC2 -> Instances -> Actions -> Instance Settings -> Attach/Replace IAM Role – Milanka Feb 05 '19 at 06:39
  • Yes, creating the IAM role and attaching it to the EC2 instance should work. Adding IAM user credentials in the ~/.aws/credentials file would not be the best practice. But the IAM role should have the policy "CloudWatchAgentServerPolicy". – Yeamin Rajeev Mar 17 '21 at 01:18
3

The CloudWatch agent process that runs on the EC2 instance should be able to describe the tags of that EC2 instance. The permission required for that is ec2:DescribeTags.

Attaching an instance role with the managed policy arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy will resolve the problem.

videv
0

Check to see if the CloudWatch Agent service is running (started).

Jamie
0

I got the same issue; resolved it by using the command below to refresh routes:

    Import-Module C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psm1; Add-Routes

Guardian
-3

Solved by running `aws configure` from inside the instance.

Bogdan Dubyk
  • While this has been downvoted a lot, it is actually very important. If you try using CloudWatch on a server this hasn't been done on, it will fail with this error because the AWS config files are missing. – Nick Lothian Jan 11 '22 at 03:13
  • You'll also need to do this: https://stackoverflow.com/a/60896030/280795 – Nick Lothian Jan 11 '22 at 03:15