topic How to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics? in Cloud platforms

How to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics?

yito — Thu, 08 Aug 2024 11:13:59 GMT

Hi, I'm looking into How to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics.

Reading at the documentation, it seemed like it could be done.

https://www.dynatrace.com/support/help/shortlink/aws-monitoring-guide#monitoring-prerequisites

The AWS Security Token Service is a global endpoint by default. In case of using a regional endpoint, sts.<REGION>.amazonaws.com needs to be accessible.

Therefore, we built a Region STS Endpoint in the same Private subnet as EC2 where ActiveGate was set up. However, the connection is made to the default STS global endpoint, resulting in an error.

2023-07-26 06:48:04 UTC INFO [<xxx00000>] [<vtopology.provider>, PartitionAutoDetection] Updating partition: aws-cn -> aws, for credentials: AWS-monitoring [-xxxxxxxxxxxx]
2023-07-26 06:48:45 UTC WARNING [<xxx00000>] [<vtopology.provider>, AWSFastCheckCallable] Credentials refresh failed: {status: ERROR_BAD_CREDENTIALS, statusInfo: Service failed to assume role provided in credentials, credentials: AWSCredentialsImpl {identifier: ***********, accessKey: null, tenantUUID: xxx00000, iamRole: Dynatrace_monitoring_role, accountId: xxxxxxxxxxx, externalId: *****, label: AWS-monitoring, version: 2.0}, exception: com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/209.54.177.164] failed: connect timed out}

We have confirmed that the communication between EC2 with ActiveGate and the Region STS endpoint is no problem.

I think I need to add or change some settings, but if anyone knows, please let me know.

Best regards,

Yuki Ito

Re: How to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics

ChadTurner — Mon, 12 Feb 2024 19:13:01 GMT

@yito were you able to get this resolved?

Re: How to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics

yito — Fri, 22 Mar 2024 08:09:17 GMT

@ChadTurner

I'm sorry I had missed your message.

Actually, I haven't be able to resolved this yet. I would like to know how to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics.

Re: How to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics

NicolasTr — Thu, 25 Jul 2024 14:03:31 GMT

I think I am also facing the same issue which leads in the GUI to an "IAM Role does not exist or is misconfigured" is it your use case @yito ?

From Support team we were given this error logs :

exception: com.amazonaws.services.securitytoken.model.RegionDisabledException: STS is not activated in this region for account:xxxxxx. Your account administrator can activate STS in this region using the IAM Console.

Re: How to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics

dawid_kaszubski — Wed, 07 Aug 2024 15:28:22 GMT

Hi @yito,
You can set the STS endpoint type using the config file by setting these values in the file:

[default] 
sts_regional_endpoints = regional

The config file is located at ~/.aws/config on Linux or macOS, or at C:\Users\USERNAME\.aws\config on Windows.