AWS Integration cannot have non-default services added to the monitoring configuration

bsnurka — Wed, 25 Jun 2025 16:26:40 GMT

Summary

As part of the AWS Integration docs, especially for non-default AWS Services Monitoring, an EC2-based Environment ActiveGate capable of performing the sts:AssumeRole Task over the AWS IAM Role in the AWS Account wishing to be monitored is required.

Problem

The IAM Role associated with the ActiveGate is unable to perform the sts:AssumeRole Task, leading to a lack of Metrics/Logs ingest for AWS Resources within the AWS Account.

Troubleshooting steps

With an incorrect configuration applied, there will be logs similar to the following found within the ActiveGate's SupportArchive.

\log\dynatracegateway.0.0.log

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn‌‌sts::{AG-AWS-Account-Number}:assumed-role/{AG-Role-Name}/{AG-Instance-ID} is not authorized to perform: sts:AssumeRole on resource: arn‌‌iam::{Target-AWS-Account-Number}:role/{Target-Role-Name}(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: XXXX; Proxy: null) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)

Within the Dynatrace UI > Settings Classic > Cloud > AWS, there will be a warning stating that the given integration is "Running on Dynatrace provided infrastructure".

The AWS Integration cannot have non-default AWS Services added to the integration for monitoring.

Resolution

Ensure the ActiveGate being used for the integration is deployed as an EC2 instance, and has the aws_monitoring_enabled set to true within the custom.properties file: https://docs.dynatrace.com/docs/shortlink/sgw-configure#aws-monitoring
Confirm the Target AWS Account has the proper IAM Role deployed - dynatrace-monitoring-role
1. Redeploy the linked CloudFormation Template as-needed.
Confirm the IAM Policy attached to the ActiveGate matches the dynatrace-activegate-role
1. From the ActiveGate's CLI
```
curl http://169.254.169.254/latest/meta-data/iam/info
```
2. Redeploy the linked CloudFormation Template as-needed.
Test the sts:AssumeRole task from the ActiveGate's CLI
1. ```
aws sts assume-role --role-arn <ARN_of_monitoring_role> --role-session-name TestSession --external-id <external_id>
```
2. The external_id can be found within the AWS Integration's config within the Dynatrace Settings.
Confirm there is no AWS Service Control Policy configured which could be blocking the sts:AssumeRole task, especially if the ActiveGate is deployed in a different AWS Account + ORG than the Target AWS Account.

What's next