We set up the credentials in AWS, but when we try to connect from our Managed on-prem system it says "Invalid Credentials or credentials already exist". Are there any tricks to troubleshooting this? The credentials were verified and we even tried a different role name to be safe.
Thanks.
Brian
Hi Brian,
Configuration of role-based AWS monitoring for Managed is a little trickier than for SaaS. Below are instructions on how to do it. Please let me know if it worked for you.
*****************************************************************************************
Short description:
To monitor target instances with role-based permissions, a Security Gateway needs to assume a role in the target account that allows it to read the monitoring data. For security reasons the Security Gateway first assumes an additional internal role ("proxy") before it assumes the target role in a second step.
The solution therefore describes how to prepare your AWS environment:
What you need:
Detailed instructions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [ "arn:aws:iam::<12 digit target account number>:role/<role name of the Dynatrace Managed PSG>" ]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<12 digit source account number>:role/roleXassume"
}
]
}
[vertical.topology]
aws_proxy_account = <12 digit source account number>
aws_proxy_role = roleXassume
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"rds:DescribeDBInstances",
"rds:List*",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"lambda:ListFunctions",
"lambda:GetFunction",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEnvironmentResources",
"s3:List*",
"s3:Get*",
"sts:GetCallerIdentity"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [ "arn:aws:iam::<12 digit source account number>:role/roleXassume" ]
}
]
}
Best Regards,
Karolina
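The procedure above is a two-hop role chain: the Security Gateway's own role assumes the proxy role roleXassume, and roleXassume assumes the monitoring role in the target account. Every hop in such a chain needs two halves that must agree: a permission policy on the caller allowing sts:AssumeRole on the assumed role, and a trust policy on the assumed role naming the caller as principal. A mismatch on either half of either hop produces an AssumeRole failure that looks like "invalid credentials" from the gateway. The following checker is an added example written for this thread; it is not part of Karolina's answer and not Dynatrace code. The account numbers, the role names dynatrace-psg and dynatrace-monitoring, and the trust policies are constructed placeholders (the page shows only the permission policies), and the check is offline: it reasons about the policy documents you would paste into IAM rather than calling AWS.

```python
import re

# Role ARNs in the form used in the policies above; anything else is flagged (assumption:
# only IAM roles, not users or federated principals, take part in this chain).
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style glob: '*' and '?' are wildcards, everything else is literal."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def allows_assume_role(permission_policy, role_arn):
    """True if an Allow statement grants sts:AssumeRole on role_arn.

    Only Allow statements are inspected; an explicit Deny elsewhere still wins in AWS,
    so True is necessary but not sufficient for the hop to work.
    """
    for stmt in _as_list(permission_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        if any(_matches(r, role_arn) for r in _as_list(stmt.get("Resource"))):
            return True
    return False


def trusts_principal(trust_policy, principal_arn):
    """True if the trust policy names principal_arn (or its account root) for sts:AssumeRole.

    A wildcard principal is deliberately not accepted: a role anyone can assume is a
    misconfiguration, not a working hop.
    """
    account = principal_arn.split(":")[4]
    accepted = {principal_arn, f"arn:aws:iam::{account}:root"}
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and accepted & set(_as_list(principal.get("AWS"))):
            return True
    return False


def check_hop(caller_arn, caller_policy, assumed_arn, assumed_trust):
    """One hop needs both halves: permission on the caller, trust on the assumed role."""
    findings = [f"malformed role ARN: {arn}" for arn in (caller_arn, assumed_arn)
                if not ROLE_ARN.match(arn)]
    if findings:
        return findings
    if not allows_assume_role(caller_policy, assumed_arn):
        findings.append(f"{caller_arn} has no Allow for sts:AssumeRole on {assumed_arn}")
    if not trusts_principal(assumed_trust, caller_arn):
        findings.append(f"trust policy of {assumed_arn} does not name {caller_arn}")
    return findings


def check_chain(gateway_arn, gateway_policy, proxy_arn, proxy_policy, proxy_trust,
                target_arn, target_trust):
    """Validate gateway -> proxy -> target. An empty list means every hop is consistent."""
    return (check_hop(gateway_arn, gateway_policy, proxy_arn, proxy_trust)
            + check_hop(proxy_arn, proxy_policy, target_arn, target_trust))


# Constructed sample: placeholder account numbers and role names, not real ones.
SOURCE = "111111111111"
TARGET = "222222222222"
GATEWAY_ROLE = f"arn:aws:iam::{SOURCE}:role/dynatrace-psg"
PROXY_ROLE = f"arn:aws:iam::{SOURCE}:role/roleXassume"
TARGET_ROLE = f"arn:aws:iam::{TARGET}:role/dynatrace-monitoring"


def assume_policy(resource):
    """Permission policy in the shape of the snippets above."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": resource}]}


def trust_policy(principal_arn):
    """Trust relationship of an assumed role (assumed shape; the page does not show these)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": principal_arn},
                           "Action": "sts:AssumeRole"}]}


def working_chain():
    return check_chain(GATEWAY_ROLE, assume_policy("*"),
                       PROXY_ROLE, assume_policy([TARGET_ROLE]), trust_policy(GATEWAY_ROLE),
                       TARGET_ROLE, trust_policy(PROXY_ROLE))


def chain_with_wrong_target_trust():
    # Common mistake in a two-hop setup: the target role trusts the gateway directly
    # instead of the proxy, so hop 2 fails although every permission policy looks right.
    return check_chain(GATEWAY_ROLE, assume_policy("*"),
                       PROXY_ROLE, assume_policy([TARGET_ROLE]), trust_policy(GATEWAY_ROLE),
                       TARGET_ROLE, trust_policy(GATEWAY_ROLE))


if __name__ == "__main__":
    print("working chain:", working_chain() or "OK")
    for finding in chain_with_wrong_target_trust():
        print("broken chain:", finding)
```

When the offline check passes but the gateway still reports invalid credentials, the remaining suspects are the halves this script cannot see: an explicit Deny or SCP on either account, the instance profile actually attached to the gateway host not being the role you put in the policy, or the role names in the gateway configuration above not matching the ARNs in IAM character for character.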
Can you clarify if these steps are for running Dynatrace Managed on-prem and trying to monitor AWS? Also, can you touch on how to apply the role to the Security Gateway in Managed?
Hello,
Are these steps for running Dynatrace Managed on-prem?
Thanks in advance for your reply.
Will these instructions also work with Managed on-prem? I'm having the same problem.
Yes, they should work for Managed as well. This is stated in Karolina's procedure.
Will it work for Dynatrace SaaS?
It works the same way:
https://www.dynatrace.com/support/help/cloud-platforms/amazon-web-services/how-do-i-start-amazon-web-services-monitoring#enable-access-to-your-amazon-account
The link is broken (404)
Hi @ofpeleg
Here is a working one: Set up Dynatrace Managed for AWS monitoring
HTH
Yos