26 Jul 2023 08:28 AM - last edited on 08 Aug 2024 12:13 PM by Michal_Gebacki
Hi, I'm looking into How to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics.
Reading the documentation, it seemed like it could be done.
https://www.dynatrace.com/support/help/shortlink/aws-monitoring-guide#monitoring-prerequisites
The AWS Security Token Service is a global endpoint by default. In case of using a regional endpoint, sts.<REGION>.amazonaws.com needs to be accessible.
Therefore, we built a regional STS endpoint in the same private subnet as the EC2 instance where ActiveGate was set up. However, the connection is made to the default STS global endpoint, resulting in an error.
2023-07-26 06:48:04 UTC INFO [<xxx00000>] [<vtopology.provider>, PartitionAutoDetection] Updating partition: aws-cn -> aws, for credentials: AWS-monitoring [-xxxxxxxxxxxx]
2023-07-26 06:48:45 UTC WARNING [<xxx00000>] [<vtopology.provider>, AWSFastCheckCallable] Credentials refresh failed: {status: ERROR_BAD_CREDENTIALS, statusInfo: Service failed to assume role provided in credentials, credentials: AWSCredentialsImpl {identifier: ***********, accessKey: null, tenantUUID: xxx00000, iamRole: Dynatrace_monitoring_role, accountId: xxxxxxxxxxx, externalId: *****, label: AWS-monitoring, version: 2.0}, exception: com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/209.54.177.164] failed: connect timed out}
We have confirmed that there is no problem with the communication between the EC2 instance running ActiveGate and the regional STS endpoint.
I think I need to add or change some settings, but if anyone knows, please let me know.
Best regards,
Yuki Ito
12 Feb 2024 07:13 PM
@yito were you able to get this resolved?
22 Mar 2024 08:09 AM
I'm sorry I had missed your message.
Actually, I haven't been able to resolve this yet. I would like to know how to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics.
25 Jul 2024 03:02 PM - edited 25 Jul 2024 03:03 PM
I think I am also facing the same issue, which leads in the GUI to an "IAM Role does not exist or is misconfigured" error. Is it your use case, @yito?
From the Support team we were given these error logs:
exception: com.amazonaws.services.securitytoken.model.RegionDisabledException: STS is not activated in this region for account:xxxxxx. Your account administrator can activate STS in this region using the IAM Console.
07 Aug 2024 04:28 PM
Hi @yito,
You can set the STS endpoint type using the config file by setting these values in the file:
[default]
sts_regional_endpoints = regional
The config file is located at ~/.aws/config on Linux or macOS, or at C:\Users\USERNAME\.aws\config on Windows.
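As an added illustration (not code from this thread or from Dynatrace), the script below parses a file in the ~/.aws/config format, reads sts_regional_endpoints per profile, and reports which STS hostname that profile will contact, so the subnet's allowlist or VPC endpoint can be checked against it. The sample config, profile names and regions are constructed for the example.

```python
"""Report which STS endpoint the AWS SDK will target for a given profile.

Added example, not the thread's or Dynatrace's own code. It reads a
~/.aws/config-style file and returns the STS hostname that must be
reachable from the host: sts.<REGION>.amazonaws.com when regional
endpoints are enabled, sts.amazonaws.com (the global endpoint) otherwise.
"""
import configparser

# Constructed sample config; profile names and regions are assumptions.
SAMPLE_CONFIG = """\
[default]
region = ap-northeast-1
sts_regional_endpoints = regional

[profile legacy]
region = eu-west-1
"""

# DNS suffix per partition; the aws-cn partition has no global STS endpoint,
# so it always resolves to a regional hostname.
PARTITION_SUFFIX = {"aws": "amazonaws.com", "aws-cn": "amazonaws.com.cn"}


def parse_aws_config(text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def section_name(profile: str) -> str:
    # The config file names non-default profiles as "[profile NAME]".
    return "default" if profile == "default" else f"profile {profile}"


def expected_sts_host(config: configparser.ConfigParser, profile: str = "default") -> str:
    sec = config[section_name(profile)]
    region = sec.get("region")
    # Older SDKs (e.g. the Java v1 SDK seen in the log) default to "legacy".
    mode = sec.get("sts_regional_endpoints", "legacy").strip().lower()
    partition = "aws-cn" if region and region.startswith("cn-") else "aws"
    suffix = PARTITION_SUFFIX[partition]
    if mode == "regional" or partition == "aws-cn":
        if not region:
            raise ValueError(f"profile {profile!r}: regional STS requested but no region set")
        return f"sts.{region}.{suffix}"
    return f"sts.{suffix}"


if __name__ == "__main__":
    cfg = parse_aws_config(SAMPLE_CONFIG)
    for prof in ("default", "legacy"):
        print(f"{prof}: allow outbound 443 to {expected_sts_host(cfg, prof)}")
```

If the reported hostname is the global one while the log shows a regional endpoint was expected, the profile the ActiveGate process actually reads is missing the setting.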