How to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics?

yito
Participant

Hi, I'm looking into how to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics.


Reading the documentation, it seemed like it could be done.

https://www.dynatrace.com/support/help/shortlink/aws-monitoring-guide#monitoring-prerequisites

The AWS Security Token Service is a global endpoint by default. In case of using a regional endpoint, sts.<REGION>.amazonaws.com needs to be accessible.

Therefore, we built a Region STS Endpoint in the same Private subnet as EC2 where ActiveGate was set up. However, the connection is made to the default STS global endpoint, resulting in an error.

2023-07-26 06:48:04 UTC INFO [<xxx00000>] [<vtopology.provider>, PartitionAutoDetection] Updating partition: aws-cn -> aws, for credentials: AWS-monitoring [-xxxxxxxxxxxx]
2023-07-26 06:48:45 UTC WARNING [<xxx00000>] [<vtopology.provider>, AWSFastCheckCallable] Credentials refresh failed: {status: ERROR_BAD_CREDENTIALS, statusInfo: Service failed to assume role provided in credentials, credentials: AWSCredentialsImpl {identifier: ***********, accessKey: null, tenantUUID: xxx00000, iamRole: Dynatrace_monitoring_role, accountId: xxxxxxxxxxx, externalId: *****, label: AWS-monitoring, version: 2.0}, exception: com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/209.54.177.164] failed: connect timed out}

We have confirmed that the communication between the EC2 instance running ActiveGate and the regional STS endpoint is not a problem.

I think I need to add or change some settings, but if anyone knows, please let me know.

 

Best regards,

Yuki Ito


ChadTurner
DynaMight Legend

@yito were you able to get this resolved?

-Chad

yito
Participant

@ChadTurner 

I'm sorry I had missed your message.

Actually, I haven't been able to resolve this yet. I would like to know how to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics.

NicolasTr
Participant

I think I am also facing the same issue, which leads in the GUI to an "IAM Role does not exist or is misconfigured" message. Is it your use case @yito?

 

From the Support team we were given these error logs:

exception: com.amazonaws.services.securitytoken.model.RegionDisabledException: STS is not activated in this region for account:xxxxxx. Your account administrator can activate STS in this region using the IAM Console.

dawid_kaszubski
Dynatrace Participant

Hi @yito,
You can set the STS endpoint type using the config file by setting these values in the file:

[default] 
sts_regional_endpoints = regional

The config file is located at ~/.aws/config on Linux or macOS, or at C:\Users\USERNAME\.aws\config on Windows. 

Product Owner of Cloud Monitoring
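An added check (example code, not from this thread and not from Dynatrace) that reads the setting named above from an AWS config file and reproduces the SDK's endpoint choice, so the value can be verified before restarting ActiveGate. The list of regions that the default "legacy" mode still routes to the global endpoint is taken from the AWS SDK documentation and is an assumption here, as are the constructed config snippets.

```python
"""Resolve which STS hostname an AWS SDK will contact for a given profile."""
import configparser

# Regions where the "legacy" default (no sts_regional_endpoints set) still
# sends STS calls to the global endpoint sts.amazonaws.com, which is the
# hostname seen in the ActiveGate log above. Every other region is regional
# regardless of the setting. (Assumed from the AWS SDK documentation.)
LEGACY_GLOBAL_REGIONS = {
    "ap-northeast-1", "ap-south-1", "ap-southeast-1", "ap-southeast-2",
    "aws-global", "ca-central-1", "eu-central-1", "eu-north-1",
    "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1",
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
}


def sts_endpoint_mode(config_text: str, profile: str = "default") -> str:
    """Return 'regional' or 'legacy' as the SDK reads it from ~/.aws/config."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    # Non-default profiles are stored as "[profile NAME]" in ~/.aws/config.
    section = profile if profile == "default" else f"profile {profile}"
    if not parser.has_section(section):
        return "legacy"
    return parser.get(section, "sts_regional_endpoints", fallback="legacy").strip().lower()


def sts_hostname(region: str, mode: str) -> str:
    """Hostname the SDK resolves for STS given the region and endpoint mode."""
    if region.startswith("cn-"):
        # aws-cn partition (the partition the log mentions): always regional,
        # and with a different DNS suffix.
        return f"sts.{region}.amazonaws.com.cn"
    if mode == "legacy" and region in LEGACY_GLOBAL_REGIONS:
        return "sts.amazonaws.com"
    return f"sts.{region}.amazonaws.com"


def resolve(config_text: str, region: str, profile: str = "default") -> str:
    """Combine both steps: which STS host will be contacted for this profile."""
    return sts_hostname(region, sts_endpoint_mode(config_text, profile))


# Constructed sample configs: the unset default (the situation in the log)
# and the same profile with the fix from the reply above applied.
UNSET_CONFIG = "[default]\nregion = ap-northeast-1\n"
FIXED_CONFIG = "[default]\nregion = ap-northeast-1\nsts_regional_endpoints = regional\n"

if __name__ == "__main__":
    for label, cfg in (("unset", UNSET_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {resolve(cfg, 'ap-northeast-1')}")
```

If the unset profile resolves to sts.amazonaws.com while only the regional endpoint is reachable from the private subnet, the connect timeout in the log is the expected result, and the `[profile NAME]` form matters when ActiveGate does not use the default profile.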
