
Any idea if there is a trick to connecting to AWS from Dyntrace Managed?

bcox2
Organizer

We set up the credentials in AWS, but when we try to connect from our Managed on-prem system it says "Invalid Credentials or credentials already exist". Are there any tricks to troubleshooting this? The credentials were verified and we even tried a different role name to be safe.

Thanks.

Brian

9 REPLIES

Karolina_Ruszko
Inactive

Hi Brian,

Configuration of role-based AWS monitoring for Managed is a little bit trickier than for SaaS. Below are instructions on how to do it. Please let me know if it worked for you.

*****************************************************************************************

Short description:

To monitor target instances with role-based permissions, a Security Gateway needs to assume a role on the target account which allows it to read the monitoring data. For security reasons the Security Gateway first assumes an additional internal role (“proxy”), before it assumes the target role in a second step.

The solution therefore describes how to prepare your AWS environment:

1. Create a proxy role in step 1,
2. then adjust the role of the Security Gateway,
3. change Security Gateway configuration settings to point to the right AWS account,
4. and create a role and its permissions on the target account.
5. Last step are the standard configuration settings in the Dynatrace product.

What you need:

  • Your Amazon Web Services source account ID in which your Dynatrace Managed servers are running.
  • The name of the role with which your Dynatrace Managed Server (or Public Security Gateway) was started.
  • Your Amazon Web Services target account ID of the account you want to monitor.

Detailed instructions:

1. Create a cross-account access role in the source account
   a. Login to the source AWS account
   b. Go to IAM in your AWS Console
   c. Go to Roles and create a new role, name it “roleXassume”, you’ll need it later
   d. Select the Role for Cross-Account Access, then Provide access between AWS accounts you own
   e. Enter the source AWS account ID (yes, this means cross-account access on the same account)
   f. Skip attaching existing policy by going to next step
   g. In the Review page click Create Role
   h. Select the just created role and go to the Permissions tab
   i. In Permissions expand Inline Policies, and create a new inline policy there (follow the click here link)
   j. In Set Permissions select Custom Policy
   k. Create the policy with the following permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
```

   l. After the roleXassume role is created, please select the role in the IAM roles section and go to the “Trust Relationships” tab
   m. Click “Edit Trust Relationships” and change the permissions (for security reasons, the default policy permissions need to be restricted to the calling PSG role):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<12 digit source account number>:role/<role name of the Dynatrace Managed PSG>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

   Note: if you do not know upfront the role (or roles) on target accounts being monitored, you may need to alter the resource filter (e.g. include multiple roles). You may also use a wildcard (“*”) as a resource, but note that this will then allow assuming any other role you have in your source account. In such cases, you can consider using a separate “proxy” account for greater security.
2. Modify the role policy for the Dynatrace Managed server
   a. Login to the source AWS account, if not done in step 1
   b. Go to IAM in your AWS Console
   c. Select the role with which your Dynatrace Managed server is being started and go to the Permissions tab
   d. In Permissions expand Inline Policies, and create a new inline policy there (follow the click here link)
   e. In Set Permissions select Custom Policy
   f. Create the policy with the following permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<12 digit source account number>:role/roleXassume"
    }
  ]
}
```

   Note: the roleXassume in the policy must match the policy you created in step 1c.
3. Add configuration settings
   a. On the Dynatrace Managed server change the config.properties section:

```ini
[vertical.topology]
aws_proxy_account = <12 digit source account number>
aws_proxy_role = roleXassume
```

   Note: the roleXassume in the policy must match the policy you created in step 1c.
4. Create a cross-account access role in the target account (similar as in the help documentation, but with a different account ID)
   a. Login to the target AWS account
   b. Go to IAM in your AWS Console
   c. Go to Roles and create a new role
   d. Select the Role for Cross-Account Access, then Allow IAM users from a 3rd party AWS account to access this account
   e. Establish trust with your source account. Type the 12 digit source account number that can access the target account. Take note of the External ID, you’ll need it later.
   f. Skip attaching existing policy by going to next step
   g. In the Review page click Create Role
   h. Select the just created role and go to the Permissions tab
   i. In Permissions expand Inline Policies, and create a new inline policy there (follow the click here link)
   j. In Set Permissions select Custom Policy
   k. Create the policy with the following permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "rds:DescribeDBInstances",
        "rds:List*",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "lambda:ListFunctions",
        "lambda:GetFunction",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "s3:List*",
        "s3:Get*",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}
```

   l. Optional step: After the target role is created, please select the role in the IAM roles section again and go to the “Trust Relationships” tab. Then click “Edit Trust Relationships” and change the permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<12 digit source account number>:role/roleXassume"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

5. Connect your Amazon account to Dynatrace Managed – as described in the help documentation

Best Regards,

Karolina
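The procedure above hinges on three IAM documents being shaped correctly: the trust policies on roleXassume (step 1m) and on the target role (step 4l), which must name the calling role as a `Principal`, and the permission policies that grant `sts:AssumeRole` (steps 1k and 2f). A wrong key or an over-broad principal is a common cause of the "Invalid credentials" symptom in the original question. The following stdlib-only Python script is an added example, not code from Karolina's post or from Dynatrace: it builds a least-privilege trust policy (optionally with the External ID from step 4e kept as an `sts:ExternalId` condition) and lints policy documents for the mistakes described above. The account numbers, the PSG role name `dynatrace-managed-psg`, the target role name `dynatrace-monitoring` and the external ID are constructed placeholders.

```python
"""Offline checks for the IAM documents used in the PSG -> proxy role -> target role chain.
Added example; account numbers, role names and the external ID below are constructed."""
import json
import re

SOURCE_ACCOUNT = "111111111111"  # constructed: account running Dynatrace Managed / the PSG
TARGET_ACCOUNT = "222222222222"  # constructed: account to be monitored
PSG_ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/dynatrace-managed-psg"  # hypothetical name
PROXY_ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/roleXassume"
TARGET_ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/dynatrace-monitoring"  # hypothetical name

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(principal_arns, external_id=None):
    """Trust policy that lets only the named roles assume this role, optionally
    requiring the sts:ExternalId that the target-account wizard hands out (step 4e)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": list(principal_arns)},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def lint_trust_policy(doc, expected_principal_arns, require_external_id=False):
    """Return findings for a role's trust policy; [] means only the expected roles may assume it."""
    findings = []
    expected = set(expected_principal_arns)
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if "Resource" in stmt:
            findings.append(f"statement {i}: a trust policy names the caller in 'Principal', not 'Resource'")
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"statement {i}: no 'Principal', so nothing can assume the role")
            continue
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for arn in arns:
            if arn == "*":
                findings.append(f"statement {i}: Principal '*' lets any AWS identity assume the role")
            elif not ROLE_ARN_RE.match(arn):
                findings.append(f"statement {i}: '{arn}' is not a single role ARN (account-wide trust)")
            elif arn not in expected:
                findings.append(f"statement {i}: unexpected principal '{arn}'")
        if require_external_id:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not cond.get("sts:ExternalId"):
                findings.append(f"statement {i}: cross-account trust without an sts:ExternalId condition")
    return findings


def lint_assume_permission(doc):
    """Findings for an inline permission policy that grants sts:AssumeRole (steps 1k and 2f)."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: sts:AssumeRole on '*' may assume every role that trusts it; "
                            "list the target role ARNs once they are known")
    return findings


# Constructed reproduction of the step-1m document as originally posted (keyed on "Resource"):
AS_POSTED_PROXY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [PSG_ROLE_ARN]}],
}
# Step 1k as posted: the proxy role may assume any role that trusts it.
STEP_1K_PERMISSION = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}],
}
# Step 2f as posted: the PSG role may assume only roleXassume.
STEP_2F_PERMISSION = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": PROXY_ROLE_ARN}],
}


def main():
    checks = {
        "step 1m as posted": lint_trust_policy(AS_POSTED_PROXY_TRUST, [PSG_ROLE_ARN]),
        "step 1m corrected": lint_trust_policy(build_trust_policy([PSG_ROLE_ARN]), [PSG_ROLE_ARN]),
        "step 1k permission": lint_assume_permission(STEP_1K_PERMISSION),
        "step 2f permission": lint_assume_permission(STEP_2F_PERMISSION),
        "step 4l with external id": lint_trust_policy(
            build_trust_policy([PROXY_ROLE_ARN], "EXAMPLE-EXTERNAL-ID"), [PROXY_ROLE_ARN], True),
    }
    print(json.dumps(checks, indent=2))


if __name__ == "__main__":
    main()
```

Run it as-is to see the findings for the documents as posted next to the corrected ones; to check a live role, feed `lint_trust_policy` the `AssumeRolePolicyDocument` returned by the IAM GetRole API for roleXassume (expected principal: the PSG role) and for the target role (expected principal: roleXassume, with `require_external_id=True` if you kept the wizard's External ID). The builder keeps the External ID condition on the target role so that the source account can only assume it when Dynatrace presents the ID noted in step 4e.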

Can you clarify if these steps are for running Dynatrace Managed on-prem and trying to monitor AWS? Also can you touch on how to apply the role to the security gateway in Managed?

hamza_eljohri
Newcomer

Hello,

Are these steps for running Dynatrace Managed on-prem?

Thanks in advance for your reply.

steve_neighbour
Newcomer

Will these instructions also work within Managed On Prem? I'm having the same problem

Radoslaw_Szulgo
Dynatrace Guru

Yes they should work for Managed as well. This is written in Karolina's procedure.

Senior Product Manager,
Dynatrace Managed expert

eduardo_ferraz2
Inactive

Will it work for Dynatrace SaaS?


It works the same way:

https://www.dynatrace.com/support/help/cloud-platforms/amazon-web-services/how-do-i-start-amazon-web-services-monitoring#enable-access-to-your-amazon-account


eduardo_ferraz2
Inactive

Thank you @James K.


michal_nalezin
Dynatrace Advisor

Just FYI the help page How do I start Amazon Web Services monitoring has been updated recently