bsnurka
Dynatrace Advisor

 

Summary

Per the AWS Integration docs, monitoring AWS Services (especially non-default ones) requires an EC2-based Environment ActiveGate that can perform the sts:AssumeRole Task on the AWS IAM Role in the AWS Account to be monitored.

 

Problem

The IAM Role associated with the ActiveGate is unable to perform the sts:AssumeRole Task, so no Metrics/Logs are ingested for AWS Resources within the AWS Account.

 

Troubleshooting steps

With an incorrect configuration applied, log entries similar to the following appear in the ActiveGate's SupportArchive.

 \log\dynatracegateway.0.0.log

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::{AG-AWS-Account-Number}:assumed-role/{AG-Role-Name}/{AG-Instance-ID} is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{Target-AWS-Account-Number}:role/{Target-Role-Name} (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: XXXX; Proxy: null)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)

Within the Dynatrace UI > Settings Classic > Cloud > AWS, there will be a warning stating that the given integration is "Running on Dynatrace provided infrastructure".

Non-default AWS Services cannot be added to the AWS Integration for monitoring.

 

Resolution

  1. Ensure the ActiveGate used for the integration is deployed as an EC2 instance and has aws_monitoring_enabled set to true in the custom.properties file: https://docs.dynatrace.com/docs/shortlink/sgw-configure#aws-monitoring
  2. Confirm the Target AWS Account has the proper IAM Role deployed: dynatrace-monitoring-role
    1. Redeploy the linked CloudFormation Template as needed.
  3. Confirm the IAM Policy attached to the ActiveGate matches the dynatrace-activegate-role
    1. From the ActiveGate's CLI:
      curl http://169.254.169.254/latest/meta-data/iam/info
    2. Redeploy the linked CloudFormation Template as needed.
  4. Test the sts:AssumeRole task from the ActiveGate's CLI
    1. aws sts assume-role --role-arn <ARN_of_monitoring_role> --role-session-name TestSession --external-id <external_id>
    2. The external_id can be found in the AWS Integration's config within the Dynatrace Settings.
  5. Confirm that no AWS Service Control Policy is configured that could block the sts:AssumeRole task, especially if the ActiveGate is deployed in a different AWS Account and Organization than the Target AWS Account.
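
The log line from the troubleshooting steps and steps 3 and 4 above, combined into one script. This is an added example, not Dynatrace tooling: the sample log line, account IDs, role names and function names are constructed, and the IMDSv2 token request is an assumption for instances where IMDSv1 is disabled.

```shell
#!/bin/sh
# Added example (not from Dynatrace). All IDs and names below are constructed.
SAMPLE_LOG='com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::111111111111:assumed-role/example-ag-role/i-0abc1234567890def is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/example-monitoring-role (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: XXXX; Proxy: null)'

# Read dynatracegateway log lines on stdin and print, once per distinct denial:
#   caller_account caller_role session target_account target_role scope
# "cross-account" is the case step 5 calls out for Service Control Policy checks.
parse_denials() {
  sed -nE 's#.*User: arn:aws[a-z-]*:sts::([0-9]{12}):assumed-role/([^/ ]+)/([^ ]+) is not authorized to perform: sts:AssumeRole on resource: arn:aws[a-z-]*:iam::([0-9]{12}):role/([^ (]+).*#\1 \2 \3 \4 \5#p' |
  sort -u |
  while read -r ca cr sess ta tr; do
    if [ "$ca" = "$ta" ]; then scope=same-account; else scope=cross-account; fi
    echo "$ca $cr $sess $ta $tr $scope"
  done
}

# Steps 3 and 4, to be run on the ActiveGate host itself (needs curl and the aws CLI).
live_checks() {  # usage: live_checks <ARN_of_monitoring_role> <external_id>
  imds=http://169.254.169.254/latest
  # Assumption: request an IMDSv2 session token so the call works with IMDSv1 off.
  tok=$(curl -s -X PUT "$imds/api/token" \
    -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
  curl -s -H "X-aws-ec2-metadata-token: $tok" "$imds/meta-data/iam/info"
  # The principal STS sees; its role should match the "User:" ARN in the log.
  aws sts get-caller-identity --query Arn --output text
  # Print only the assumed-role ARN so temporary credentials stay off the terminal.
  aws sts assume-role --role-arn "$1" --role-session-name TestSession \
    --external-id "$2" --query AssumedRoleUser.Arn --output text
}

# Demo on the constructed line; for real use: parse_denials < dynatracegateway.0.0.log
printf '%s\n' "$SAMPLE_LOG" | parse_denials
```

If `live_checks` succeeds but the log still shows denials, compare the role and target ARN printed by `parse_denials` with the values configured in the integration.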

 

What's next

If this article did not help, please open a support ticket, mention that this article was used and provide the following in the ticket:

Version history
Last update: 25 Jun 2025 09:37 AM