Telegraf unable to write metrics to CloudWatch with IMDSv1 disabled #7371

anilkun · 2020-04-19T03:58:02Z

Hi Team,

I have an EC2 instance where AWS IMDSV1 is disabled and AWS IMDSV2 is enabled for security reasons. The instance is attached with IAM role with enough privileges. When I deploy telegraf with cloudwatch output plugin, telegraf is unable to write metrics to CloudWatch because it cannot find aws credentials or config file. I tried with providing role_arn and profile but the issue persists.

Relevant telegraf.conf:

[[outputs.cloudwatch]]
region = "us-west-2"
namespace = "test"
role_arn = ""

System info:

Ubuntu 18.04

Steps to reproduce:

Disable AWS IMDSV1 on an EC2 instance
Configure telegraf cloudwatch output plugin
Attach IAM role to EC2 instance
Start telegraf

Actual behavior:

systemctl status telegraf
● telegraf.service - The plugin-driven server agent for reporting metrics into InfluxDB
   Loaded: loaded (/lib/systemd/system/telegraf.service; disabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-04-19 03:52:07 UTC; 1min 54s ago
     Docs: https://github.com/influxdata/telegraf
 Main PID: 12607 (telegraf)
    Tasks: 11 (limit: 4451)
   CGroup: /system.slice/telegraf.service
           └─12607 /usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d

Apr 19 03:52:07 ip-xxx-xx-x-xxx telegraf[12607]: 2020-04-19T03:52:07Z D! [agent] Initializing plugins
Apr 19 03:52:07 ip-xxx-xx-x-xxx telegraf[12607]: 2020-04-19T03:52:07Z D! [agent] Connecting outputs
Apr 19 03:52:07 ip-xxx-xx-x-xxx telegraf[12607]: 2020-04-19T03:52:07Z D! [agent] Attempting connection to [outputs.cloudwatch]
Apr 19 03:52:07 ip-xxx-xx-x-xxx telegraf[12607]: 2020-04-19T03:52:07Z D! [agent] Successfully connected to outputs.cloudwatch
Apr 19 03:52:07 ip-xxx-xx-x-xxx telegraf[12607]: 2020-04-19T03:52:07Z D! [agent] Starting service inputs
Apr 19 03:54:00 ip-xxx-xx-x-xxx telegraf[12607]: 2020-04-19T03:54:00Z E! CloudWatch: Unable to write to CloudWatch : NoCredentialProviders: no valid providers in chain. Deprecated.
Apr 19 03:54:00 ip-xxx-xx-x-xxx telegraf[12607]:         For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Apr 19 03:54:00 ip-xxx-xx-x-xxx telegraf[12607]: 2020-04-19T03:54:00Z D! [outputs.cloudwatch] Buffer fullness: 6 / 10000 metrics
Apr 19 03:54:00 ip-xxx-xx-x-xxx telegraf[12607]: 2020-04-19T03:54:00Z E! [agent] Error writing to outputs.cloudwatch: NoCredentialProviders: no valid providers in chain. Deprecated.
Apr 19 03:54:00 ip-xxx-xx-x-xxx telegraf[12607]:         For verbose messaging see aws.Config.CredentialsChainVerboseErrors

The text was updated successfully, but these errors were encountered:

…disabled AWS GO SDK released support for AWS Metadata service v2 as SDK enhancement from [Release](https://github.com/aws/aws-sdk-go/blob/master/CHANGELOG.md#release-v12538-2019-11-19) The current AWS SDK version used in cloud watch output plugin has to updated to version >= 1.25.38 to have support for IMDSV2

danielnelson added area/aws AWS plugins including cloudwatch, ecs, kinesis bug unexpected problem or unintended behavior labels Apr 20, 2020

anilkun mentioned this issue Apr 20, 2020

Fix #7371 aws cloudwatch cannot write metrics if imdsv1 is disabled #7373

Merged

3 tasks

danielnelson closed this as completed in #7373 Apr 20, 2020

danielnelson added this to the 1.15.0 milestone Apr 20, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Telegraf unable to write metrics to CloudWatch with IMDSv1 disabled #7371

Telegraf unable to write metrics to CloudWatch with IMDSv1 disabled #7371

anilkun commented Apr 19, 2020

Telegraf unable to write metrics to CloudWatch with IMDSv1 disabled #7371

Telegraf unable to write metrics to CloudWatch with IMDSv1 disabled #7371

Comments

anilkun commented Apr 19, 2020

Relevant telegraf.conf:

System info:

Steps to reproduce:

Actual behavior: