Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

CloudWatch agent doesn't recognize presence of IAM Role

I'm trying to use the CloudWatch logs agent on a RedHat instance with an IAM role attached. The role has full access to CloudWatch. I installed and setup the agent using the instructions here:

http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html#running-ec2-step-2

Even though the IAM role is definitely attached to the instance, I keep seeing this message in /var/log/awslogs.log:

NoCredentialsError: Unable to locate credentials

When I run aws configure list, I can see the details for the IAM role.

  Name                    Value             Type           Location
  ----                    -----             ----           --------
 profile                <not set>           None           None
 access_key     ********************        iam-role
 secret_key     ********************        iam-role
 region                us-east-1            config-file    ~/.aws/config

Here is the contents of /var/awslogs/etc/aws.conf.

 [plugins]
 cwlogs = cwlogs
 [default]
 region = us-east-1

So why can't the CloudWatch logs agent find and use the IAM role?

like image 887
jcgrowley Avatar asked Aug 23 '17 18:08

jcgrowley


1 Answers

So after much banging my head against the wall, I finally figured out what my problem was. I'm using a proxy to enable the CloudWatch agent to communicate with CloudWatch, and I forgot to add NO_PROXY=169.254.169.254 to /var/awslogs/etc/proxy.conf. So when the agent attempted to query the metadata for information about the IAM role, it tried to go through the proxy to get it. Once I added the NO_PROXY in, it worked fine.

like image 108
jcgrowley Avatar answered Nov 01 '22 07:11

jcgrowley