AWS EKS: trying to enable cloud insights using Ruby on Rails, getting exception

Dear AWS Support Team,

I am encountering several issues with the Amazon CloudWatch agent running on an EC2 instance, leading to configuration validation failures and permission denials for sts:AssumeRoleWithWebIdentity. Despite following the documentation for setup and configuration, I have been unable to resolve these issues. Below are the details of the problems and the steps I have taken so far:

Configuration File Absence: The CloudWatch agent attempts to read a default configuration from /opt/aws/amazon-cloudwatch-agent/bin/default_linux_config.json, which appears to be missing or inaccessible. Although it subsequently reads the configuration from /etc/cwagentconfig/cwagentconfig.json, I'm concerned about the initial failure.

ECS Metadata Access Failure: The agent attempts to detect if it is running within an ECS environment by accessing the ECS task metadata endpoint but fails due to timeouts. This is expected to some extent since the environment is EC2, not ECS, but it contributes to my concern about whether the agent is correctly identifying its runtime environment.

Permission Issues with sts:AssumeRoleWithWebIdentity: The most critical issue involves repeated failures to describe EC2 tags, with errors indicating AccessDenied for the sts:AssumeRoleWithWebIdentity action. The exact error message is as follows:

Describe EC2 Tag Fail. Will retry the request: WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity status code: 403, request id: [various request IDs]

These errors persist despite several retries with exponential backoff, indicating a fundamental issue with IAM permissions or the trust relationship configuration for the role assumed by the CloudWatch agent.

Configuration Validation Error: The operation ends with a configuration validation error, hinting at potential issues with the agent's configuration file or unsupported features due to the agent version.

Troubleshooting Steps Taken:

Verified the existence and syntax of the CloudWatch agent configuration file at /etc/cwagentconfig/cwagentconfig.json.

Checked the IAM role associated with the EC2 instance to ensure it includes permissions for CloudWatch and STS actions, particularly sts:AssumeRoleWithWebIdentity.

Considered network access issues and permissions as potential culprits for the inability to access ECS metadata, though this should not impact the primary operation in an EC2 context.

Assistance Required:

asked 3 months ago, 173 views
No Answers
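The AccessDenied on sts:AssumeRoleWithWebIdentity described in the question is, on EKS, most often a mismatch between the IAM role's trust policy and the service-account token the CloudWatch agent pod presents (IRSA). As an added example, not code from the post or from AWS, the Python checker below evaluates a constructed trust policy the way STS would for a given namespace and service account, and reports which condition fails; the account id, OIDC provider id, namespace and service-account name are placeholders.

```python
# Constructed sample (placeholder account id, OIDC provider id and names; none come from the post).
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID0000000000000000"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
            f"{OIDC_PROVIDER}:sub": "system:serviceaccount:amazon-cloudwatch:cloudwatch-agent",
        }},
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, provider, namespace, service_account):
    """Simulate IRSA: does any Allow statement admit a token whose sub claim is
    system:serviceaccount:<namespace>:<service_account> and whose aud is sts.amazonaws.com?
    Returns (allowed, notes); notes explain every statement that did not match.
    Only StringEquals conditions are modelled (StringLike wildcards are out of scope)."""
    sub = f"system:serviceaccount:{namespace}:{service_account}"
    notes = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or \
           "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated", ""))
        if not any(f.endswith("oidc-provider/" + provider) for f in federated):
            notes.append(f"statement {i}: Federated principal is not this cluster's OIDC provider")
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        auds = _as_list(cond.get(f"{provider}:aud", "sts.amazonaws.com"))
        subs = _as_list(cond.get(f"{provider}:sub", sub))  # absent key => no restriction
        if "sts.amazonaws.com" not in auds:
            notes.append(f"statement {i}: aud condition {auds} does not include sts.amazonaws.com")
        elif sub not in subs:
            notes.append(f"statement {i}: sub condition {subs} does not match token sub {sub}")
        else:
            if f"{provider}:sub" not in cond:
                notes.append(f"statement {i}: no sub condition; any service account in the "
                             "cluster can assume this role (over-broad trust)")
            return True, notes
    return False, notes or ["no Allow statement for sts:AssumeRoleWithWebIdentity"]
```

Run it with the namespace and service account the agent actually runs under (kubectl get sa -n <namespace>); a False result with a sub mismatch is the usual cause of the 403 seen in the question.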
