Hello, I have two AWS accounts, A and B, and I'm trying to setup the Cloudwatch Exporter in A to scrape CW metrics from B, but I'm running into an issue getting it to actually gather the metrics. The error I'm getting is the following:
java: WARNING: CloudWatch scrape failed java: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: x-x-x; Proxy: null) I'm running the CW Exporter on an ec2-instance in account A. The instance has an IAM role with the appropriate permissions, including the policy to assume a role in account B with the appropriate permissions for the exporter. Scraping the metrics within A is successful, scraping the CW metrics of account B from account A with the assumed role is unsuccessful. I use the same assumed role for account A for our Grafana to scrape CW on account B and that works correctly. Not sure why it doesn't work for the CW exporter. The credentials are obtained from the ec2-instance's role, no access keys are kept on the instances. I would think that once the role is assumed for the exporter, it would be able to get the credentials appropriately. Is there something I'm missing? -- You received this message because you are subscribed to the Google Groups "Prometheus Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/d63132a1-91eb-4546-b79c-e788fbd28e91n%40googlegroups.com.
