26 Jul 2023 08:28 AM
Hi, I'm looking into how to use STS regional endpoints in "Monitor Amazon Web Services with Amazon CloudWatch metrics".
Reading the documentation, it seemed like it could be done.
https://www.dynatrace.com/support/help/shortlink/aws-monitoring-guide#monitoring-prerequisites
The AWS Security Token Service is a global endpoint by default. In case of using a regional endpoint, sts.<REGION>.amazonaws.com needs to be accessible.
Therefore, we built a Region STS Endpoint in the same private subnet as the EC2 instance where ActiveGate was set up. However, the connection is made to the default STS global endpoint, resulting in an error.
2023-07-26 06:48:04 UTC INFO [<xxx00000>] [<vtopology.provider>, PartitionAutoDetection] Updating partition: aws-cn -> aws, for credentials: AWS-monitoring [-xxxxxxxxxxxx]
2023-07-26 06:48:45 UTC WARNING [<xxx00000>] [<vtopology.provider>, AWSFastCheckCallable] Credentials refresh failed: {status: ERROR_BAD_CREDENTIALS, statusInfo: Service failed to assume role provided in credentials, credentials: AWSCredentialsImpl {identifier: ***********, accessKey: null, tenantUUID: xxx00000, iamRole: Dynatrace_monitoring_role, accountId: xxxxxxxxxxx, externalId: *****, label: AWS-monitoring, version: 2.0}, exception: com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/209.54.177.164] failed: connect timed out}
We have confirmed that there is no problem with the communication between the EC2 instance with ActiveGate and the Region STS endpoint.
I think I need to add or change some settings, but if anyone knows, please let me know.
Best regards,
Yuki Ito
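The following is an added example, not part of the original post and not Dynatrace code: it parses the connection failure in the WARNING line above and reports whether the client targeted the global or a regional STS hostname and whether the resolved addresses are private. The function name, the shortened sample line and the second sample line (region and 10.x address) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the WARNING line from the post, shortened to the exception part.
SAMPLE_LOG = (
    "2023-07-26 06:48:45 UTC WARNING [<xxx00000>] [<vtopology.provider>, "
    "AWSFastCheckCallable] Credentials refresh failed: {status: ERROR_BAD_CREDENTIALS, "
    "exception: com.amazonaws.SdkClientException: Unable to execute HTTP request: "
    "Connect to sts.amazonaws.com:443 [sts.amazonaws.com/209.54.177.164] failed: "
    "connect timed out}"
)

# Message shape seen in the log: "Connect to host:port [host/ip, host/ip] failed: reason"
CONNECT_RE = re.compile(
    r"Connect to (?P<host>[\w.-]+):(?P<port>\d+) \[(?P<addrs>[^\]]*)\] "
    r"failed: (?P<reason>[^}\n]+)"
)
# Regional STS hostnames follow sts.<REGION>.amazonaws.com (".cn" suffix in aws-cn).
REGIONAL_STS_RE = re.compile(r"^sts\.(?P<region>[a-z0-9-]+)\.amazonaws\.com(\.cn)?$")


def classify_sts_failure(line):
    """Return details of a failed STS connection found in a log line, or None."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    host = m.group("host")
    # Each entry is "hostname/ip"; keep only the IP part.
    ips = [a.split("/", 1)[1] for a in m.group("addrs").split(", ") if "/" in a]
    regional = REGIONAL_STS_RE.match(host)
    if host == "sts.amazonaws.com":
        endpoint = "global"
    elif regional:
        endpoint = "regional"
    else:
        endpoint = "not-sts"
    return {
        "host": host,
        "port": int(m.group("port")),
        "endpoint": endpoint,
        "region": regional.group("region") if regional else None,
        "resolved": ips,
        # True only if every resolved address is in a private range.
        "all_private": bool(ips) and all(ipaddress.ip_address(i).is_private for i in ips),
        "reason": m.group("reason").strip(),
    }


if __name__ == "__main__":
    print(classify_sts_failure(SAMPLE_LOG))
```

For the line in the post this reports the global hostname resolved to a public address, so the timed-out request was not addressed to the regional hostname at all.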
12 Feb 2024 07:13 PM
@yito were you able to get this resolved?
22 Mar 2024 08:09 AM
I'm sorry, I missed your message.
Actually, I haven't been able to resolve this yet. I would like to know how to use STS regional endpoints in "Monitor Amazon Web Services with Amazon CloudWatch metrics".