Hi, I'm looking into How to use STS regional endpoints in Monitor Amazon Web Services with Amazon CloudWatch metrics.

Reading at the documentation, it seemed like it could be done.

https://www.dynatrace.com/support/help/shortlink/aws-monitoring-guide#monitoring-prerequisites

The AWS Security Token Service is a global endpoint by default. In case of using a regional endpoint, sts.<REGION>.amazonaws.com needs to be accessible.

Therefore, we built a Region STS Endpoint in the same Private subnet as EC2 where ActiveGate was set up. However, the connection is made to the default STS global endpoint, resulting in an error.

2023-07-26 06:48:04 UTC INFO [<xxx00000>] [<vtopology.provider>, PartitionAutoDetection] Updating partition: aws-cn -> aws, for credentials: AWS-monitoring [-xxxxxxxxxxxx]
2023-07-26 06:48:45 UTC WARNING [<xxx00000>] [<vtopology.provider>, AWSFastCheckCallable] Credentials refresh failed: {status: ERROR_BAD_CREDENTIALS, statusInfo: Service failed to assume role provided in credentials, credentials: AWSCredentialsImpl {identifier: ***********, accessKey: null, tenantUUID: xxx00000, iamRole: Dynatrace_monitoring_role, accountId: xxxxxxxxxxx, externalId: *****, label: AWS-monitoring, version: 2.0}, exception: com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/209.54.177.164] failed: connect timed out}

We have confirmed that the communication between EC2 with ActiveGate and the Region STS endpoint is no problem.

I think I need to add or change some settings, but if anyone knows, please let me know.

Best regards,

Yuki Ito