rahuls36

Reputation: 15

How to access cloud watch metrics of cross account using AWS CLI

I am trying to access metrics of CloudWatch (secondary account) using the AWS CLI, but I am not able to.

I have followed the Cross-Account Cross-Region CloudWatch Console - Amazon CloudWatch documentation where I can access them from GUI but not from CLI.

Upvotes: 0

Views: 1905

Answers (2)

Daniel Rocco

Reputation: 121

It is possible to request cross-account shared metrics via the HTTP API to CloudWatch. Here is an example that fetches the last 3 hours of 5XX errors from a load balancer, assuming

  • AWS account 123456789012 is the source of the metrics (where the load balancer lives)
  • the script is run with credentials in the destination account that receives metric data from the source account

awscurl handles the request signing duties:

#!/bin/bash

# now as a Unix timestamp 
end=$(date +%s)

# 3 hours before now as a Unix timestamp
start=$(($end - 10800))

query='{
    "Defaults": {
        "Period": 60,
        "Stat": "Sum",
        "Range": {
            "StartTime": '$start',
            "EndTime": '$end'
        }
    },
    "Metrics": [
        {
            "Id": "m1",
            "Alias": "m1",
            "AccountId": "123456789012",
            "Region": "us-east-1",
            "Namespace": "AWS/ApplicationELB",
            "MetricName": "HTTPCode_Target_5XX_Count",
            "Dimensions": [
                {
                    "Name": "LoadBalancer",
                    "Value": "app/MyLoadBalancerName/1234567890abcdef"
                }
            ],
            "ReturnData": true
        }
    ]
}'

awscurl \
    --service 'monitoring' \
    -H "x-amz-target: CloudWatchVersion20130116.GetMetricData" \
    -H "Content-Type: application/x-amz-json-1.0" \
    -H "Accept: */*" \
    -X POST \
    -d "$query" \
    https://monitoring.us-east-1.amazonaws.com

Example response:

{
  "Defaults": {
    "ListElement": false,
    "StatusCode": "Complete",
    "Timestamps": [
      1654104960,
      ...
    ]
  },
  "Messages": [],
  "MetricData": [
    {
      "AccountId": "123456789012",
      "Alias": "m1",
      "Label": "HTTPCode_Target_5XX_Count",
      "ListElement": false,
      "Unit": "Count",
      "Values": [
        1,
        ...
      ]
    }
  ]
}

You can call AWS STS with awscurl to ensure you have the correct credentials and help diagnose any permission issues if they arise:

$ awscurl \
    --service 'sts' \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -X POST \
    -d "Action=GetCallerIdentity&Version=2011-06-15" \
    https://sts.amazonaws.com

<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::222222222222:assumed-role/mymetricrole/[email protected]</Arn>
    <UserId>AROAEXAMPLE123456789A:[email protected]</UserId>
    <Account>222222222222</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>12345678-90ab-cdef-1234-567890abcdef</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>

Upvotes: 0

Marcin

Reputation: 238199

For CLI and SDK you would use cross-account roles for that.

It would work in two steps:

  1. Account 2 creates an assumable role whose trust policy allows Account 1 to assume it. The role would also allow the needed permissions to access the CW metrics.
  2. An IAM user or role in Account 1 would assume the role from Account 2 and access the metrics.

Using the CLI, you would have to use the sts assume-role call to assume Account 2's role. The call to STS would return a set of temporary AWS credentials. By using these credentials you would be able to access the metrics from Account 2.

Upvotes: 2
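The two steps above, as an added example that is not part of either answer: the trust and permissions policies Account 2 attaches to its role, and a helper that turns the `aws sts assume-role` response into the environment variables the CLI reads before calling CloudWatch. The account IDs and the role name `CrossAccountCloudWatchRead` are constructed placeholders.

```python
import datetime as dt
import json
import os
import subprocess

SOURCE_ACCOUNT = "222222222222"  # Account 2, owns the metrics (constructed id)
CALLER_ACCOUNT = "111111111111"  # Account 1, runs the CLI (constructed id)
ROLE_NAME = "CrossAccountCloudWatchRead"  # hypothetical role name in Account 2

def trust_policy(caller_account):
    """Step 1: trust policy on Account 2's role that lets Account 1 assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{caller_account}:root"},
        "Action": "sts:AssumeRole"}]}

def permissions_policy():
    """Step 1: read-only CloudWatch permissions attached to the same role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics"],
        "Resource": "*"}]}

def env_from_assume_role(response, now=None):
    """Step 2: map an `aws sts assume-role` JSON response to the CLI's env vars."""
    now = now or dt.datetime.now(dt.timezone.utc)
    creds = response["Credentials"]
    # CLI v1 prints Expiration with a trailing Z, v2 with +00:00; accept both.
    expires = dt.datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= now:
        raise ValueError("temporary credentials already expired")
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}

def main():
    role_arn = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/{ROLE_NAME}"
    out = subprocess.run(["aws", "sts", "assume-role", "--role-arn", role_arn,
                          "--role-session-name", "cw-read"],
                         check=True, capture_output=True, text=True).stdout
    env = {**os.environ, **env_from_assume_role(json.loads(out))}
    # With Account 2's temporary credentials in the environment, the CLI now
    # reads Account 2's metrics instead of the caller's own.
    subprocess.run(["aws", "cloudwatch", "list-metrics",
                    "--namespace", "AWS/ApplicationELB"], env=env, check=True)

if __name__ == "__main__":
    main()
```

Run it with Account 1 credentials in the default profile; the session token is what distinguishes the assumed-role credentials from the caller's long-lived keys.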
