Fix cloudwatch output requires unneeded permissions (#3335)

Adam Johnson 2017-10-13 19:04:40 +01:00 committed by Daniel Nelson
parent 0f9f757da7
commit bf9f94eb9d
2 changed files with 10 additions and 8 deletions


@ -13,6 +13,8 @@ API endpoint. In the following order the plugin will attempt to authenticate.
5. [Shared Credentials](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#shared-credentials-file) 5. [Shared Credentials](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#shared-credentials-file)
6. [EC2 Instance Profile](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) 6. [EC2 Instance Profile](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
The IAM user needs only the `cloudwatch:PutMetricData` permission.
## Config ## Config
For this output plugin to function correctly the following variables For this output plugin to function correctly the following variables


@ -9,6 +9,7 @@ import (
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/cloudwatch" "github.com/aws/aws-sdk-go/service/cloudwatch"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
internalaws "github.com/influxdata/telegraf/internal/config/aws" internalaws "github.com/influxdata/telegraf/internal/config/aws"
@ -71,21 +72,20 @@ func (c *CloudWatch) Connect() error {
} }
configProvider := credentialConfig.Credentials() configProvider := credentialConfig.Credentials()
svc := cloudwatch.New(configProvider) stsService := sts.New(configProvider)
params := &cloudwatch.ListMetricsInput{ params := &sts.GetSessionTokenInput{}
Namespace: aws.String(c.Namespace),
}
_, err := svc.ListMetrics(params) // Try a read-only call to test connection. _, err := stsService.GetSessionToken(params)
if err != nil { if err != nil {
log.Printf("E! cloudwatch: Error in ListMetrics API call : %+v \n", err.Error()) log.Printf("E! cloudwatch: Cannot use credentials to connect to AWS : %+v \n", err.Error())
return err
} }
c.svc = svc c.svc = cloudwatch.New(configProvider)
return err return nil
} }
func (c *CloudWatch) Close() error { func (c *CloudWatch) Close() error {
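Review bot: The new credential probe in Connect(), `stsService.GetSessionToken(params)`, is likely to reject the temporary credentials that several of the documented auth methods produce. As far as I know, STS accepts GetSessionToken only when it is signed with long-term IAM user or root credentials, so an EC2 instance profile (item 6 in the README list) or an assumed role would fail here and the output would never connect, even with `cloudwatch:PutMetricData` granted. The call also mints a fresh session token that is immediately discarded. A probe that needs no IAM permission and works with any valid credential fits the least-privilege goal better: `_, err := stsService.GetCallerIdentity(&sts.GetCallerIdentityInput{})`. Connect's body starts outside the hunk, so confirm how `credentialConfig` is built before relying on this.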