Question:
I’m trying to use the CloudWatch logs agent on a RedHat instance with an IAM role attached. The role has full access to CloudWatch. I installed and set up the agent using the instructions here:
Even though the IAM role is definitely attached to the instance, I keep seeing this message in /var/log/awslogs.log:
NoCredentialsError: Unable to locate credentials
When I run aws configure list, I can see the details for the IAM role.

          Name                    Value             Type    Location
          ----                    -----             ----    --------
       profile
    access_key     ********************         iam-role
    secret_key     ********************         iam-role
        region                us-east-1      config-file    ~/.aws/config

Here is the contents of /var/awslogs/etc/aws.conf.

    [plugins]
    cwlogs = cwlogs

    [default]
    region = us-east-1

So why can’t the CloudWatch logs agent find and use the IAM role?
Answer:
So after much banging my head against the wall, I finally figured out what my problem was. I’m using a proxy to enable the CloudWatch agent to communicate with CloudWatch, and I forgot to add NO_PROXY=169.254.169.254 to /var/awslogs/etc/proxy.conf. So when the agent attempted to query the metadata for information about the IAM role, it tried to go through the proxy to get it. Once I added the NO_PROXY in, it worked fine.
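
A check for the misconfiguration described in the answer, as an added example that is not part of the original post: it reads a proxy.conf-style file and reports whether a configured proxy would also receive the instance-metadata requests used to fetch role credentials. The function names, the exit codes and the assumption that the file holds KEY=value lines for HTTP_PROXY, HTTPS_PROXY and NO_PROXY are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a proxy.conf-style
# file sends instance-metadata requests through the proxy.
# Assumed format: KEY=value lines using HTTP_PROXY, HTTPS_PROXY and NO_PROXY.
METADATA_IP=169.254.169.254

# conf_value KEY FILE: print the last value assigned to KEY, with
# whitespace, carriage returns and quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=//p" "$2" | tail -n 1 | tr -d " \t\r\"'"
}

# check_proxy_conf FILE
#   0 = no proxy set, or the metadata address is excluded from proxying
#   1 = a proxy is set and NO_PROXY does not list the metadata address
#   2 = file not readable
check_proxy_conf() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read $conf"
        return 2
    fi
    http=$(conf_value HTTP_PROXY "$conf")
    https=$(conf_value HTTPS_PROXY "$conf")
    no_proxy=$(conf_value NO_PROXY "$conf")

    if [ -z "$http$https" ]; then
        echo "OK: no proxy configured in $conf"
        return 0
    fi
    # NO_PROXY is a comma-separated list; require an exact entry so that a
    # truncated address such as 169.254.169.25 does not pass.
    if printf '%s\n' "$no_proxy" | tr ',' '\n' | grep -qxF "$METADATA_IP"; then
        echo "OK: $METADATA_IP bypasses the proxy"
        return 0
    fi
    echo "FAIL: proxy set but NO_PROXY lacks $METADATA_IP; role credential lookups will go to the proxy"
    return 1
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_proxy_conf "$1"
fi
```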