This Quickstart shows you how to connect Stackdriver Monitoring to your Amazon Web Services (AWS) account. It also covers how to install the Stackdriver Monitoring and Logging agents on your EC2 instances.
Before you begin
You must have an AWS account that is not currently monitored by a Workspace. You cannot monitor an AWS account from more than one Workspace.
To disconnect an AWS account from a Workspace, see Removing a project from a Workspace.
Overview of steps
The following steps connect your AWS account to Monitoring:
Create a new Workspace in Cloud Platform. Get the Account ID and External ID that you will need for your AWS account.
Create an AWS Role using the Account ID and External ID.
Connect your Workspace and AWS account using the AWS Role. This creates a new AWS connector project.
Create a service account in the AWS connector project to authorize access to GCP.
Each of the preceding steps is described in detail in the following sections.
Next step: One of the following:
- Create a new Workspace (recommended).
- Connect an AWS account (if you want to use an existing Workspace).
Create a Workspace
To create a Workspace to use with your AWS account, do the following:
Go to the Stackdriver Monitoring console:
If you are not asked to create a Workspace immediately, then select Create Workspace from the Workspace drop-down list:
You see the Create your free Workspace page:
Click the text box Google Cloud Platform Project, select New Project and enter a project name, such as
Click Create Workspace. There is a pause while Stackdriver creates the new GCP project.
You see the page Add Google Cloud Platform projects to monitor. Click Continue, because you are not adding any GCP projects.
You see the page Monitor AWS accounts. In the instructions appearing on that page, look for an Account ID and an External ID, which are specific to your new Workspace. For example, you see:
Enter the following:
Account ID: a number
External ID: an ID string
Save these numbers, which you will need in the following section.
Click Skip AWS Setup at the bottom of the Monitor AWS accounts page to finish creating your Workspace.
You can skip through the following pages until you see Gathering information... and then Finished initial collection!
Next step: Creating an AWS role.
Creating an AWS role
To create the AWS role needed to authorize Stackdriver, do the following:
- Log into your AWS IAM console and click Roles in the left-side menu.
Click Create New Role and do the following:
- Select the role type Another AWS account.
- For Account ID, enter the account ID provided by Stackdriver.
- Check the box Require external ID.
- For External ID, enter the external ID provided by Stackdriver.
- Do not check Require MFA.
- Click Next: Permissions.
From the Policy name list, select ReadOnlyAccess, which is near the bottom of the long list:
Click Next: Review and fill in or verify the following information:
- For Role name, enter a name such as GoogleStackdriver.
- For Role description, enter anything you wish.
- The value of Trusted entities should be the Account ID entered earlier.
- The value of Policies should be ReadOnlyAccess.
Click Create Role in the AWS IAM page.
On the Summary page for your AWS role, copy the Role ARN string so that you can give it to Stackdriver. If you do not see the summary, click the name of your role (for example, GoogleStackdriver) in the list of AWS roles.
Next step: Connect your AWS account
Connecting an AWS account
To add an AWS account to an existing Workspace, do the following:
Go to the Stackdriver Monitoring console:
From the Workspace menu at the top of the page, select your Workspace. If you created a new Workspace as part of this Quickstart, then select that Workspace.
Click Workspace Settings at the bottom of the same Workspace menu. You should see a page like the following:
Click Monitored accounts under Settings. The panel in the following screenshot shows that you are monitoring a single GCP project—the Workspace's hosting project. There are not yet any AWS accounts being monitored.
Click Add AWS account. You see instructions for creating an AWS Role, and in those instructions are two important numbers: an Account ID and an External ID:
Enter the following:
Account ID: a number
External ID: an ID string
Below the instructions for creating an AWS Role, you see the following form:
If you followed the previous Quickstart instructions, then you should already have a Role ARN. If not, see Creating an AWS role or follow the instructions on the Add AWS account page to create the role.
Enter the following information into the preceding form:
- Role ARN: Enter your Role ARN from Creating an AWS role.
- Description of account: Enter a short description of your AWS account. The first word or two will be used to create a new project ID.
Click Add AWS account at the bottom of the form. In a moment, the connection is confirmed.
You can now leave the Workspace Settings page.
Next step: Authorizing AWS applications
If you are told that your AWS account is already being monitored, do the following:
If another Workspace is monitoring your AWS account, then you must remove your AWS account from it. You cannot monitor an AWS account from more than one Workspace. To disconnect an AWS account from a Workspace, see Removing a project from a Workspace.
This message can also appear if you did not use the correct Account ID and External ID from your present Workspace when you created your AWS Role. The External ID is different for each Workspace.
AWS connector projects
When you connect to an AWS account, Monitoring creates an AWS connector project for you. The Monitored accounts page in your Workspace Settings now includes the ID for this project:
Your AWS account description [YOUR_AWS_ACCOUNT_NUMBER]
Connected to [CONNECTOR_PROJECT_ID]
The connector project's ID always begins with aws-, and the project's name always begins with AWS Link.
The connector project is where you receive logs and metrics from your AWS account and where you set up authorization for agents and other AWS applications that need to access GCP.
Authorizing AWS applications
You must perform the following steps if you do any of the following:
- Run any of the Stackdriver agents on AWS VM instances.
- Use any Cloud Platform services from AWS applications.
To authorize applications running on AWS to access GCP services, give them access to a GCP service account that has suitable GCP IAM roles.
Create the service account in the AWS connector project for your AWS account. To find the connector project, see the Workspace Settings > Monitored accounts page of your Workspace.
A single service account can authorize multiple AWS VM instances and applications in the same AWS account, or you can create multiple service accounts.
Creating a service account
Service accounts are managed in the GCP Console, not in the Stackdriver Monitoring console.
To create the service account, go to the IAM & Admin > Service accounts page for your connector project:
Choose the AWS connector project (named
AWS Link...) for your AWS account.
Your connector project likely has no service accounts, so you are asked to create one. Click Create service account and enter the following information:
- Service account name:
Stackdriver agent authorization
- Role: Add both of the following:
- Monitoring > Monitoring Metric Writer
- Logging > Logs Writer
- Furnish a new private key: (checked)
- Key type: JSON
- Enable G Suite Domain-wide Delegation: (leave unchecked)
- Service account name:
Click Create. The service account's private-key file is downloaded to your workstation, with a name like
To make some of the following instructions simpler, save the location of the credentials file in variable
CREDSon your workstation:
Adding a service account to a VM instance
Copy the Stackdriver private-key credentials file on your workstation
to a location on your AWS EC2 instance. You must define the environment variable
GOOGLE_APPLICATION_CREDENTIALS to hold its path name:
From your workstation, copy the credentials file to your AWS EC2 instance and save in a file named
temp.json. In the
scpcommand, specify the path to
key.pem, your AWS scp key pair file, and provide your AWS credentials.
KEY="/path/to/key.pem" scp -i "$KEY" "$CREDS" AWS_USERNAME@AWS_HOSTNAME:temp.json
On your EC2 instance, move
$HOME/temp.json, to its final location. The following name and location is arbitrary:
GOOGLE_APPLICATION_CREDENTIALS="/etc/google/auth/application_default_credentials.json" sudo mkdir -p $(dirname $GOOGLE_APPLICATION_CREDENTIALS) sudo mv "$HOME/temp.json" "$GOOGLE_APPLICATION_CREDENTIALS"
(Optional) You might want to restrict access to the private-key credentials for the service account:
sudo chown root:root "$GOOGLE_APPLICATION_CREDENTIALS" sudo chmod 0400 "$GOOGLE_APPLICATION_CREDENTIALS"
Make sure the environment variable
GOOGLE_APPLICATION_CREDENTIALSis visible to the agents and other applications that should be authorized to use GCP. The environment variable name is understood by the standard GCP client libraries.
Installing the agents
(Optional) Install the Stackdriver Monitoring and Logging agents by running the following commands on your EC2 instance:
curl -sSO https://dl.google.com/cloudagents/install-monitoring-agent.sh sudo bash install-monitoring-agent.sh curl -sSO https://dl.google.com/cloudagents/install-logging-agent.sh sudo bash install-logging-agent.sh
To verify that the agents are running, use the following two commands:
ps ax | grep fluentd ps ax | grep collectd
[PROCESS_ID] ? Sl 0:00 /opt/google-fluentd/embedded/bin/ruby /usr/sbin/google-fluentd ... [PROCESS_ID] ? Ssl 0:00 /opt/stackdriver/collectd/sbin/stackdriver-collectd ...
Using Stackdriver services with AWS
This section shows you how to use Stackdriver services with your AWS account.
Creating uptime checks and alerting policies
Uptime checks verify that your web server is always accessible. The alerting policy controls who is notified if the uptime checks should fail. There are more details at Using Uptime Checks and Introduction to Alerting. Following are abbreviated instructions:
Go back to the Stackdriver Monitoring console.
If you see the invitation Create an Uptime Check on the dashboard, then click it. Otherwise, select Uptime Checks > Uptime Check Overview from the left menu and then click Add Uptime Check or Create an Uptime Check. You see the New Uptime Check panel:
Fill in the following fields for the uptime check:
- Resource Type: Choose from the menu of available resources
- Depending on the resource type, you might have other options.
Click Test to verify your uptime check is working.
Click Save. You see the following panel:
Click Create Alerting Policy in the preceding panel.
The Conditions section is already set up with your uptime check. You don't have to change it.
In the Notifications section, click Add Notification and fill in your email address.
In the Documentation section, click Add Documentation and enter:
AWS Quickstart example.
In the Name this policy section, you can accept the default
Uptime Check Policy.
Click Save Policy.
Display the metrics collected by Monitoring in your own charts and dashboards:
In the top menu of Stackdriver Monitoring console, select Dashboards > Create....
Click Add Chart. In the panel, select Metric. In the Find resource type and metric drop-down list, select an AWS metric.
In the new dashboard, change
AWS Quickstart dashboard.
Viewing your logs
Monitoring and Logging are closely integrated. In the Stackdriver Monitoring console left-side menu, choose Logging > AWS Link.... You see the Logs Viewer for your AWS connector project, which also holds your AWS logs. Change the Logs Viewer focus to see the logs you want:
Select Google Project > All project_id in the first drop-down menu. You should see at least one audit log from setting up your AWS connector project:
If you installed the Stackdriver Monitoring agent on your supported AWS VM instances, you might see other log options.
To avoid incurring charges to your GCP account for the resources used in this quickstart:
Remove your Stackdriver charts and alerts. In the Stackdriver Monitoring console:
- Delete your alerting policy from Alerting > Policy Overview.
- Delete your uptime check from Alerting > Uptime Checks.
- Delete your charts from Dashboards > AWS Quickstart example
In the Stackdriver Monitoring console, go to the Workspace Settings page for your Workspace,
aws-quickstart. In the Monitored accounts section, remove your AWS account.
In your Amazon account, delete the AWS IAM role that you created for the Quickstart.
In the Google Cloud Platform Console, delete your AWS connector project and—if you created it for this Quickstart—your Google Cloud Platform Project,
aws-quickstart. You delete a project by selecting the project, going to the IAM & Admin > Settings page, and clicking Delete Project at the top of the page.
To use the Monitoring API, see the API reference.
For more information on logging and its relation to monitoring, see Logging.