Quickstart for AWS

This quickstart shows you how to connect Stackdriver Monitoring to your Amazon Web Services (AWS) account. It also covers how to install the Monitoring and Logging agents on your EC2 instances.

Before you begin

You must have an AWS account that isn't currently monitored by a Workspace. You cannot monitor an AWS account from more than one Workspace.

To disconnect an AWS account from a Workspace, go to Removing a project from a Workspace.

Overview of steps

Adding an AWS account to a Workspace requires that you create a Google Cloud project to serve as the host project for the workspace. After the Workspace is created, you add the AWS account to the Workspace.

The following steps connect your AWS account to Monitoring:

  1. Create a new Google Cloud project.

  2. Create a new Workspace (recommended) or Connect an AWS account (if you want to use an existing Workspace).

  3. Identify your trusted account ID and external ID.

  4. Create an AWS role using the Account ID and External ID.

  5. Connect your Workspace and AWS account using the AWS Role to create a new AWS connector project.

  6. Create a service account in the AWS connector project to authorize access to Google Cloud.

Each of the preceding steps is described in detail in the following sections.

Configuring your Workspace

It is recommended that you Create a new Workspace for this quickstart. However, if you want to use an existing Workspace, skip ahead to Connect an AWS account.

In either case, be sure to get the Account ID and External ID that you need for your AWS account. For more information, go to Getting your account and external IDs.

Create a Google Cloud project

To create a Google Cloud project:

  1. In the Cloud Console, go to New Project.

    Create a New Project

  2. In the Project Name field, enter Quickstart.

  3. Click Create.

Create a Workspace

To create a Workspace for an existing Google Cloud project, do the following:

  1. Go to the Cloud Console:

    Go to Cloud Console

  2. In the menu bar, click the drop-down list next to the Google Cloud and select your Google Cloud project.

  3. Click Monitoring.

  4. If the Add your project to a Workspace dialog is displayed, create a new Workspace by selecting your Google Cloud project under New Workspace and then clicking Add. In the following image, the Google Cloud project name is Quickstart:

    Select workspace.

    The Add your project to a Workspace dialog is displayed only when you have at least one existing Workspace available to you. The Workspaces listed under Existing Workspace are Workspaces you've created or Workspaces for Google Cloud projects where you have editorial permission. Using this dialog, you can choose between creating a new Workspace and adding your project to an existing Workspace.

Next, Monitoring creates a new Workspace and adds your Google Cloud project to the Workspace. During Workspace creation, Monitoring proceeds through the following phases:

  1. Building your Workspace
  2. Enabling Stackdriver APIs
  3. We're still collecting data for your new Workspace

These phases might take several minutes to complete. When this process is complete, the Stackdriver Monitoring console displays the Monitoring Overview pane and a welcome message:

Overview and welcome message.

Get your account and external IDs

To identify the trusted account ID and external ID required by AWS:

  1. Go to the Stackdriver Monitoring console

    Go to Monitoring

  2. Next to the Stackdriver logo in the title bar, a Workspace name is displayed. If this isn't Quickstart, click on the drop-down list and select Quickstart.

  3. At the bottom of the Workspace menu, click Workspace Settings.

  4. Under Settings, click Monitored accounts.

  5. Click Add AWS account.

  6. Record the Account ID and External ID. You need this data to create your AWS Role.

  7. Click Cancel. You add your AWS account after you create your AWS role.

Creating an AWS role

To create your AWS role needed to authorize Stackdriver, you must have the Account ID and External ID for your Workspace. If you don't have them, follow the instructions in Getting your account and external IDs.

To create the AWS role, do the following:

  1. Log into your AWS IAM console and click Roles in the left-side menu.
  2. Click Create role and do the following:

    • For the Role type, select Another AWS account.
    • In the Account ID field, enter the account ID provided by Stackdriver.
    • Select the Require external ID checkbox.
    • In the External ID field, enter the external ID provided by Stackdriver.
    • Don't select Require MFA.
  3. Click Next: Permissions.

  4. From the Policy name drop-down list, select ReadOnlyAccess:

  5. Click Next: Tags.

  6. (Optional) Add metadata to the role by attaching tags as key–value pairs.

  7. Click Next: Review and fill in or verify the following information:

    • In the Role name field, enter a name such as GoogleStackdriver.
    • (Optional) In the Role description field, enter anything you wish.
    • In the Trusted entities field, verify it's the Account ID you entered earlier.
    • In the Policies field, verify the value is ReadOnlyAccess.
  8. In the AWS IAM page, click Create Role.

  9. On the Summary page, copy the Role ARN string so that you can give it to Stackdriver. If you don't see the summary, click the name of your role (for example, GoogleStackdriver) in the list of AWS roles.

Connecting an AWS account

To add an AWS account to an existing Workspace, do the following:

  1. In the Google Cloud Console, go to Monitoring:

    Go to Monitoring

  2. From the Workspace menu at the top of the page, select your Workspace. If you created a new Workspace as part of this Quickstart, then select that Workspace.

  3. At the bottom of the Workspace menu, click Workspace Settings.

  4. Under Settings, click Monitored accounts. The pane in the following screenshot shows that you are monitoring a single Google Cloud project—the Workspace's hosting project. You aren't yet monitoring any AWS accounts.

    Stackdriver monitored accounts.

  5. Click Add AWS account. Enter the Account ID and External ID from when you created a Workspace.

  6. Enter the following information in the form:

    • In the Role ARN field, enter your Role ARN from Creating an AWS role or follow the instructions on the Add AWS account page to create the role.
    • In the Description of account field, enter a short description of your AWS account. The first word or two is used to create a new project ID.

      Stackdriver AWS monitored accounts.

  7. Click Add AWS account. In a moment, the connection is confirmed.

AWS connector projects

When you connect to an AWS account, Monitoring creates an AWS connector project for you. The Monitored accounts page in your Workspace settings now includes the ID for this project:

Your AWS account description [YOUR_AWS_ACCOUNT_NUMBER]


  • [YOUR_AWS_ACCOUNT_NUMBER] represents the account number for your AWS account.
  • [CONNECTOR_PROJECT_ID] represents the connector project where you receive logs and metrics from your AWS account and where you set up authorization for agents and other AWS applications that need to access Google Cloud.

    The connector project's ID always begins with aws-, and the project's name always begins with AWS Link.

You can now close the Workspace Settings page.

Next step: Authorizing AWS applications


If you are told that your AWS account is already being monitored, do the following:

  • If another Workspace is monitoring your AWS account, then you must remove your AWS account from it. You cannot monitor an AWS account from more than one Workspace. To disconnect an AWS account from a Workspace, go to Removing a project from a Workspace.

  • This message can also appear if you didn't use the correct Account ID and External ID from your present Workspace when you created your AWS Role. The External ID is unique for each Workspace.

Authorizing AWS applications

You must perform the following steps if you do any of the following:

  • Run any of the Stackdriver agents on AWS VM instances.
  • Use any Google Cloud services from AWS applications.

To authorize applications running on AWS to access Google Cloud services, you give them access to a Google Cloud service account that has suitable Google Cloud IAM roles.

A single service account can authorize multiple AWS VM instances and applications in the same AWS account, or you can create multiple service accounts.

Create a service account

Service accounts are managed in the Cloud Console, not in the Stackdriver Monitoring console.

  1. To create the service account, go to the IAM & Admin > Service accounts page for your connector project:

    Go to Service accounts

  2. Select the AWS connector project (named AWS Link...) for your AWS account.

  3. Your connector project likely has no service accounts, so you are asked to create one. Click Create service account and enter the following information:

    • In the Service account name field, enter Stackdriver agent authorization.
    • In the Role field, add both of the following values:

      • Monitoring > Monitoring Metric Writer
      • Logging > Logs Writer
    • Select the Furnish a new private key checkbox.

    • For Key type, click JSON.

    • Clear the Enable G Suite Domain-wide Delegation checkbox.

      Create service account.

  4. Click Create. The service account's private-key file is downloaded to your workstation with a name such as Downloads/[PROJECT_NAME]-[KEY_ID].json.


    • [PROJECT_NAME] represents the name of your Google Cloud project.
    • [KEY_ID] represents the generated private key.

    To make the following instructions simpler, save the location of the credentials file in the variable CREDS on your workstation:


Add a service account to a VM instance

To add a service account, do the following:

  1. From your workstation, copy the Stackdriver private-key credentials file to your AWS EC2 instance and save it in a file named temp.json. In the scp command, specify the path to key.pem, your AWS SSH key pair file, and provide your AWS credentials:

    scp -i "$KEY" "$CREDS" AWS_USERNAME@AWS_HOSTNAME:temp.json
  2. On your EC2 instance, move the credentials to /etc/google/auth/application_default_credentials.json:

    sudo mkdir -p $(dirname "$GOOGLE_APPLICATION_CREDENTIALS")
  3. (Optional): Restrict access to the private-key credentials for the service account. For example:

    sudo chown root:root "$GOOGLE_APPLICATION_CREDENTIALS"
  4. Make sure the environment variable GOOGLE_APPLICATION_CREDENTIALS is visible to the agents and other applications that are authorized to use Google Cloud. The environment variable name is understood by the standard Google Cloud client libraries.

Install the agents

  1. (Optional): Install the Stackdriver Monitoring and Logging agents by running the following commands on your EC2 instance:

    curl -sSO https://dl.google.com/cloudagents/install-monitoring-agent.sh
    sudo bash install-monitoring-agent.sh
    curl -sSO https://dl.google.com/cloudagents/install-logging-agent.sh
    sudo bash install-logging-agent.sh --structured

    The --structured flag lets the Logging agent send structured data to Stackdriver Logging. For more information, go to Structured logging operations.

  2. Verify that the agents are running.

    ps ax | grep fluentd
    ps ax | grep collectd

    The expected output should be similar to the following:

    [PROCESS_ID] ?    Sl   0:00 /opt/google-fluentd/embedded/bin/ruby /usr/sbin/google-fluentd ...
    [PROCESS_ID] ?    Ssl  0:00 /opt/stackdriver/collectd/sbin/stackdriver-collectd ...

Using Stackdriver services with AWS

This section shows you how to use Stackdriver services with your AWS account.

Create an uptime check

Uptime checks verify that your web server is accessible from locations around the world. The alerting policy controls who is notified if the uptime checks should fail.

To create an alerting policy using that check, follow these steps:

  1. Go back to the Stackdriver Monitoring console:

    Go to Monitoring

  2. If you see the invitation Create an Uptime Check, click it. Otherwise, from the left menu, go to Uptime Checks > Uptime Checks Overview and then click Add Uptime Check or Create an Uptime Check.

  3. In the New Uptime Check window, fill in the following fields:

    • In the Title field, enterMy Uptime Check.
    • In the Check type drop-down list, select HTTP.
    • In the Resource Type drop-down list,choose an available resource
    • Depending on the select resource type, you might have other additional fields.

      Create an uptime check.

  4. To verify that your uptime check is working, click Test. If you see a Connection error - refused message, you either didn't install the Apache HTTP Server or you might have specified the HTTPS check type rather than HTTP. For other errors, go to Verify your uptime check.

  5. Click Save.

Create an alerting policy

  1. In the Uptime Check Created pane, click Create Alerting Policy:

    Uptime Check Created.

  2. In the Untitled Condition field, enter a title for the alert policy condition. All other fields in the conditions pane are automatically populated from the uptime check you created.

    Create Condition.

  3. Click Save.

  4. In the Notification Channel Type drop-down list, select Email.

    Create new Alerting Policy.

  5. Enter your email address and then click Add Notification Channel.

  6. In the Name this policy pane, enter My Uptime Check Policy.

  7. Click Save. You see a summary of the policy.

Create a dashboard and chart

To display the metrics collected by Monitoring in your own charts and dashboards, complete the following steps:

  1. Go to the Stackdriver Monitoring console

    Go to Monitoring

  2. Select Dashboards > Create dashboard.

  3. In the upper right-hand corner, click Add Chart.

  4. Click the Metric tab:

    Add chart blank.

  5. Under the heading Find resource type and metric, click the textbox and select an AWS metric.

  6. Click Save.

  7. In the new dashboard, change Untitled Dashboard to AWS Quickstart dashboard.

View your logs

Monitoring and Logging are closely integrated.

  1. In the Stackdriver Monitoring console left-side menu, go to Logging > AWS Link.
  2. The Logs Viewer for your AWS connector project, containes your AWS logs. To change the Logs Viewer focus to see the logs you want:

    • Go to Google Project > All project_id You should see at least one audit log from setting up your AWS connector project:

      AWS Logs Viewer.

    • If you installed the Stackdriver Monitoring agent on your supported AWS VM instances, you might see other log options.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, follow these steps.

  1. Remove your Stackdriver charts and alerts. In the Stackdriver Monitoring console:

    1. Delete your alerting policy from Alerting > Policy Overview.
    2. Delete your uptime check from Alerting > Uptime Checks.
    3. Delete your charts from Dashboards > AWS Quickstart example
  2. In the Stackdriver Monitoring console, go to the Workspace Settings page for your Workspace, aws-quickstart. In the Monitored accounts section, remove your AWS account.

  3. In your Amazon account, delete the AWS IAM role that you created for the quickstart.

  4. In the Google Cloud Console, delete your AWS connector project and—if you created it for this quickstart—your Google Cloud project, aws-quickstart. To delete a project, you select the project, go to IAM & Admin >Settings, and then at the top of the page click Delete Project.

What's next

  • Go to Supported metrics for a list of all the built-in metrics. There are over 500 metrics for Amazon AWS. If you want to create your own Monitoring metrics, go to Custom metrics.

  • To use the Monitoring API, go to the API reference.

  • For more information on logging and its relation to monitoring, go to Logging.

Czy ta strona była pomocna? Podziel się z nami swoją opinią:

Wyślij opinię na temat...

Stackdriver Monitoring
Potrzebujesz pomocy? Odwiedź naszą stronę wsparcia.