Lightstep’s metrics integration with Amazon allows you to send metrics and metadata tags into Lightstep. Lightstep supports metrics from the following AWS products:

  • API Gateway
  • ApplicationELB
  • DynamoDB
  • ECS
  • EC2
  • ELB
  • ElastiCache
  • Elastic File System
  • Kinesis
  • Lambda
  • S3
  • SNS
  • SQS
  • RDS

You can add EC2 resource tags and other useful EC2 metadata as labels to any metric from an EC2 container, and you can also add ECS, RDS, ElastiCache, ELB, and ApplicationELB resource tags as labels to CloudWatch metrics.

In order to take full advantage of Lightstep’s Change Intelligence features, tag your resources with an appropriate service.name tag.

AWS Tag Management

You need to create an AWS role and policy for Lightstep and then grant Lightstep read-only access to your metrics and tags. If you use Terraform, use the snippet below to grant Lightstep access. Otherwise, you can do it manually.

Use a Terraform Snippet to Integrate

The Terraform snippet creates the LightstepAWSIntegrationRole role and the associated LightstepAWSIntegrationPolicy policy that grant Lightstep access to AWS.

Requirements

You need the following to use the snippet:

  • AWS CLI tool
  • Locally configured AWS credentials
  • [Optional] Terraform
  • [Optional] For an added layer of security, we recommend that you use an external ID (a randomly generated alphabetical string). You will need to provide Lightstep with this string upon completion of the setup process.

Download and Run the Terraform Snippet

  1. Download the snippet and replace [add id here] with the external ID.

  2. Run terraform apply.

  3. To complete the integration, contact your Technical Account Manager (Slack channel or email) and include the following information:

    • The external ID, if created.
    • The ARN of the newly created role.

Manually Integrate

You need to create a role and policy for Lightstep to access AWS.

You can also use the Amazon Command Line Interface to create the role and policy.

  1. Create a role for Lightstep to use to access metrics.
    In the AWS IAM Console, navigate to Access Management > Roles, and select Create role.

  2. For the type of trusted entity, select Another AWS Account.
  3. For Account ID, enter the Lightstep Account ID:
    297975325230.
  4. [Optional] For an added layer of security, we recommend that you check Require external ID and provide a randomly generated alphabetical string. You will need to provide Lightstep with this string upon completion of the setup process.
  5. Click Next: Permissions.
  6. Click Create Policy to create a policy for Lightstep access.
    A new browser window opens.

    If a policy already exists, skip to Step 11.

  7. To grant Lightstep read-only access to the metrics, metadata, and tags, select the JSON tab and enter the following snippet.

    This list may change with future improvements and integration releases.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources",
        "ec2:DescribeInstances",
        "cloudwatch:GetMetricData",
        "ec2:DescribeRegions",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    }
  ]
}
  8. Click Next: Tags.
    Add any descriptive tags for the policy that your organization requires. Click Next: Review.
  9. Name the policy LightstepAWSIntegrationPolicy or choose a similarly descriptive name. Provide a suitable description if you wish.
  10. Click Create policy.
    Close this window and then return to the Policy list in the Create Role flow. Click the Refresh button to see the new policy.
  11. Select the new policy from the list.
  12. Click Next: Tags.
    Add any descriptive tags for the role that your organization requires. Click Next: Review.
  13. Name the role LightstepAWSIntegrationRole or choose a similarly descriptive name and provide a description if you wish. Click Create Role.
  14. To complete the integration, contact your Technical Account Manager (Slack channel or email) and include the following information:
    • The external ID chosen in step 4, if any.
    • The Role ARN located in the Summary of the role. Please be sure to send the Role ARN and not the Policy ARN.
    • The AWS products to pull metrics from. Choose from: API Gateway, ECS, EC2, RDS, Load Balancers, ElastiCache, DynamoDB, Elastic File System, Kinesis, Lambda, S3, SNS and SQS. (Default is all)
    • Any AWS products not listed above that you want to send CloudWatch metrics from.
    • The polling interval to use for Lightstep to pull metrics from CloudWatch, from 1 minute to 15 minutes (the default).
    • The name or URL of the Lightstep project you want metrics sent to.
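
The trust relationship and read-only policy that the manual steps build, shown as an added example that is not Lightstep's own code: it generates an external ID, constructs the role's trust policy for the Lightstep account, and audits a role's two policy documents before the ARN is handed over. The function names, the 32-character length and the loosely configured sample documents are assumptions made for illustration.

```python
import secrets
import string

LIGHTSTEP_ACCOUNT_ID = "297975325230"  # Lightstep Account ID from step 3
LIGHTSTEP_PRINCIPALS = {LIGHTSTEP_ACCOUNT_ID, f"arn:aws:iam::{LIGHTSTEP_ACCOUNT_ID}:root"}
DOCUMENTED_ACTIONS = {"tag:GetResources", "ec2:DescribeInstances", "ec2:DescribeRegions",
                      "cloudwatch:GetMetricData", "cloudwatch:ListMetrics"}  # step 7; may change

def new_external_id(length=32):  # random alphabetical string (step 4); length is an assumption
    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))

def build_trust_policy(external_id):
    # What "Another AWS Account" plus "Require external ID" produces for the role.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{LIGHTSTEP_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def audit_trust_policy(policy):
    # Findings for any Allow statement that trusts more than the Lightstep account.
    findings = []
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal", {})
        trusted = ["*"] if principal == "*" else [p for v in principal.values() for p in _as_list(v)]
        findings += [f"unexpected principal: {p}" for p in trusted if p not in LIGHTSTEP_PRINCIPALS]
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(key.lower() == "sts:externalid" for key in equals):
            findings.append("no sts:ExternalId condition")
    return findings

def audit_permissions(policy):
    # Every allowed action outside the documented read-only set.
    return [f"undocumented action: {a}" for stmt in _allow_statements(policy)
            for a in _as_list(stmt.get("Action", [])) if a not in DOCUMENTED_ACTIONS]

# Constructed samples of a role set up too loosely, for comparison.
WEAK_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
WEAK_PERMISSIONS = {"Statement": [{"Effect": "Allow", "Action": ["cloudwatch:GetMetricData", "ec2:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_trust_policy(build_trust_policy(new_external_id())))
    print(audit_trust_policy(WEAK_TRUST), audit_permissions(WEAK_PERMISSIONS))
```

An empty list from both audit functions means the role trusts only the Lightstep account, requires the external ID, and grants nothing beyond the actions listed in step 7.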