Lightstep’s metrics integration with Amazon allows you to send metrics and metadata tags into Lightstep. Lightstep supports metrics from ECS, EC2, RDS, ElastiCache, ELB and ApplicationELB CloudWatch namespaces. You can add EC2 resource tags and other useful EC2 metadata as labels to any metric from an EC2 container, and you can also add ECS, RDS, ElastiCache, ELB, and ApplicationELB resource tags as labels to CloudWatch metrics.

You need to create an AWS role and policy for Lightstep and then grant Lightstep read-only access to your metrics and tags. If you use Terraform, use the snippet below to grant Lightstep access. Or you can do it manually.

Use a Terraform Snippet to Integrate

The Terraform snippet creates the LightstepAWSIntegrationRole role and the associated LightstepAWSIntegrationPolicy policy that grant Lightstep access to AWS.

Requirements

You need the following to use the snippet:

  • AWS CLI tool
  • Locally configured AWS credentials
  • [Optional] For an added layer of security, we recommend that you use an external ID (a randomly generated alphabetical string). You will need to provide Lightstep with this string upon completion of the setup process.

Use the Terraform Snippet

  1. Download the snippet and replace [add id here] with the external ID.

  2. Run terraform apply.

  3. To complete the integration, contact your Technical Account Manager (Slack channel or email) and include the following information:

    • The external ID, if created.
    • The ARN of the newly created role.

Manually Integrate

You need to create a role and policy for Lightstep to access AWS.

  1. Create a role for Lightstep to use to access metrics.
    In the AWS IAM Console, navigate to Access Management > Roles, and select Create role.

  2. For the type of trusted entity, select Another AWS Account.
  3. For Account ID, enter the Lightstep Account ID:
    297975325230.
  4. [Optional] For an added layer of security, we recommend that you check Require external ID and provide a randomly generated alphabetical string. You will need to provide Lightstep with this string upon completion of the setup process.
  5. Click Next: Permissions.
  6. Create a policy for Lightstep access. If a policy already exists, select the policy name from the list. Otherwise, click Create Policy.
  7. To grant Lightstep read-only access to the metrics, metadata, and tags, select the JSON tab and enter the following snippet.

    This list may change with future improvements and integration releases.

    
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
             "tag:GetResources",
             "ec2:DescribeInstances",
             "cloudwatch:GetMetricData",
             "ec2:DescribeRegions",
             "cloudwatch:ListMetrics"
           ],
           "Resource": "*"
         }
       ]
     }
    
  8. Click Review policy.
  9. Name the policy LightstepAWSIntegrationPolicy or choose a similarly descriptive name. Provide a suitable description if you wish.
  10. Click Create policy. You can close this window and return to the role creation flow.
  11. Refresh the list of policies and select the policy you just created.
  12. Click Next: Tags.
    Add any descriptive tags for the role that your organization requires. Click Next: Review.
  13. Name the role LightstepAWSIntegrationRole or choose a similarly descriptive name and provide a description if you wish. Click Create Role.
  14. To complete the integration, contact your Technical Account Manager (Slack channel or email) and include the following information:
    • The external ID chosen in step 4, if created.
    • The Role ARN located in the Summary of the role.
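
Before sending the role ARN, it is worth confirming that the role's trust policy allows only the Lightstep account from step 3 and carries the external ID condition recommended in step 4. The script below is an added example, not part of Lightstep's documentation or its Terraform snippet; the sample trust policy and its external ID value are constructed placeholders, and the function names are hypothetical.

```python
import json

LIGHTSTEP_ACCOUNT_ID = "297975325230"  # account ID from step 3 of the page

# Constructed sample of a cross-account trust policy with an external ID.
# "EXAMPLEEXTERNALID" is a placeholder, not a real value.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{LIGHTSTEP_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLEEXTERNALID"}},
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Extract the account ID from an IAM ARN; bare account IDs pass through."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else principal


def audit_trust_policy(policy_json, expected_account=LIGHTSTEP_ACCOUNT_ID):
    """Return findings for every Allow statement that lets a principal assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind != "AWS" or _account_of(p) != expected_account:
                    findings.append(f"statement {i}: unexpected principal {kind}={p}")
        # Condition operators and keys are matched case-insensitively here.
        equals = {k.lower(): v for op, body in stmt.get("Condition", {}).items()
                  if op.lower() == "stringequals" for k, v in body.items()}
        if not equals.get("sts:externalid"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST_POLICY) or "trust policy matches the setup steps")
```

To check the real role, pass in the document returned by: aws iam get-role --role-name LightstepAWSIntegrationRole --query Role.AssumeRolePolicyDocument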