Commit bbbfd3f

[DOCS-14551] Add permissions boundary troubleshooting to AWS manual setup and troubleshooting guides (#37306)
1 parent 51c59c4 commit bbbfd3f

2 files changed

Lines changed: 18 additions & 0 deletions

content/en/integrations/guide/aws-integration-troubleshooting.md

Lines changed: 2 additions & 0 deletions
@@ -117,6 +117,7 @@ If you are not seeing expected AWS metrics in Datadog, work through the followin
117117
4. **Check whether the service requires additional enablement.** Some AWS services do not emit metrics to CloudWatch by default and require extra configuration in the AWS console. See [Which AWS services require additional setup beyond the core integration?][26] for a full list.
118118
5. **Wait for the polling interval.** Allow at least one collection cycle before investigating further. See [Expected metric delays](#expected-metric-delays) for timing by collection method.
119119
6. **Check for Service Control Policies (SCPs).** If your account is part of an AWS Organization, SCPs applied at the organization or organizational unit (OU) level can override IAM permissions and block API calls. Verify that no SCP denies the required permissions.
120+
7. **Check for permissions boundaries.** A [permissions boundary][30] sets the maximum permissions a role can have. If the boundary does not include an action required by the Datadog integration, AWS returns `AccessDenied` for that action even when the integration role policy appears to grant it. In the AWS IAM console, open the integration role and check the **Permissions boundary** tab to see whether a boundary is attached.
120121

121122
### Wrong count of aws.elb.healthy_host_count
122123

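Review bot: new step 7 tells the reader how to see whether a boundary is attached (the **Permissions boundary** tab) but not what to do once one is found, whereas the parallel addition to aws-manual-setup.md in this same commit closes with the resolution ("coordinate with your IAM or security team to ensure the boundary policy includes the required Datadog integration actions"). Consider adding that sentence here as well, or linking to that section, so the troubleshooting step is actionable on its own; repeating the `aws iam get-role` CLI check from the other file would also help readers who do not have console access.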
@@ -221,3 +222,4 @@ By default, host-level tags remain permanently attached to AWS hosts. If you wan
221222
[27]: /integrations/amazon_elb/
222223
[28]: https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/overview.html
223224
[29]: https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/supported-services.html
225+
[30]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

content/en/integrations/guide/aws-manual-setup.md

Lines changed: 16 additions & 0 deletions
@@ -142,6 +142,21 @@ After configuring the role, return to the [AWS integration page][1] and save the
142142

143143
If your AWS account is part of an AWS Organization, [Service Control Policies][10] can block the integration even when the IAM role and trust policy are correct. See [Missing metrics][11] in the troubleshooting guide for details.
144144

145+
**Permissions boundaries:**
146+
147+
A [permissions boundary][12] sets the maximum permissions a role can have. Effective permissions are the intersection of the role's identity-based policies and the boundary policy. If the boundary does not include an action required by the Datadog integration, AWS returns `AccessDenied` for that action, and the integration tile may show `Datadog is not authorized to monitor some of your services` even when the integration role policy appears to grant the action.
148+
149+
To check whether a permissions boundary is attached to your integration role:
150+
151+
- **Console**: In the AWS IAM console, open the role, and check the **Permissions boundary** tab.
152+
- **CLI**: Run the following command:
153+
```
154+
aws iam get-role --role-name <DATADOG-INTEGRATION-ROLE> \
155+
--query 'Role.{PermissionsBoundary:PermissionsBoundary,RoleName:RoleName}'
156+
```
157+
158+
To resolve the issue, coordinate with your IAM or security team to ensure the boundary policy includes the required Datadog integration actions.
159+
145160
<div class="alert alert-danger">If there is a <code>Datadog is not authorized to perform sts:AssumeRole</code> error, follow the troubleshooting steps recommended in the UI, or read the <a href="https://docs.datadoghq.com/integrations/guide/error-datadog-not-authorized-sts-assume-role/" target="_blank">troubleshooting guide</a>.</div>
146161

147162
\*{{% mainland-china-disclaimer %}}
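Review bot: in the new **CLI** bullet, the fenced block around `aws iam get-role` has no language tag and the command comes with no guidance on reading its output. Tag the fence (for example ```shell) so it renders as a command block, and add a sentence saying what to look for: a `PermissionsBoundary` of `null` means no boundary is attached, while a returned boundary ARN identifies the policy whose statements must include the integration's actions. That ties the check directly to the "To resolve the issue" paragraph that follows, which otherwise leaves the reader to infer which policy needs changing.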
@@ -157,6 +172,7 @@ If your AWS account is part of an AWS Organization, [Service Control Policies][1
157172
[9]: /integrations/guide/error-datadog-not-authorized-sts-assume-role/
158173
[10]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
159174
[11]: /integrations/guide/aws-integration-troubleshooting/#missing-metrics
175+
[12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
160176
{{% /tab %}}
161177
{{% tab "Access keys" %}}
162178
