content/en/integrations/guide/aws-integration-troubleshooting.md
+2 lines changed: 2 additions & 0 deletions
@@ -117,6 +117,7 @@ If you are not seeing expected AWS metrics in Datadog, work through the followin
117
117
4.**Check whether the service requires additional enablement.** Some AWS services do not emit metrics to CloudWatch by default and require extra configuration in the AWS console. See [Which AWS services require additional setup beyond the core integration?][26] for a full list.
118
118
5.**Wait for the polling interval.** Allow at least one collection cycle before investigating further. See [Expected metric delays](#expected-metric-delays) for timing by collection method.
119
119
6.**Check for Service Control Policies (SCPs).** If your account is part of an AWS Organization, SCPs applied at the organization or organizational unit (OU) level can override IAM permissions and block API calls. Verify that no SCP denies the required permissions.
120
+
7.**Check for permissions boundaries.** A [permissions boundary][30] sets the maximum permissions a role can have. If the boundary does not include an action required by the Datadog integration, AWS returns `AccessDenied` for that action even when the integration role policy appears to grant it. In the AWS IAM console, open the integration role and check the **Permissions boundary** tab to see whether a boundary is attached.
120
121
121
122
### Wrong count of aws.elb.healthy_host_count
122
123
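Review bot: The new step 7 stops at detection: it tells the reader how to find an attached boundary in the console but not what to do once one is found, and unlike the manual setup section it gives no CLI check. Suggest closing the step with a pointer to the **Permissions boundaries** section of the manual setup guide, or repeating its resolution sentence ("coordinate with your IAM or security team ..."). Also confirm that the `[30]` link definition is what the one-line hunk at line 221 adds, since that hunk's content is not shown here.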
@@ -221,3 +222,4 @@ By default, host-level tags remain permanently attached to AWS hosts. If you wan
content/en/integrations/guide/aws-manual-setup.md
+16 lines changed: 16 additions & 0 deletions
@@ -142,6 +142,21 @@ After configuring the role, return to the [AWS integration page][1] and save the
142
142
143
143
If your AWS account is part of an AWS Organization, [Service Control Policies][10] can block the integration even when the IAM role and trust policy are correct. See [Missing metrics][11] in the troubleshooting guide for details.
144
144
145
+
**Permissions boundaries:**
146
+
147
+
A [permissions boundary][12] sets the maximum permissions a role can have. Effective permissions are the intersection of the role's identity-based policies and the boundary policy. If the boundary does not include an action required by the Datadog integration, AWS returns `AccessDenied` for that action, and the integration tile may show `Datadog is not authorized to monitor some of your services` even when the integration role policy appears to grant the action.
148
+
149
+
To check whether a permissions boundary is attached to your integration role:
150
+
151
+
-**Console**: In the AWS IAM console, open the role, and check the **Permissions boundary** tab.
152
+
-**CLI**: Run the following command:
153
+
```
154
+
aws iam get-role --role-name <DATADOG-INTEGRATION-ROLE> \
To resolve the issue, coordinate with your IAM or security team to ensure the boundary policy includes the required Datadog integration actions.
159
+
145
160
<divclass="alert alert-danger">If there is a <code>Datadog is not authorized to perform sts:AssumeRole</code> error, follow the troubleshooting steps recommended in the UI, or read the <ahref="https://docs.datadoghq.com/integrations/guide/error-datadog-not-authorized-sts-assume-role/"target="_blank">troubleshooting guide</a>.</div>
146
161
147
162
\*{{% mainland-china-disclaimer %}}
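Review bot: The resolution sentence ("To resolve the issue, coordinate with your IAM or security team ...") refers to "the required Datadog integration actions" without saying where that list lives; link it to the integration's IAM permissions list so the security team has a concrete set of actions to compare against the boundary policy. The explanation also covers only a boundary that "does not include" an action; an explicit `Deny` statement in the boundary produces the same `AccessDenied` and is worth a clause. As a style point, the code fence around the `aws iam get-role` command is opened without a language identifier.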
@@ -157,6 +172,7 @@ If your AWS account is part of an AWS Organization, [Service Control Policies][1