You are not authorized to perform this operation while monitoring instance has all permissions

[houdtbaar]

Hi,

I installed the aws plugin on Sensu-go backend version 5.15.0, build 13884593ee08a7f25d7f66a8b71da61c529de014, built 2019-11-19T20:18:33Z I have created a check. Added a IAM profile to the monitoring EC2 with all permissions and checked. I executes the describe-instance via the aws cli on the monitoring instance. When I do that I get a complete overview of all instances

When I installed the plugin, like bellow:

sensuctl asset add sensu-plugins/sensu-plugins-aws
sensuctl check create check-aws-instance-health --command 'check-instance-health.rb --aws-region eu-central-1' --interval 60 --subscriptions system,aws-ec2 --runtime-assets sensu-plugins/sensu-plugins-aws,sensu/sensu-ruby-runtime

I get the following error while executing an events. It seems like an IAM error but via the aws cli I have full access:

Check failed to run: You are not authorized to perform this operation., ["/var/cache/sensu/sensu-agent/c057951d33aa1d4e952b2f781df452e55ab4b5f39cedc250ae209bc6630858797ffb82fc8e445e7efe50b269ece46a3aa74e45e4c2da6b31d3d8a4dbfdd3012a/lib/ruby/2.4.0/gems/aws-sdk-core-3.50.0/lib/seahorse/client/plugins/raise_response_errors.rb:15:incall'", "/var/cache/sensu/sensu-agent/c057951d33aa1d4e952b2f781df452e55ab4b5f39cedc250ae209bc6630858797ffb82fc8e445e7efe50b269ece46a3aa74e45e4c2da6b31d3d8a4dbfdd3012a/lib/ruby/2.4.0/gems/aws-sdk-core-3.50.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in call'", "/var/cache/sensu/sensu-agent/c057951d33aa1d4e952b2f781df452e55ab4b5f39cedc250ae209bc6630858797ffb82fc8e445e7efe50b269ece46a3aa74e45e4c2da6b31d3d8a4dbfdd3012a/lib/ruby/2.4.0/gems/aws-sdk-core-3.50.0/lib/aws-sdk-core/plugins/idempotency_token.rb:17:incall'", "/var/cache/sensu/sensu-agent/c057951d33aa1d4e952b2f781df452e55ab4b5f39cedc250ae209bc6630858797ffb82fc8e445e7efe50b269ece46a3aa74e45e4c2da6b31d3d8a4dbfdd3012a/lib/ruby/2.4.0/gems/aws-sdk-core-3.50.0/lib/aws-sdk-core/plugins/param_converter.rb:24:in call'", "/var/cache/sensu/sensu-agent/c057951d33aa1d4e952b2f781df452e55ab4b5f39cedc250ae209bc6630858797ffb82fc8e445e7efe50b269ece46a3aa74e45e4c2da6b31d3d8a4dbfdd3012a/lib/ruby/2.4.0/gems/aws-sdk-core-3.50.0/lib/aws-sdk-core/plugins/response_paging.rb:10:incall'", "/var/cache/sensu/sensu-agent/c057951d33aa1d4e952b2f781df452e55ab4b5f39cedc250ae209bc6630858797ffb82fc8e445e7efe50b269ece46a3aa74e45e4c2da6b31d3d8a4dbfdd3012a/lib/ruby/2.4.0/gems/aws-sdk-core-3.50.0/lib/seahorse/client/plugins/response_target.rb:23:in call'", "/var/cache/sensu/sensu-agent/c057951d33aa1d4e952b2f781df452e55ab4b5f39cedc250ae209bc6630858797ffb82fc8e445e7efe50b269ece46a3aa74e45e4c2da6b31d3d8a4dbfdd3012a/lib/ruby/2.4.0/gems/aws-sdk-core-3.50.0/lib/seahorse/client/request.rb:70:insend_request'", "/var/cache/sensu/sensu-agent/c057951d33aa1d4e952b2f781df452e55ab4b5f39cedc250ae209bc6630858797ffb82fc8e445e7efe50b269ece46a3aa74e45e4c2da6b31d3d8a4dbfdd3012a/lib/ruby/2.4.0/gems/aws-sdk-ec2-1.82.0/lib/aws-sdk-ec2/client.rb:13990:in describe_instances'", "/var/cache/sensu/sensu-agent/c057951d33aa1d4e952b2f781df452e55ab4b5f39cedc250ae209bc6630858797ffb82fc8e445e7efe50b269ece46a3aa74e45e4c2da6b31d3d8a4dbfdd3012a/lib/ruby/2.4.0/bundler/gems/sensu-plugins-aws-5f04e0fd667e/bin/check-instance-health.rb:70:inrun'", "/var/cache/sensu/sensu-agent/c057951d33aa1d4e952b2f781df452e55ab4b5f39cedc250ae209bc6630858797ffb82fc8e445e7efe50b269ece46a3aa74e45e4c2da6b31d3d8a4dbfdd3012a/lib/ruby/2.4.0/gems/sensu-plugin-4.0.0/lib/sensu-plugin/cli.rb:59:in block in <class:CLI>'"]

I tried adding credentials in a ~/.aws/credentials file and a /opt/sensu/.aws/credentials file. Biut booth do not seem to work.

How can I solve this issue

[houdtbaar]

fixed need to add IAM role to all instances with the agent installed.