Our current instances use this deprecated method of collecting metrics https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-scripts-intro.html
It's basically a cron job that runs a command to send data to cloudwatch
mon-put-instance-data.pl --mem-used --mem-util --disk-space-util --disk-path=/ --from-cron
It uses credentials from awscreds.conf the contents of which have this format
AWSAccessKeyId=ABCD
AWSSecretKey=SDSDFSDF
We want to move to using cloudwatch agent for 2 reasons
- The agent has better capabilities in terms of data collection
- Since keys have to be rotated every 90 days it's cumbersome to replace the key and secret in
awscreds.conf every 90 days.
While going through the doc for installing and configuring the cloudwatch agent I came across https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-cloudwatch-agent-configuration-file-wizard.html
which mentions putting the secret and key in aws config file.
My question is, if I'm already attaching an IAM role to the EC2 as described in https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent-commandline.html why do I need to add secret and key for authentication?
Is there a way for sending metrics without using secret and key?
