Hello,
I have been looking into having a single Zabbix instance monitor multiple AWS accounts using the "AWS by HTTP" module (https://www.zabbix.com/integrations/aws). I was hoping I can have a aws role setup on each of these proxies and have "AWS by HTTP" make the call through the proxies (assuming the role of the account tied to that proxy). However I am unable to get "AWS by HTTP" to do that. I have a custom script as part of another template that makes use of these roles on the proxies successfully, but for some reason "AWS by HTTP" fails with:
{"error":"Request failed with status code 403: <?xml version="1.0" encoding="UTF-8"?>\n<Response><Errors><Error><Code>Unauthoriz ed Operation</Code><Message>You are not authorized to perform this operation. User: <some-role-arn-not-the-one-i-expect-to-see-here> is not authorized to perform: ec2
escribeRegions because no identity-based policy allows the ec2escribeRegions action</Message></Error></Errors><RequestID>some request id</RequestID></Response>."}
That to me shows that the "AWS by HTTP" request isn't made from the proxy even tho I set it when doing a "Test" in one of the Discovery Rules (because the arn mentioned is not the one we have set on the proxy). Not sure.
Looking closer at https://www.zabbix.com/integrations/aws we can see there is a `AWS.PROXY` variable with barely any documentation, quickly trying to set this to the zabbix-proxy-mysql ip
ort we get a new error:
{"error":"Error: cannot get URL: Server returned nothing (no headers, no data)."}
I know the proxy and the server are communicating, I know they are the same version. I am able to have custom scripts fire on the proxy and use the aws role set for that proxy.
Would anyone have an idea on how to have "AWS by HTTP" make the request from one of the proxies or what I am doing wrong? Or maybe another approach to having multiple aws accounts monitored via "AWS by HTTP" on a single Zabbix instance (but maybe multiple proxies)?
I have been looking into having a single Zabbix instance monitor multiple AWS accounts using the "AWS by HTTP" module (https://www.zabbix.com/integrations/aws). I was hoping I can have a aws role setup on each of these proxies and have "AWS by HTTP" make the call through the proxies (assuming the role of the account tied to that proxy). However I am unable to get "AWS by HTTP" to do that. I have a custom script as part of another template that makes use of these roles on the proxies successfully, but for some reason "AWS by HTTP" fails with:
{"error":"Request failed with status code 403: <?xml version="1.0" encoding="UTF-8"?>\n<Response><Errors><Error><Code>Unauthoriz ed Operation</Code><Message>You are not authorized to perform this operation. User: <some-role-arn-not-the-one-i-expect-to-see-here> is not authorized to perform: ec2
escribeRegions because no identity-based policy allows the ec2escribeRegions action</Message></Error></Errors><RequestID>some request id</RequestID></Response>."}That to me shows that the "AWS by HTTP" request isn't made from the proxy even tho I set it when doing a "Test" in one of the Discovery Rules (because the arn mentioned is not the one we have set on the proxy). Not sure.
Looking closer at https://www.zabbix.com/integrations/aws we can see there is a `AWS.PROXY` variable with barely any documentation, quickly trying to set this to the zabbix-proxy-mysql ip
ort we get a new error:{"error":"Error: cannot get URL: Server returned nothing (no headers, no data)."}
I know the proxy and the server are communicating, I know they are the same version. I am able to have custom scripts fire on the proxy and use the aws role set for that proxy.
Would anyone have an idea on how to have "AWS by HTTP" make the request from one of the proxies or what I am doing wrong? Or maybe another approach to having multiple aws accounts monitored via "AWS by HTTP" on a single Zabbix instance (but maybe multiple proxies)?