Hello Team,
In our environment, we have multiple AWS accounts, and all of them are in private networks.
On account A, I have a Zabbix proxy server.
On account B, I have an RDS server.
I am trying to implement the AWS RDS instance by HTTP template using the role_base option to gather the RDS and CloudWatch data.
When I use it in the same account with role_base, the data is retrieved successfully; however, it is not working cross-account.
What I followed from my end:

AWS RDS monitoring and integration with Zabbix
1) Created a role and added a policy as per the link, on account B.
2) Created a policy and applied it in account A.
3) Both accounts' services have enough permissions to access each other's services.
4) However, no data is fetched by the template. I would like to know how the JavaScript generates the temporary access key and secret key. (The template contains the JavaScript that retrieves the RDS data.)
5) If I use the key-based method, it retrieves the data. However, we do not want to use this method due to our security policy.
6) Account A details
Role name: zabbix-rds-crossaccount
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::accountB:role/cw-rds-cross-fb-account"
        }
    ]
}
Read-only access policies for RDS and CloudWatch.
7) Account B details
Role name: cw-rds-cross-fb-account
Trust relationship:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountA:role/zabbix-rds-crossaccount"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Read-only access policies for RDS and CloudWatch.
Error:
390131:20250121:141300.918 [ AWS RDS ] ERROR: Request failed with status code 403: {"Error":{"Code":"AccessDenied","Message":"User: arn:aws:sts::accountA:assumed-role/zabbix-rds-crossaccount/i-instance is not authorized to perform: cloudwatch:DescribeAlarms on resource: arn:aws:cloudwatch:ap-south-1:accountA:alarm:* because no identity-based policy allows the cloudwatch:DescribeAlarms action","Type":"Sender"},"RequestId":"76f825fe-9225-48c5-aecc-884f92142d6e"}.
390133:20250121:105011.628 [ AWS RDS ] ERROR: Request failed with status code 404: {"Error":{"Code":"DBInstanceNotFound","Message":"DBInstance rds-name not found.","Type":"Sender"},"RequestId":"f08256e8-3fe8-4d8c-a31d-289d372193c0"}.