Step 3: Install the Collector

Installing the collector with Amazon ECS

We will launch this container as a single persistent task using an ECS service, with secrets stored in SSM parameters.

Set up IAM policy

You need to create an IAM policy for the role the collector task will run with, so that the collector can read RDS information.

Save the following policy JSON to a file named pganalyze_collector_policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:GetMetricStatistics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"
        },
        {
            "Action": [
                "rds:DescribeDBParameters"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:rds:*:*:pg:*"
        },
        {
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DownloadDBLogFilePortion",
                "rds:DescribeDBLogFiles"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:rds:*:*:db:*"
        },
        {
            "Action": [
                "rds:DescribeDBClusters"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:rds:*:*:cluster:*"
        }
    ]
}

Now, create a new IAM policy named pganalyze using the saved JSON file:

aws iam create-policy \
    --policy-name pganalyze \
    --policy-document file://pganalyze_collector_policy.json \
    --description "Allow the pganalyze collector to access RDS information"

This policy grants the following access:

  • RDS metadata used to discover general instance information
  • CloudWatch metrics to show CPU utilization and other system metrics in pganalyze
  • RDS log file download (for pganalyze Log Insights)

To learn more about each access, see Amazon RDS and Aurora: IAM Policy.

Create IAM role

The container needs a dedicated IAM task role. The following commands create an appropriate role. They assume you are using your account's default KMS key for decrypting the SSM parameters.

aws iam create-role --role-name pganalyzeTaskRole \
  --description "pganalyze collector ECS tasks" \
  --assume-role-policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'

aws iam attach-role-policy --role-name pganalyzeTaskRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

aws iam put-role-policy --role-name pganalyzeTaskRole \
  --policy-name GetSSMPganalyzeParameters \
  --policy-document '{"Statement":[{"Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"], "Effect": "Allow", "Resource": "arn:aws:ssm:*:*:parameter/pganalyze/*"}, {"Action": "kms:Decrypt", "Effect": "Allow", "Resource": "arn:aws:kms:*:*:*"}]}'

aws iam attach-role-policy --role-name pganalyzeTaskRole \
  --policy-arn arn:aws:iam::YOURAWSACCOUNTID:policy/POLICYNAME

Make sure to replace arn:aws:iam::YOURAWSACCOUNTID:policy/POLICYNAME with the ARN of the pganalyze policy you created earlier.

Important: The inline policy above allows kms:Decrypt on every key (arn:aws:kms:*:*:*). For more complex scenarios you might want to restrict that statement to the specific key ARN used to encrypt the SSM parameters.
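Before running the aws iam commands above, it is worth checking both policy documents for over-broad grants and producing the key-scoped variant the note recommends. The following script is an added example, not part of pganalyze's documentation or tooling: it embeds the collector policy and the task role's inline policy from this page, lints them with the standard library only, and rewrites the kms:Decrypt statement to a single key. The KMS key ARN is an assumed placeholder; substitute the key that encrypts your /pganalyze/* parameters.

```python
"""Lint the pganalyze collector IAM policies for over-broad grants and emit
a key-scoped task role policy (added example; not pganalyze's own tooling)."""
import json

# Policy document saved as pganalyze_collector_policy.json in this guide.
COLLECTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["cloudwatch:GetMetricStatistics"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["logs:GetLogEvents"], "Effect": "Allow",
         "Resource": "arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"},
        {"Action": ["rds:DescribeDBParameters"], "Effect": "Allow", "Resource": "arn:aws:rds:*:*:pg:*"},
        {"Action": ["rds:DescribeDBInstances", "rds:DownloadDBLogFilePortion", "rds:DescribeDBLogFiles"],
         "Effect": "Allow", "Resource": "arn:aws:rds:*:*:db:*"},
        {"Action": ["rds:DescribeDBClusters"], "Effect": "Allow", "Resource": "arn:aws:rds:*:*:cluster:*"},
    ],
}

# Inline policy attached to pganalyzeTaskRole in this guide (note: no "Version" key).
TASK_ROLE_INLINE_POLICY = {
    "Statement": [
        {"Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
         "Effect": "Allow", "Resource": "arn:aws:ssm:*:*:parameter/pganalyze/*"},
        {"Action": "kms:Decrypt", "Effect": "Allow", "Resource": "arn:aws:kms:*:*:*"},
    ]
}

# Assumed placeholder: replace with the ARN of the key that encrypts /pganalyze/* parameters.
EXAMPLE_KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"

# Actions that are acceptable on Resource "*" because they only read metric data,
# never database contents or secrets.
READ_ONLY_WILDCARD_OK = {"cloudwatch:GetMetricStatistics"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of human-readable findings for one IAM policy document."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append('missing or outdated "Version" (expected 2012-10-17)')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in resources:
            if res == "*" and not set(actions) <= READ_ONLY_WILDCARD_OK:
                findings.append(f"statement {i}: Resource '*' for {actions}")
            # A KMS resource ending in ":*" (e.g. arn:aws:kms:*:*:*) covers every key
            # in every region rather than the one key the SSM parameters use.
            if res.startswith("arn:aws:kms:") and res.endswith(":*"):
                findings.append(f"statement {i}: {actions} allowed on every KMS key ({res})")
    return findings


def scope_kms_decrypt(policy, key_arn):
    """Return a copy of the policy with kms:Decrypt limited to one key ARN and a
    Version field added. The input policy is left unchanged."""
    scoped = json.loads(json.dumps(policy))  # cheap deep copy
    scoped.setdefault("Version", "2012-10-17")
    for stmt in scoped["Statement"]:
        if "kms:Decrypt" in _as_list(stmt.get("Action", [])):
            stmt["Resource"] = key_arn
    return scoped


if __name__ == "__main__":
    for name, pol in [("collector policy", COLLECTOR_POLICY), ("task role policy", TASK_ROLE_INLINE_POLICY)]:
        print(f"{name}: {lint_policy(pol) or 'no findings'}")
    # Paste this output as the --policy-document for put-role-policy instead of the wildcard version.
    print(json.dumps(scope_kms_decrypt(TASK_ROLE_INLINE_POLICY, EXAMPLE_KMS_KEY_ARN), indent=2))
```

Run it once before creating the role: the collector policy should come back clean (its only Resource "*" grant is the read-only CloudWatch metric call), while the inline task role policy is flagged for the missing Version field and the key-wide kms:Decrypt; the printed scoped document is the one to pass to put-role-policy when you know which key protects the parameters.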

Proceed to Step 4: Configure the Collector
