Step 3: Install the Collector
Installing the collector with Amazon EKS
You can install the Helm chart for the pganalyze collector on your Amazon EKS cluster.
Prerequisites
- You already have an Amazon EKS cluster
kubectlis installedeksctlis installed and a kubeconfig file for an Amazon EKS cluster is createdThe Helm CLIv3 or above is installed
Set up IAM policy
You need to set up an IAM policy for the instance where the collector will run, so that the collector can access RDS information.
Save the following policy JSON to a file named pganalyze_collector_policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:GetMetricStatistics"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"
},
{
"Action": [
"rds:DescribeDBParameters"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:*:*:pg:*"
},
{
"Action": [
"rds:DescribeDBInstances",
"rds:DownloadDBLogFilePortion",
"rds:DescribeDBLogFiles"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:*:*:db:*"
},
{
"Action": [
"rds:DescribeDBClusters"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:*:*:cluster:*"
}
]
}Now, create a new IAM policy named pganalyze using the saved JSON file:
aws iam create-policy \
--policy-name pganalyze \
--policy-document file://pganalyze_collector_policy.json \
--description "Allow the pganalyze collector to access RDS information"Go to Create IAM policy, select JSON and then paste the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:GetMetricStatistics"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"
},
{
"Action": [
"rds:DescribeDBParameters"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:*:*:pg:*"
},
{
"Action": [
"rds:DescribeDBInstances",
"rds:DownloadDBLogFilePortion",
"rds:DescribeDBLogFiles"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:*:*:db:*"
},
{
"Action": [
"rds:DescribeDBClusters"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:*:*:cluster:*"
}
]
}We recommend naming the policy “pganalyze” or similar, so you can easily identify it again.
This policy grants the following access:
- RDS metadata used to discover general instance information
- Cloudwatch metrics to show CPU utilization and other system metrics in pganalyze
- RDS log file download (for pganalyze Log Insights)
To learn more about each access, see Amazon RDS and Aurora: IAM Policy.
Create IAM role
With this step, you are going to create a new IAM role and associate that role with the service account using Amazon EKS Pod Identity.
Note: This requires the pganalyze collector version 0.58.0 and above.
If you haven’t installed Amazon EKS Pod Identity Agent add-on, install it with this command:
aws eks create-addon --cluster-name mycluster \
--addon-name eks-pod-identity-agentCreate an IAM role that will be mapped with the Kubernetes service account. The
following command will create a role named pganalyzeServiceAccountRole.
aws iam create-role --role-name pganalyzeServiceAccountRole \
--description "For pganalyze collector service account" \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}'Attach the policy you created earlier to the created account. The command below
assumes that the policy name is pganalyze:
aws iam attach-role-policy --role-name pganalyzeServiceAccountRole \
--policy-arn arn:aws:iam::<aws-account-id>:policy/pganalyzeCreate Pod Identity association using the role just created:
aws eks create-pod-identity-association \
--cluster-name mycluster \
--namespace default \
--service-account pganalyze-service-account \
--role-arn arn:aws:iam::<aws-account-id>:role/pganalyzeServiceAccountRoleWith this step, you are going to create a new IAM role and associate that role with the service account using IAM roles for service accounts (IRSA).
If you haven’t set up an OIDC identity provider for your EKS cluster, set it up as follows:
eksctl utils associate-iam-oidc-provider \
--region <region> --cluster mycluster --approveCreate an IAM role that will be assumed by the Kubernetes service account. The
following command will create a role named pganalyzeServiceAccountRole.
aws iam create-role --role-name pganalyzeServiceAccountRole \
--description "For pganalyze collector service account" \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<aws-account-id>:oidc-provider/oidc.eks.<region>.amazonaws.com/id/<OIDC_PROVIDER_ID>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.<region>.amazonaws.com/id/<OIDC_PROVIDER_ID>:sub": "system:serviceaccount:<namespace>:pganalyze-service-account"
}
}
}
]
}'Replace OIDC_PROVIDER_ID with the one created above. You can find it using the
following command:
aws eks describe-cluster \
--name mycluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5Attach the policy you created earlier to the created account. Below assumes that
the policy name is pganalyze:
aws iam attach-role-policy --role-name pganalyzeServiceAccountRole \
--policy-arn arn:aws:iam::<aws-account-id>:policy/pganalyzeProceed to Step 4: Configure the Collector
Couldn't find what you were looking for or want to talk about something specific?
Start a conversation with us →