Step 3: Install the Collector

Installing the collector with Amazon EKS

You can install the Helm chart for the pganalyze collector on your Amazon EKS cluster.

Prerequisites

You already have an Amazon EKS cluster
kubectl is installed
eksctl is installed and a kubeconfig file for an Amazon EKS cluster is created
The Helm CLI v3 or above is installed

Set up IAM policy

You need to set up an IAM policy for the instance where the collector will run, so that the collector can access RDS information.

CLI
console

Save the following policy JSON to a file named pganalyze_collector_policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:GetMetricStatistics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"
        },
        {
            "Action": [
                "rds:DescribeDBParameters"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:rds:*:*:pg:*"
        },
        {
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DownloadDBLogFilePortion",
                "rds:DescribeDBLogFiles"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:rds:*:*:db:*"
        },
        {
            "Action": [
                "rds:DescribeDBClusters"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:rds:*:*:cluster:*"
        }
    ]
}

Now, create a new IAM policy named pganalyze using the saved JSON file:

aws iam create-policy \
    --policy-name pganalyze \
    --policy-document file://pganalyze_collector_policy.json \
    --description "Allow the pganalyze collector to access RDS information"

This policy grants the following access:

RDS metadata used to discover general instance information
Cloudwatch metrics to show CPU utilization and other system metrics in pganalyze
RDS log file download (for pganalyze Log Insights)

To learn more about each access, see Amazon RDS and Aurora: IAM Policy.

With this step, you are going to create a new IAM role and associate that role with the service account using Amazon EKS Pod Identity.

Note: This requires the pganalyze collector version 0.58.0 and above.

If you haven't installed Amazon EKS Pod Identity Agent add-on, install it with this command:

aws eks create-addon --cluster-name mycluster \
  --addon-name eks-pod-identity-agent

Create an IAM role that will be mapped with the Kubernetes service account. The following command will create a role named pganalyzeServiceAccountRole.

aws iam create-role --role-name pganalyzeServiceAccountRole \
  --description "For pganalyze collector service account" \
  --assume-role-policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
          "Service": "pods.eks.amazonaws.com"
      },
      "Action": [
          "sts:AssumeRole",
          "sts:TagSession"
      ]
    }
  ]
}'

Attach the policy you created earlier to the created account. The command below assumes that the policy name is pganalyze:

aws iam attach-role-policy --role-name pganalyzeServiceAccountRole \
  --policy-arn arn:aws:iam::<aws-account-id>:policy/pganalyze

Create Pod Identity association using the role just created:

aws eks create-pod-identity-association \
  --cluster-name mycluster \
  --namespace default \
  --service-account pganalyze-service-account \
  --role-arn arn:aws:iam::<aws-account-id>:role/pganalyzeServiceAccountRole

Proceed to Step 4: Configure the Collector

Couldn't find what you were looking for or want to talk about something specific?
Start a conversation with us →