Step 3: Install the Collector
Installing the collector with Amazon EKS
You can install the Helm chart for the pganalyze collector on your Amazon EKS cluster.
Prerequisites
- You already have an Amazon EKS cluster
- kubectl is installed
- eksctl is installed and a kubeconfig file for an Amazon EKS cluster is created
- The Helm CLI v3 or above is installed
Set up IAM policy
You need to set up an IAM policy for the instance where the collector will run, so that the collector can access RDS information.
Save the following policy JSON to a file named pganalyze_collector_policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:GetMetricStatistics"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"
    },
    {
      "Action": [
        "rds:DescribeDBParameters"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:rds:*:*:pg:*"
    },
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DownloadDBLogFilePortion",
        "rds:DescribeDBLogFiles"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:rds:*:*:db:*"
    },
    {
      "Action": [
        "rds:DescribeDBClusters"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:rds:*:*:cluster:*"
    }
  ]
}
Now, create a new IAM policy named pganalyze using the saved JSON file:
aws iam create-policy \
  --policy-name pganalyze \
  --policy-document file://pganalyze_collector_policy.json \
  --description "Allow the pganalyze collector to access RDS information"
This policy grants the following access:
- RDS metadata used to discover general instance information
- CloudWatch metrics to show CPU utilization and other system metrics in pganalyze
- RDS log file download (for pganalyze Log Insights)
To learn more about each access, see Amazon RDS and Aurora: IAM Policy.
Create IAM role
Note: Creating an IAM role currently requires using IAM roles for service accounts (IRSA). Creating an IAM role with Amazon EKS Pod Identity is not supported yet.
With this step, you are going to create a new IAM role and associate that role with the service account using IAM roles for service accounts (IRSA).
If you haven't set up an OIDC identity provider for your EKS cluster, set it up as follows:
eksctl utils associate-iam-oidc-provider \
  --region <region> --cluster mycluster --approve
Create an IAM role that will be assumed by the Kubernetes service account. The following command will create a role named pganalyzeServiceAccountRole.
aws iam create-role --role-name pganalyzeServiceAccountRole \
  --description "For pganalyze collector service account" \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<aws-account-id>:oidc-provider/oidc.eks.<region>.amazonaws.com/id/<OIDC_PROVIDER_ID>"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "oidc.eks.<region>.amazonaws.com/id/<OIDC_PROVIDER_ID>:sub": "system:serviceaccount:<namespace>:pganalyze-service-account"
          }
        }
      }
    ]
  }'
Replace OIDC_PROVIDER_ID with the one created above. You can find it using the following command:
aws eks describe-cluster \
  --name mycluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5
Attach the policy you created earlier to the created role. The command below assumes that the policy name is pganalyze:
aws iam attach-role-policy --role-name pganalyzeServiceAccountRole \
  --policy-arn arn:aws:iam::<aws-account-id>:policy/pganalyze
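A check of the trust policy from the role creation step, added here as an example and not part of the pganalyze documentation: it confirms that the role can only be assumed by the one intended service account and that no placeholder was left unreplaced. The function name audit_irsa_trust and all sample values (account ID, region, provider ID, namespace) are constructed for illustration.

```python
import json
import re

def audit_irsa_trust(policy_json, namespace, service_account):
    """Return findings for an IRSA trust policy; an empty list means it is scoped as intended."""
    findings = []
    if re.search(r"<[^>]+>", policy_json):
        findings.append("unreplaced <placeholder> left in the policy")
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    statements = json.loads(policy_json)["Statement"]
    for i, st in enumerate(statements if isinstance(statements, list) else [statements]):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action")
        if actions not in ("sts:AssumeRoleWithWebIdentity", ["sts:AssumeRoleWithWebIdentity"]):
            findings.append(f"statement {i}: unexpected Action {actions!r}")
        principal = st.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        # The issuer (host and path after ':oidc-provider/') must prefix the condition key.
        issuer = federated.partition(":oidc-provider/")[2] if isinstance(federated, str) else ""
        if not issuer:
            findings.append(f"statement {i}: Principal is not a single OIDC provider")
            continue
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{issuer}:sub") != expected_sub:
            findings.append(f"statement {i}: {issuer}:sub is not pinned to {expected_sub}")
        if any("StringLike" in op for op in cond):
            findings.append(f"statement {i}: StringLike allows wildcards, use StringEquals")
    return findings

# Constructed sample values (account ID, region, provider ID and namespace are made up).
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{ISSUER}:sub": "system:serviceaccount:pganalyze:pganalyze-service-account"}},
}]})
# Same policy, but the provider ID in the condition key was never filled in.
BAD = GOOD.replace(f"{ISSUER}:sub", "oidc.eks.us-east-1.amazonaws.com/id/<OIDC_PROVIDER_ID>:sub")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_irsa_trust(doc, "pganalyze", "pganalyze-service-account"))
```

To check a role that already exists, pass in the JSON returned by aws iam get-role --role-name pganalyzeServiceAccountRole --query Role.AssumeRolePolicyDocument together with the namespace the collector is deployed to.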