Step 3: Set Up IAM Policy
Almost done! 🎉
We now need to set up an IAM policy and user that the collector can use to access RDS information.
To start, go to Create IAM policy, select JSON and then paste the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:GetMetricStatistics"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:*:*:log-group:RDSOSMetrics:log-stream:*"
},
{
"Action": [
"rds:DescribeDBParameters"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:*:*:pg:*"
},
{
"Action": [
"rds:DescribeDBInstances",
"rds:DownloadDBLogFilePortion",
"rds:DescribeDBLogFiles"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:*:*:db:*"
},
{
"Action": [
"rds:DescribeDBClusters"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:*:*:cluster:*"
}
]
}This policy grants the following access:
- RDS metadata used to discover general instance information
- Cloudwatch metrics to show CPU utilization and other system metrics in pganalyze
- RDS log file download (for pganalyze Log Insights)
We recommend naming the policy "pganalyze" or similar, so you can easily identify it again.
Create IAM Role
To complete this step, create an IAM role for pganalyze, and assign the policy to this new role.
In the next step we'll download and run the pganalyze collector software to one of your EC2 instances:
Proceed to Step 4: Install the Collector on an EC2 InstanceCouldn't find what you were looking for or want to talk about something specific?
Start a conversation with us →