Cannot sent metrics to AWS Managed Prometheus

daaho · October 24, 2023, 12:35pm

We try to use Grafana Agent Flow with AWS Managed Prometheus from a Kubernetes cluster which runs directly on a EC2 instance in the same AWS account.

For that, we created an AMP workspace and configured Grafana Agent Flow to send metrics to AMP:

    prometheus.remote_write "mimir" {
      endpoint {
        url = "https://aps-workspaces.eu-central-1.amazonaws.com/workspaces/ws-....1/api/v1/remote_write"
        headers = {"X-Scope-OrgID" = "clustername1"}
        sigv4 {
          region = "eu-central-1"
          access_key = "AKIAxxxxxxxxxxxxxxxxxXP"
          secret_key = "b...........................................................9"          } 
      }
    }

Grafana Agent Flow: 0.37.2
All EC2 nodes has the policy AmazonPrometheusRemoteWriteAccess applied.

The error message is:

server returned HTTP status 403 Forbidden: {\"message\":\"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method.

Do we miss something ? E.g. is a sigv4-proxy needed, or is this already integrated in GAF 0.37.2

jangaraj · October 24, 2023, 1:47pm

I don’t understand why you need access/secret key, when you already have EC2 instance profile with AmazonPrometheusRemoteWriteAccess.

daaho · October 24, 2023, 2:44pm

It was a try because without the ACCESSKEY/SECRETKEY I also get an error message

jangaraj · October 24, 2023, 3:28pm

Off topic: I used OTEL collector to send metric to AMP in the past and it was working fine. It may be usefull for you to switch to ADOT if you don’t need to be dependant on GA, so you will be fully AWS compatible/supported.

daaho · October 25, 2023, 12:33pm

I found the problem

The reason was the additional and not necessary line:
headers = {“X-Scope-OrgID” = “clustername1”}

This configuration was used for Mimir as a backend and does not work for “AWS Managed Prometheus”

This minimal configuration is working:

prometheus.remote_write "mimir" {
      endpoint {
        url = "https://aps-workspaces.eu-central-1.amazonaws.com/workspaces/ws-....1/api/v1/remote_write"
        sigv4 {
          region = "eu-central-1"
        }
      }
    }

Topic		Replies	Views
Unable to send K6 Metrics to AWS Managed Prometheus Grafana k6 grafana , promethues	1	58	July 18, 2025
Connect AWS Prometheus to Grafana Cloud Grafana Cloud	4	1747	April 12, 2022
How to add aws managed prometheus as a datasource in grafana Prometheus	2	2557	December 21, 2022
Unable to get Recorded Queries setup to an Amazon Managed Service for Prometheus Remote Write endpoint Prometheus config-help	0	352	October 2, 2023
Having issue while quering aws endpoint URL Prometheus api	1	1937	April 5, 2022

Cannot sent metrics to AWS Managed Prometheus

Related topics