Promtail EC2 permissions

What type of permissions are required for the ACCESS_KEY and SECRET_KEY when setting up Promtail on an EC2 machine?

The key / role ARN will be set in the ec2_sd_config section of the YML file.

As per the doc to configure Promtail on EC2, you need to do two things via the AWS CLI:

  1. Create EC2 instance
  2. Create IPv4 VPC and subnets

So your AWS CLI should have the following IAM permissions to do those actions.

  1. Creating EC2 instance

    • "ec2:RunInstances"

    You can follow the AWS doc for permissions policies related to EC2 here

  2. Create IPv4 VPC and subnets

    • "ec2:CreateVpc",
    • "ec2:CreateSubnet",
    • "ec2:DescribeAvailabilityZones",
    • "ec2:CreateRouteTable",
    • "ec2:CreateRoute",
    • "ec2:CreateInternetGateway",
    • "ec2:AttachInternetGateway",
    • "ec2:AssociateRouteTable",
    • "ec2:ModifyVpcAttribute"

    You can follow the AWS doc for permissions policies related to VPC here


Promtail doc - EC2 | Grafana Labs

Hi @kavikanagaraj,

Thanks for the answer. Actually, I want the permissions for the key which is used in the ec2_sd_config section of the Promtail configuration (YML) file.

Ah, sorry for the confusion. We also had a discussion about this over Slack.

Looks like the correct permissions for the key used in ec2_sd_config are:

"tag:GetResources",
"cloudwatch:ListTagsForResource",
"ec2:DescribeTags",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"elasticloadbalancing:DescribeTargetGroups"
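
An added example, not part of the thread or of Promtail: a small check that flags an IAM policy granting the ec2_sd_config key anything beyond the read-only actions listed in the last post. Treating that list as the allowlist is an assumption taken from the thread, and the function names and sample policies are constructed for illustration.

```python
import json

# Actions listed in the thread's last post for the ec2_sd_config key
# (lower-cased, because IAM action names are case-insensitive).
THREAD_ACTIONS = {a.lower() for a in (
    "tag:GetResources", "cloudwatch:ListTagsForResource", "ec2:DescribeTags",
    "ec2:DescribeInstances", "ec2:DescribeRegions",
    "elasticloadbalancing:DescribeTargetGroups",
)}

def as_list(value):
    """IAM accepts a single item or a list for both Statement and Action."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy_json):
    """Return findings for Allow statements that grant more than THREAD_ACTIONS."""
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append("NotAction: allows everything except the listed actions")
        for action in as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                # A wildcard can match write actions such as ec2:CreateVpc
                findings.append(f"wildcard: {action}")
            elif action.lower() not in THREAD_ACTIONS:
                findings.append(f"outside thread list: {action}")
    return findings

# Constructed sample policies (not taken from any real account).
READ_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:describetags", "tag:GetResources"]}]})
TOO_BROAD = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:Create*"]}})

if __name__ == "__main__":
    for name, policy in (("READ_ONLY", READ_ONLY), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit_policy(policy) or "ok")
```

Run it against the policy attached to the access key or role before putting the credentials into the Promtail configuration; an empty result means the policy stays within the list from the thread.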