# Amazon Managed Prometheus

### Description

This Amazon Managed Prometheus destination can be used to send metrics to an Amazon Managed Prometheus (AMP) workspace in AWS.

### Supported Types

| Metrics | Logs | Traces | Bindplane Collector |
| ------- | ---- | ------ | ------------------- |
| ✓       |      |        | `v1.41.0`+          |

### Prerequisites

Getting the Bindplane Collector authenticated and authorized with AWS requires completing the following steps. Before starting, make sure you are logged in to the [AWS Console](https://aws.amazon.com/console/) and have permission to create users, create roles, and generate access tokens.

#### 1. Create an AWS User the exporter can use.

To start, head to the `Identity and Access Management (IAM)` service and under `Access management` navigate to `Users`. There should be an option to `Create user` on this page. This is the user the exporter and Bindplane Collector will be authenticated as, so name it appropriately. This new user will not need access to the AWS Management Console, so leave this option unselected. For permissions, you don't need to specify any at this point since the user will be assuming a role with the required permissions. Once the user is created, navigate to its summary page and copy the ARN (we will need it in the next step).

#### 2. Create an AWS Role the exporter can assume.

Now we need to create an AWS Role the exporter will assume. This is what will allow the exporter/Bindplane Collector to send data to the AMP workspace. To do this, head to `IAM` and under `Access management` navigate to `Roles` and select `Create role`. The first step, `Select trusted entity`, defines which AWS principal is allowed to use this role; here that is the user we created in the first step. Select `Custom trust policy` and edit just the `Principal` JSON field so that it contains the ARN copied in the first step. It should look similar to this:

```json
"Principal": {
    "AWS": "arn:aws:iam::123456789:user/Bindplane"
}
```

The next step in creating the role is `Add permissions`. Search for "Prometheus" in the search bar and a number of permissions should show up. The exporter only needs `AmazonPrometheusRemoteWriteAccess`, so select that. In the next area, give the role an appropriate name and description and finish with `Create role`.

As an alternative to the AWS pre-defined `AmazonPrometheusRemoteWriteAccess` permission policy, you may also create your own permission policy. To read more, see this [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html). If taking this approach, be sure the exporter will still have write access to the desired AMP Workspace or the Bindplane Collector will fail.

#### 3. Give Bindplane Collector access keys.

Now that the Bindplane Collector will have access to the AMP workspace, it needs access keys so it can access AWS as the user that was created for it in step 1. Head back to `IAM` and `Users` and select the user created in step 1. Now select the `Security credentials` tab and find the `Access keys` section. For the first step of creating a key, select `Other` and continue to the next step. Provide an appropriate description and select `Create access key`. Make note of or download the `Access key` and `Secret access key` values as AWS won't show these again.

Now that the access keys have been created, we need to create environment variables for them on the same machine as the Bindplane Collector. The environment variables to add are `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, which correspond to the values retrieved earlier in this step.

You can modify the collector's environment variables by configuring a `systemd` override. Run `sudo systemctl edit observiq-otel-collector` and add the keys:

```ini
[Service]
Environment=AWS_ACCESS_KEY_ID=******
Environment=AWS_SECRET_ACCESS_KEY=******
```

When finished, reload systemd.

```bash
sudo systemctl daemon-reload
```

Now the Bindplane Collector will be able to authenticate with AWS as the user that was created back in step 1.

For more information on specifying the AWS credentials for the Bindplane Collector, please see this [AWS documentation](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials). See this [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) for alternative ways of using AWS environment variables for your specific environment.

#### 4. Retrieve Amazon Managed Prometheus workspace endpoint.

The last prerequisite step to configuring the Amazon Managed Prometheus destination is retrieving the remote write endpoint. If you haven't already created an Amazon Managed Prometheus workspace, search for "Amazon Prometheus" in the AWS console search bar and initialize one. With a workspace created, navigate to `All workspaces` inside of the Amazon Prometheus AWS service. Select the workspace you wish to send metrics to. On the summary page, copy the value for `Endpoint - remote write URL`. This is the endpoint you'll use when configuring the destination.
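Steps 2 and 4 can be combined to scope the role to a single workspace. The following Python is an added example, not Bindplane or AWS code: it reads the region and workspace ID out of the remote write URL and builds the custom trust policy from step 2 plus a custom permission policy limited to `aps:RemoteWrite` on that one workspace. The user ARN and endpoint are constructed samples, the function names are hypothetical, and the workspace is assumed to live in the same account as the user.

```python
import json
import re

# AMP remote write URLs embed the region and the workspace ID.
_ENDPOINT_RE = re.compile(
    r"^https://aps-workspaces\.(?P<region>[a-z0-9-]+)\.amazonaws\.com"
    r"/workspaces/(?P<ws>ws-[0-9a-f-]+)/api/v1/remote_write$")
# Exactly one IAM user: rejects "*", the account root and role ARNs.
_USER_ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):user/[\w+=,.@/-]+$")

# Constructed sample values, not real resources.
SAMPLE_USER = "arn:aws:iam::123456789012:user/Bindplane"
SAMPLE_ENDPOINT = ("https://aps-workspaces.us-east-2.amazonaws.com/workspaces/"
                   "ws-11111111-2222-3333-4444-555555555555/api/v1/remote_write")


def parse_endpoint(url):
    """Return (region, workspace_id) taken from an AMP remote write URL."""
    m = _ENDPOINT_RE.match(url.strip())
    if not m:
        raise ValueError("not an AMP remote write URL: %r" % url)
    return m["region"], m["ws"]


def _policy(**statement):
    """Wrap a single Allow statement in an IAM policy document."""
    return {"Version": "2012-10-17",
            "Statement": [dict(Effect="Allow", **statement)]}


def build_policies(user_arn, endpoint):
    """Return (trust_policy, permission_policy) for the exporter's role."""
    m = _USER_ARN_RE.match(user_arn)
    if not m:
        raise ValueError("expected a single IAM user ARN: %r" % user_arn)
    region, workspace = parse_endpoint(endpoint)
    # Assumption: the workspace is in the same account as the user.
    resource = "arn:aws:aps:%s:%s:workspace/%s" % (region, m["account"], workspace)
    trust = _policy(Principal={"AWS": user_arn}, Action="sts:AssumeRole")
    permission = _policy(Action="aps:RemoteWrite", Resource=resource)
    return trust, permission


if __name__ == "__main__":
    for doc in build_policies(SAMPLE_USER, SAMPLE_ENDPOINT):
        print(json.dumps(doc, indent=2))
```

The region returned by `parse_endpoint` is the value the `Region` field in the configuration below expects.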

### Configuration

<table><thead><tr><th width="139.03515625">Field</th><th>Description</th></tr></thead><tbody><tr><td>Endpoint</td><td>The remote write endpoint to send metrics to the Amazon Managed Prometheus workspace. See this <a href="https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-onboard-create-workspace.html">AMP documentation</a> for more.</td></tr><tr><td>Region</td><td>The region the Amazon Managed Prometheus workspace is located in. One location it can be found is in the given endpoint. See this <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html">AMP documentation</a> for more.</td></tr><tr><td>AWS Role</td><td>The Amazon Resource Name (ARN) for the AWS role the exporter will assume. The role should have permission to write to Amazon Managed Prometheus. See this <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html">AMP documentation</a> for more.</td></tr><tr><td>STS Region</td><td>The region to use for assuming the <code>AWS Role</code>. Useful for cross region authentication (i.e. if the agent is located in a different region than the AMP workspace). See this <a href="https://docs.aws.amazon.com/general/latest/gr/sts.html">AMP documentation</a> for more.</td></tr><tr><td>Session Name</td><td>Optional name to give the session when the exporter assumes the <code>AWS Role</code>. Useful to differentiate sessions when multiple principals could assume the given role. See this <a href="https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters">AWS Documentation</a> for more.</td></tr><tr><td>Compression</td><td>Compression algorithm to use when sending data to Amazon Managed Prometheus.</td></tr><tr><td>Namespace</td><td>Prefix to attach to each metric name. 
See this <a href="https://prometheus.io/docs/concepts/data_model/#metric-names-and-labels">Prometheus documentation</a> for more.</td></tr><tr><td>Max Batch Size</td><td>Maximum size, in bytes, for a batch of metrics to be sent to the AMP endpoint. If a batch is larger than this limit, it will be broken up into multiple batches.</td></tr><tr><td>Convert Attributes</td><td>Whether or not to convert all resource attributes to metric attributes.</td></tr><tr><td>Unit &#x26; Type Suffixes</td><td>Whether or not to attach the metric unit and metric type to the end of the metric name.</td></tr><tr><td>Created Metric</td><td>Whether or not a "_created" metric is exported for Summary, Histogram, and Monotonic Sum metric points when "StartTimeUnixNano" is set.</td></tr><tr><td>HTTP Headers</td><td>Additional headers to attach to each HTTP Request. The following headers cannot be changed: Content-Encoding, Content-Type, X-Prometheus-Remote-Write-Version, and User-Agent.</td></tr><tr><td>External Labels</td><td>Label names and values to be attached as metric attributes. See this <a href="https://prometheus.io/docs/concepts/data_model/#metric-names-and-labels">Prometheus documentation</a> for more.</td></tr><tr><td>Enable TLS</td><td>Whether or not to use TLS.</td></tr><tr><td>Strict TLS Verify</td><td>Whether or not to use strict TLS certificate verification.</td></tr><tr><td>Certificate Authority File</td><td>Certificate authority used to validate TLS certificates. Not required if the collector's operating system already trusts the certificate authority.</td></tr><tr><td>Enable Mutual TLS</td><td>Whether or not to use Mutual TLS.</td></tr><tr><td>Client Certification File</td><td>A TLS certificate used for client authentication, if Mutual TLS is enabled.</td></tr><tr><td>Client Private Key File</td><td>A TLS private key used for client authentication, if Mutual TLS is enabled.</td></tr><tr><td>Enable Remote Queue</td><td>Whether or not to enable a remote write queue. 
This helps balance outgoing results.</td></tr><tr><td>Remote Write Queue Size</td><td>The number of metrics that can be queued.</td></tr><tr><td>Remote Write Queue Consumers</td><td>The minimum number of workers to use to fan out the outgoing requests.</td></tr></tbody></table>

This destination supports the following [retry and queuing settings](https://docs.bindplane.com/configuration/bindplane-otel-collector/retry-on-failure):

| Sending Queue | Persistent Queue | Retry on Failure |
| ------------- | ---------------- | ---------------- |
|               |                  | ✓                |

### Example Configuration

Here we configure the destination to send to AMP by providing the endpoint, region, and ARN. The advanced configuration options we make use of are compression, namespace, max batch size, convert attributes, unit and type suffixes, created metric, and external labels, where we define a label called "bp\_agent" with a value of "agent1". We also enable TLS, Strict TLS, and Mutual TLS and provide a certificate authority file, client certificate file, and client key file. The remote write queue and Retry on Failure are enabled with their respective default configurations.

**Web Interface**

<figure><img src="https://1405008107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgmiOMzBfoNFwmKJFHMcJ%2Fuploads%2Fgit-blob-1b90dd58d29f9d61b3b3f9f439d0488366c6e3d4%2Fintegrations-destinations-amazon-managed-prometheus-image-1.png?alt=media" alt="Bindplane docs - Amazon Managed Prometheus - image 1"><figcaption></figcaption></figure>

<figure><img src="https://1405008107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgmiOMzBfoNFwmKJFHMcJ%2Fuploads%2Fgit-blob-593a1d7cce481f3af346eec9dd9723c233016b76%2Fintegrations-destinations-amazon-managed-prometheus-image-2.png?alt=media" alt="Bindplane docs - Amazon Managed Prometheus - image 2"><figcaption></figcaption></figure>

<figure><img src="https://1405008107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgmiOMzBfoNFwmKJFHMcJ%2Fuploads%2Fgit-blob-61ec89d41863b8be97545221afb8d9ab76409197%2Fintegrations-destinations-amazon-managed-prometheus-image-3.png?alt=media" alt="Bindplane docs - Amazon Managed Prometheus - image 3"><figcaption></figcaption></figure>

<figure><img src="https://1405008107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgmiOMzBfoNFwmKJFHMcJ%2Fuploads%2Fgit-blob-0009198edbe2bc8b4bc191bab248fa3aa2fe9058%2Fintegrations-destinations-amazon-managed-prometheus-image-4.png?alt=media" alt="Bindplane docs - Amazon Managed Prometheus - image 4"><figcaption></figcaption></figure>

**Standalone Destination**

```yaml
apiVersion: bindplane.observiq.com/v1
kind: Destination
metadata:
  id: aws_managed_prometheus
  name: aws_managed_prometheus
spec:
  type: aws_managed_prometheus
  parameters:
    - name: endpoint
      value: some_aws_amp_workspace_endpoint
    - name: region
      value: us-east-2
    - name: arn
      value: some_aws_role_arn
    - name: compression
      value: snappy
    - name: namespace
      value: bp_amp
    - name: max_batch_size_bytes
      value: 3000000
    - name: enable_resource_to_telemetry_conversion
      value: true
    - name: add_unit_and_type
      value: true
    - name: export_created_metric
      value: true
    - name: external_labels
      value:
        bp_agent: agent1
    - name: enable_tls
      value: true
    - name: strict_tls_verify
      value: true
    - name: ca_file
      value: some_ca_file
    - name: mutual_tls
      value: true
    - name: cert_file
      value: some_cert_file
    - name: key_file
      value: some_key_file
    - name: enable_remote_write_queue
      value: true
    - name: retry_on_failure_enabled
      value: true
```


