Cloud Experts Documentation

Using the AWS Cloud Watch agent to publish metrics to CloudWatch in ROSA

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

This document shows how you can use the AWS Cloud Watch agent to scrape Prometheus endpoints and publish metrics to CloudWatch in a Red Hat OpenShift Container Platform (ROSA) cluster.

It pulls from The AWS documentation for installing the CloudWatch agent to Kubernetes and collections and publishes metrics for the Kubernetes API Server and provides a simple Dashboard to view the results.

Currently the AWS Cloud Watch Agent does not supportexternal link (opens in new tab) pulling all metrics from the Prometheus federated endpoint, but the hope is that when it does we can ship all Cluster and User Workload metrics to CloudWatch.


  1. AWS CLIexternal link (opens in new tab)
  2. jqexternal link (opens in new tab)
  3. A ROSA Cluster

Prepare AWS Account

  1. Turn off AWS CLI Paging

    export AWS_PAGER=""
  2. Set some environment variables

    Change these to suit your environment.

    export CLUSTER_NAME=metrics
    export CLUSTER_REGION=us-east-2
    export SCRATCH_DIR=/tmp/scratch
    mkdir -p $SCRATCH_DIR
  3. Create an AWS IAM User for Cloud Watch

    aws iam create-user \
      --user-name $CLUSTER_NAME-cloud-watch \
      > $SCRATCH_DIR/aws-user.json
  4. Fetch Access and Secret Keys for IAM User

    aws iam create-access-key \
      --user-name $CLUSTER_NAME-cloud-watch \
      > $SCRATCH_DIR/aws-access-key.json
  5. Attach Policy to AWS IAM User

    aws iam attach-user-policy \
      --user-name $CLUSTER_NAME-cloud-watch \
      --policy-arn "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"

Deploy Cloud Watch Prometheus Agent

  1. Create a namespace for Cloud Watch

    oc create namespace amazon-cloudwatch
  2. Download the Cloud Watch Agent Kubernetes manifests

    wget -O $SCRATCH_DIR/cloud-watch.yaml
  3. Update the Cloud Watch Agent Kubernetes manifests

    sed -i .bak "s/__cluster_name__/$CLUSTER_NAME/g" $SCRATCH_DIR/cloud-watch.yaml
    sed -i .bak "s/__cluster_region__/$CLUSTER_REGION/g" $SCRATCH_DIR/cloud-watch.yaml
  4. Provide AWS Creds to the Cloud Watch Agent

    AWS_ID=`cat $SCRATCH_DIR/aws-access-key.json | jq -r '.AccessKey.AccessKeyId'`
    AWS_KEY=`cat $SCRATCH_DIR/aws-access-key.json | jq -r '.AccessKey.SecretAccessKey'`
    echo "[AmazonCloudWatchAgent]\naws_access_key_id = $AWS_ID\naws_secret_access_key = $AWS_KEY" \
      > $SCRATCH_DIR/credentials
    oc --namespace amazon-cloudwatch \
      create secret generic aws-credentials \
  5. Allow Cloud Watch Agent to run as Root user (inside the container)

    oc -n amazon-cloudwatch adm policy \
      add-scc-to-user anyuid -z cwagent-prometheus
  6. Apply the Cloud Watch Agent Kubernetes manifests

    oc apply -f $SCRATCH_DIR/cloud-watch.yaml
  7. Check the Pod is running

    oc get pods -n amazon-cloudwatch

    You should see:

    NAME                                  READY   STATUS    RESTARTS   AGE
    cwagent-prometheus-54cd498c9c-btmjm   1/1     Running   0          60m

Create Sample Dashboard

  1. Download the Sample Dashboard

    wget -O $SCRATCH_DIR/dashboard.json
  2. Update the Sample Dashboard

    sed -i .bak "s/__CLUSTER_NAME__/$CLUSTER_NAME/g" $SCRATCH_DIR/dashboard.json
    sed -i .bak "s/__REGION_NAME__/$CLUSTER_REGION/g" $SCRATCH_DIR/dashboard.json
  3. Browse to link (opens in new tab)

  4. Create a Dashboard, call it “Kubernetes API Server”

  5. Click Actions->View/edit source

  6. Paste the JSON contents from $SCRATCH_DIR/dashboard.json into the text area

  7. View the dashboard

    Example AWS Dashboard

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

Red Hat logo LinkedIn YouTube Facebook Twitter



Try, buy & sell


About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now
© 2023 Red Hat, Inc.