---
title: "discovery.aws | Grafana Alloy documentation"
description: "Learn about discovery.aws"
---

> For a curated documentation index, see [llms.txt](/llms.txt). For the complete documentation index, see [llms-full.txt](/llms-full.txt).

# `discovery.aws`

`discovery.aws` lets you retrieve scrape targets from AWS services using a single, role-based configuration. Set `role` to choose which AWS service to discover: `ec2`, `ecs`, `elasticache`, `lightsail`, `msk`, or `rds`.

This unifies AWS service discovery under one component and is the way to discover Amazon ECS targets. It doesn’t replace [`discovery.ec2`](../discovery.ec2/) or [`discovery.lightsail`](../discovery.lightsail/), which remain available.

The IAM credentials used must grant the permissions the selected `role` requires to list resources, for example `ec2:DescribeInstances` for the `ec2` role or `ecs:ListClusters`, `ecs:ListServices`, and `ecs:ListTasks` for the `ecs` role.

## Usage

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
discovery.aws "<LABEL>" {
  role = "<ROLE>"
}
```

## Arguments

You can use the following arguments with `discovery.aws`:

Expand table

| Name                     | Type                | Description                                                                                                             | Default | Required |
|--------------------------|---------------------|-------------------------------------------------------------------------------------------------------------------------|---------|----------|
| `role`                   | `string`            | The AWS service to discover. One of `ec2`, `ecs`, `elasticache`, `lightsail`, `msk`, `rds`.                             |         | yes      |
| `access_key`             | `string`            | The AWS API key ID. If blank, the environment variable `AWS_ACCESS_KEY_ID` is used.                                     |         | no       |
| `bearer_token_file`      | `string`            | File containing a bearer token to authenticate with.                                                                    |         | no       |
| `bearer_token`           | `secret`            | Bearer token to authenticate with.                                                                                      |         | no       |
| `clusters`               | `list(string)`      | Restrict discovery to these clusters. Only used with the `ecs`, `elasticache`, `msk`, and `rds` roles.                  |         | no       |
| `enable_http2`           | `bool`              | Whether HTTP2 is supported for requests.                                                                                | `true`  | no       |
| `endpoint`               | `string`            | Custom endpoint to be used.                                                                                             |         | no       |
| `external_id`            | `string`            | AWS External ID used when assuming `role_arn`.                                                                          |         | no       |
| `follow_redirects`       | `bool`              | Whether redirects returned by the server should be followed.                                                            | `true`  | no       |
| `http_headers`           | `map(list(secret))` | Custom HTTP headers to be sent along with each request. The map key is the header name.                                 |         | no       |
| `no_proxy`               | `string`            | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying.                        |         | no       |
| `port`                   | `int`               | The port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule. | `80`    | no       |
| `profile`                | `string`            | Named AWS profile used to connect to the API.                                                                           |         | no       |
| `proxy_connect_header`   | `map(list(secret))` | Specifies headers to send to proxies during CONNECT requests.                                                           |         | no       |
| `proxy_from_environment` | `bool`              | Use the proxy URL indicated by environment variables.                                                                   | `false` | no       |
| `proxy_url`              | `string`            | HTTP proxy to send requests through.                                                                                    |         | no       |
| `refresh_interval`       | `duration`          | Refresh interval to re-read the resource list.                                                                          | `"60s"` | no       |
| `region`                 | `string`            | The AWS region. If blank, the region from the instance metadata is used.                                                |         | no       |
| `request_concurrency`    | `int`               | Maximum number of concurrent AWS API requests. Only used with the `ecs`, `elasticache`, `msk`, and `rds` roles.         |         | no       |
| `role_arn`               | `string`            | AWS Role Amazon Resource Name (ARN), an alternative to using AWS API keys.                                              |         | no       |
| `secret_key`             | `string`            | The AWS API key secret. If blank, the environment variable `AWS_SECRET_ACCESS_KEY` is used.                             |         | no       |

The `clusters` and `request_concurrency` arguments only apply to the `ecs`, `elasticache`, `msk`, and `rds` roles. When `request_concurrency` isn’t set, it defaults to `20` for the `ecs` role and `10` for the `elasticache`, `msk`, and `rds` roles. The \[`filter`]\[filter] block only applies to the `ec2` role.

At most, one of the following can be provided:

- \[`authorization`]\[authorization] block
- \[`basic_auth`]\[basic\_auth] block
- [`bearer_token_file`](#arguments) argument
- [`bearer_token`](#arguments) argument
- \[`oauth2`]\[oauth2] block

`no_proxy` can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. `proxy_url` must be configured if `no_proxy` is configured.

`proxy_from_environment` uses the environment variables HTTP\_PROXY, HTTPS\_PROXY, and NO\_PROXY (or the lowercase versions thereof). Requests use the proxy from the environment variable matching their scheme, unless excluded by NO\_PROXY. `proxy_url` and `no_proxy` must not be configured if `proxy_from_environment` is configured.

`proxy_connect_header` should only be configured if `proxy_url` or `proxy_from_environment` are configured.

## Blocks

You can use the following blocks with `discovery.aws`:

No valid configuration blocks found.

### `authorization`

The `authorization` block configures generic authorization to the endpoint.

Expand table

| Name               | Type     | Description                                | Default | Required |
|--------------------|----------|--------------------------------------------|---------|----------|
| `credentials_file` | `string` | File containing the secret value.          |         | no       |
| `credentials`      | `secret` | Secret value.                              |         | no       |
| `type`             | `string` | Authorization type, for example, “Bearer”. |         | no       |

`credential` and `credentials_file` are mutually exclusive, and only one can be provided inside an `authorization` block.

> Warning
> 
> Using `credentials_file` causes the file to be read on every outgoing request. Use the `local.file` component with the `credentials` attribute instead to avoid unnecessary reads.

### `basic_auth`

The `basic_auth` block configures basic authentication to the endpoint.

Expand table

| Name            | Type     | Description                              | Default | Required |
|-----------------|----------|------------------------------------------|---------|----------|
| `password_file` | `string` | File containing the basic auth password. |         | no       |
| `password`      | `secret` | Basic auth password.                     |         | no       |
| `username`      | `string` | Basic auth username.                     |         | no       |

`password` and `password_file` are mutually exclusive, and only one can be provided inside a `basic_auth` block.

> Warning
> 
> Using `password_file` causes the file to be read on every outgoing request. Use the `local.file` component with the `password` attribute instead to avoid unnecessary reads.

### `filter`

The `filter` block filters the EC2 instance list by other criteria. It only applies to the `ec2` role. Refer to the [Amazon EC2 documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html) for more information about filters.

Expand table

| Name     | Type           | Description                   | Default | Required |
|----------|----------------|-------------------------------|---------|----------|
| `name`   | `string`       | Filter name to use.           |         | yes      |
| `values` | `list(string)` | Values to pass to the filter. |         | yes      |

Refer to the [Filter API AWS EC2 documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Filter.html) for the list of supported filters and their descriptions.

### `oauth2`

The `oauth2` block configures OAuth 2.0 authentication to the endpoint.

Expand table

| Name                     | Type                | Description                                                                                      | Default | Required |
|--------------------------|---------------------|--------------------------------------------------------------------------------------------------|---------|----------|
| `client_id`              | `string`            | OAuth2 client ID.                                                                                |         | no       |
| `client_secret_file`     | `string`            | File containing the OAuth2 client secret.                                                        |         | no       |
| `client_secret`          | `secret`            | OAuth2 client secret.                                                                            |         | no       |
| `endpoint_params`        | `map(string)`       | Optional parameters to append to the token URL.                                                  |         | no       |
| `no_proxy`               | `string`            | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |         | no       |
| `proxy_connect_header`   | `map(list(secret))` | Specifies headers to send to proxies during CONNECT requests.                                    |         | no       |
| `proxy_from_environment` | `bool`              | Use the proxy URL indicated by environment variables.                                            | `false` | no       |
| `proxy_url`              | `string`            | HTTP proxy to send requests through.                                                             |         | no       |
| `scopes`                 | `list(string)`      | List of scopes to authenticate with.                                                             |         | no       |
| `token_url`              | `string`            | URL to fetch the token from.                                                                     |         | no       |

`client_secret` and `client_secret_file` are mutually exclusive, and only one can be provided inside an `oauth2` block.

> Warning
> 
> Using `client_secret_file` causes the file to be read on every outgoing request. Use the `local.file` component with the `client_secret` attribute instead to avoid unnecessary reads.

The `oauth2` block may also contain a separate `tls_config` sub-block.

`no_proxy` can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. `proxy_url` must be configured if `no_proxy` is configured.

`proxy_from_environment` uses the environment variables HTTP\_PROXY, HTTPS\_PROXY, and NO\_PROXY (or the lowercase versions thereof). Requests use the proxy from the environment variable matching their scheme, unless excluded by NO\_PROXY. `proxy_url` and `no_proxy` must not be configured if `proxy_from_environment` is configured.

`proxy_connect_header` should only be configured if `proxy_url` or `proxy_from_environment` are configured.

### `tls_config`

The `tls_config` block configures TLS settings for connecting to the endpoint.

Expand table

| Name                   | Type     | Description                                              | Default | Required |
|------------------------|----------|----------------------------------------------------------|---------|----------|
| `ca_pem`               | `string` | CA PEM-encoded text to validate the server with.         |         | no       |
| `ca_file`              | `string` | CA certificate to validate the server with.              |         | no       |
| `cert_pem`             | `string` | Certificate PEM-encoded text for client authentication.  |         | no       |
| `cert_file`            | `string` | Certificate file for client authentication.              |         | no       |
| `insecure_skip_verify` | `bool`   | Disables validation of the server certificate.           |         | no       |
| `key_file`             | `string` | Key file for client authentication.                      |         | no       |
| `key_pem`              | `secret` | Key PEM-encoded text for client authentication.          |         | no       |
| `min_version`          | `string` | Minimum acceptable TLS version.                          |         | no       |
| `server_name`          | `string` | ServerName extension to indicate the name of the server. |         | no       |

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

When configuring client authentication, both the client certificate (using `cert_pem` or `cert_file`) and the client key (using `key_pem` or `key_file`) must be provided.

When `min_version` isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If `min_version` is provided, it must be set to one of the following strings:

- `"TLS10"` (TLS 1.0)
- `"TLS11"` (TLS 1.1)
- `"TLS12"` (TLS 1.2)
- `"TLS13"` (TLS 1.3)

> Caution
> 
> If you set `insecure_skip_verify` to `true`, you disable verification of the server’s certificate chain and hostname. Alloy accepts any certificate the server presents, including expired, self-signed, or invalid certificates.
> 
> You can use `insecure_skip_verify` for local development, self-signed certificates, or endpoints that use a private CA outside the system trust store. If the hostname doesn’t match the certificate, set `server_name` instead of `insecure_skip_verify`. In production, use `ca_file` or `ca_pem` to trust a private CA instead of `insecure_skip_verify`.
> 
> Set `insecure_skip_verify` to `true` only in isolated development or testing environments where you don’t transmit sensitive data. Remove the setting before you deploy to production.

## Exported fields

The following fields are exported and can be referenced by other components:

Expand table

| Name      | Type                | Description                        |
|-----------|---------------------|------------------------------------|
| `targets` | `list(map(string))` | The set of discovered AWS targets. |

The labels attached to each target depend on the `role`.

### `ec2`

- `__meta_ec2_ami`: The EC2 Amazon Machine Image.
- `__meta_ec2_architecture`: The architecture of the instance.
- `__meta_ec2_availability_zone_id`: The availability zone ID in which the instance is running. Requires `ec2:DescribeAvailabilityZones`.
- `__meta_ec2_availability_zone`: The availability zone in which the instance is running.
- `__meta_ec2_instance_id`: The EC2 instance ID.
- `__meta_ec2_instance_lifecycle`: The lifecycle of the EC2 instance, set only for ‘spot’ or ‘scheduled’ instances, absent otherwise.
- `__meta_ec2_instance_state`: The state of the EC2 instance.
- `__meta_ec2_instance_type`: The type of the EC2 instance.
- `__meta_ec2_ipv6_addresses`: Comma-separated list of IPv6 addresses assigned to the instance’s network interfaces, if present.
- `__meta_ec2_owner_id`: The ID of the AWS account that owns the EC2 instance.
- `__meta_ec2_platform`: The Operating System platform, set to ‘windows’ on Windows servers, absent otherwise.
- `__meta_ec2_primary_ipv6_addresses`: Comma separated list of the Primary IPv6 addresses of the instance, if present. The list is ordered based on the position of each corresponding network interface in the attachment order.
- `__meta_ec2_primary_subnet_id`: The subnet ID of the primary network interface, if available.
- `__meta_ec2_private_dns_name`: The private DNS name of the instance, if available.
- `__meta_ec2_private_ip`: The private IP address of the instance, if present.
- `__meta_ec2_public_dns_name`: The public DNS name of the instance, if available.
- `__meta_ec2_public_ip`: The public IP address of the instance, if available.
- `__meta_ec2_region`: The region of the instance.
- `__meta_ec2_subnet_id`: Comma-separated list of subnets IDs in which the instance is running, if available.
- `__meta_ec2_tag_<tagkey>`: Each tag value of the instance.
- `__meta_ec2_vpc_id`: The ID of the VPC in which the instance is running, if available.

### `lightsail`

- `__meta_lightsail_availability_zone`: The availability zone in which the instance is running.
- `__meta_lightsail_blueprint_id`: The Lightsail blueprint ID.
- `__meta_lightsail_bundle_id`: The Lightsail bundle ID.
- `__meta_lightsail_instance_name`: The name of the Lightsail instance.
- `__meta_lightsail_instance_state`: The state of the Lightsail instance.
- `__meta_lightsail_instance_support_code`: The support code of the Lightsail instance.
- `__meta_lightsail_private_ip`: The private IP address of the instance.
- `__meta_lightsail_public_ip`: The public IP address of the instance, if available.
- `__meta_lightsail_region`: The region of the instance.
- `__meta_lightsail_tag_<tagkey>`: Each tag value of the instance.

### `ecs`

- `__meta_ecs_availability_zone`: The availability zone of the task.
- `__meta_ecs_cluster`: The name of the ECS cluster.
- `__meta_ecs_cluster_arn`: The ARN of the ECS cluster.
- `__meta_ecs_container_instance_arn`: The ARN of the container instance the task runs on, if available.
- `__meta_ecs_desired_status`: The desired status of the task.
- `__meta_ecs_ec2_instance_id`: The ID of the backing EC2 instance, if available.
- `__meta_ecs_ec2_instance_private_ip`: The private IP of the backing EC2 instance, if available.
- `__meta_ecs_ec2_instance_public_ip`: The public IP of the backing EC2 instance, if available.
- `__meta_ecs_ec2_instance_type`: The type of the backing EC2 instance, if available.
- `__meta_ecs_health_status`: The health status of the task.
- `__meta_ecs_ip_address`: The IP address of the task.
- `__meta_ecs_last_status`: The last known status of the task.
- `__meta_ecs_launch_type`: The launch type of the task, for example `EC2` or `FARGATE`.
- `__meta_ecs_network_mode`: The network mode of the task.
- `__meta_ecs_platform_family`: The platform family of the task.
- `__meta_ecs_platform_version`: The platform version of the task.
- `__meta_ecs_public_ip`: The public IP of the task, if available.
- `__meta_ecs_region`: The region of the task.
- `__meta_ecs_service`: The name of the ECS service.
- `__meta_ecs_service_arn`: The ARN of the ECS service.
- `__meta_ecs_service_status`: The status of the ECS service.
- `__meta_ecs_subnet_id`: The subnet ID of the task, if available.
- `__meta_ecs_tag_<tagkey>`: Each tag value on the task, service, cluster, or backing EC2 instance, prefixed by the resource it belongs to.
- `__meta_ecs_task_arn`: The ARN of the task.
- `__meta_ecs_task_definition`: The task definition of the task.
- `__meta_ecs_task_group`: The task group of the task.

### `elasticache`, `msk`, and `rds`

These roles attach labels under the `__meta_elasticache_`, `__meta_msk_`, and `__meta_rds_` prefixes respectively, describing the discovered cluster, node, instance, and tag attributes. Refer to the [Prometheus `aws_sd_config` documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#aws_sd_config) for the current set of labels for these roles.

## Component health

`discovery.aws` is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

## Debug information

`discovery.aws` doesn’t expose any component-specific debug information.

## Debug metrics

`discovery.aws` doesn’t expose any component-specific debug metrics.

## Example

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
discovery.aws "ecs" {
  role   = "ecs"
  region = "us-east-1"
}

prometheus.scrape "demo" {
  targets    = discovery.aws.ecs.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}
```

Replace the following:

- *`<PROMETHEUS_REMOTE_WRITE_URL>`* : The URL of the Prometheus remote\_write-compatible server to send metrics to.
- *`<USERNAME>`* : The username to use for authentication to the `remote_write` API.
- *`<PASSWORD>`* : The password to use for authentication to the `remote_write` API.

## Compatible components

`discovery.aws` has exports that can be consumed by the following components:

- Components that consume [Targets](../../../compatibility/#targets-consumers)

> Note
> 
> Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.
