This is documentation for the next version of Grafana Alloy Documentation. For the latest stable release, go to the latest version.
discovery.aws
discovery.aws lets you retrieve scrape targets from AWS services using a single, role-based configuration.
Set role to choose which AWS service to discover: ec2, ecs, elasticache, lightsail, msk, or rds.
This unifies AWS service discovery under one component and is the way to discover Amazon ECS targets.
It doesn’t replace discovery.ec2 or discovery.lightsail, which remain available.
The IAM credentials used must grant the permissions the selected role requires to list resources, for example ec2:DescribeInstances for the ec2 role or ecs:ListClusters, ecs:ListServices, and ecs:ListTasks for the ecs role.
Usage
discovery.aws "<LABEL>" {
role = "<ROLE>"
}Arguments
You can use the following arguments with discovery.aws:
The clusters and request_concurrency arguments only apply to the ecs, elasticache, msk, and rds roles.
When request_concurrency isn’t set, it defaults to 20 for the ecs role and 10 for the elasticache, msk, and rds roles.
The [filter][filter] block only applies to the ec2 role.
At most, one of the following can be provided:
- [
authorization][authorization] block - [
basic_auth][basic_auth] block bearer_token_fileargumentbearer_tokenargument- [
oauth2][oauth2] block
no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers.
proxy_url must be configured if no_proxy is configured.
proxy_from_environment uses the environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY (or the lowercase versions thereof).
Requests use the proxy from the environment variable matching their scheme, unless excluded by NO_PROXY.
proxy_url and no_proxy must not be configured if proxy_from_environment is configured.
proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.
Blocks
You can use the following blocks with discovery.aws:
No valid configuration blocks found.
authorization
The authorization block configures generic authorization to the endpoint.
credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.
Warning
Using
credentials_filecauses the file to be read on every outgoing request. Use thelocal.filecomponent with thecredentialsattribute instead to avoid unnecessary reads.
basic_auth
The basic_auth block configures basic authentication to the endpoint.
password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.
Warning
Using
password_filecauses the file to be read on every outgoing request. Use thelocal.filecomponent with thepasswordattribute instead to avoid unnecessary reads.
filter
The filter block filters the EC2 instance list by other criteria. It only applies to the ec2 role.
Refer to the Amazon EC2 documentation for more information about filters.
Refer to the Filter API AWS EC2 documentation for the list of supported filters and their descriptions.
oauth2
The oauth2 block configures OAuth 2.0 authentication to the endpoint.
client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.
Warning
Using
client_secret_filecauses the file to be read on every outgoing request. Use thelocal.filecomponent with theclient_secretattribute instead to avoid unnecessary reads.
The oauth2 block may also contain a separate tls_config sub-block.
no_proxy can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers.
proxy_url must be configured if no_proxy is configured.
proxy_from_environment uses the environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY (or the lowercase versions thereof).
Requests use the proxy from the environment variable matching their scheme, unless excluded by NO_PROXY.
proxy_url and no_proxy must not be configured if proxy_from_environment is configured.
proxy_connect_header should only be configured if proxy_url or proxy_from_environment are configured.
tls_config
The tls_config block configures TLS settings for connecting to the endpoint.
The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:
ca_pemandca_filecert_pemandcert_filekey_pemandkey_file
When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.
When min_version isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2.
If min_version is provided, it must be set to one of the following strings:
"TLS10"(TLS 1.0)"TLS11"(TLS 1.1)"TLS12"(TLS 1.2)"TLS13"(TLS 1.3)
Caution
If you set
insecure_skip_verifytotrue, you disable verification of the server’s certificate chain and hostname. Alloy accepts any certificate the server presents, including expired, self-signed, or invalid certificates.You can use
insecure_skip_verifyfor local development, self-signed certificates, or endpoints that use a private CA outside the system trust store. If the hostname doesn’t match the certificate, setserver_nameinstead ofinsecure_skip_verify. In production, useca_fileorca_pemto trust a private CA instead ofinsecure_skip_verify.Set
insecure_skip_verifytotrueonly in isolated development or testing environments where you don’t transmit sensitive data. Remove the setting before you deploy to production.
Exported fields
The following fields are exported and can be referenced by other components:
The labels attached to each target depend on the role.
ec2
__meta_ec2_ami: The EC2 Amazon Machine Image.__meta_ec2_architecture: The architecture of the instance.__meta_ec2_availability_zone_id: The availability zone ID in which the instance is running. Requiresec2:DescribeAvailabilityZones.__meta_ec2_availability_zone: The availability zone in which the instance is running.__meta_ec2_instance_id: The EC2 instance ID.__meta_ec2_instance_lifecycle: The lifecycle of the EC2 instance, set only for ‘spot’ or ‘scheduled’ instances, absent otherwise.__meta_ec2_instance_state: The state of the EC2 instance.__meta_ec2_instance_type: The type of the EC2 instance.__meta_ec2_ipv6_addresses: Comma-separated list of IPv6 addresses assigned to the instance’s network interfaces, if present.__meta_ec2_owner_id: The ID of the AWS account that owns the EC2 instance.__meta_ec2_platform: The Operating System platform, set to ‘windows’ on Windows servers, absent otherwise.__meta_ec2_primary_ipv6_addresses: Comma separated list of the Primary IPv6 addresses of the instance, if present. The list is ordered based on the position of each corresponding network interface in the attachment order.__meta_ec2_primary_subnet_id: The subnet ID of the primary network interface, if available.__meta_ec2_private_dns_name: The private DNS name of the instance, if available.__meta_ec2_private_ip: The private IP address of the instance, if present.__meta_ec2_public_dns_name: The public DNS name of the instance, if available.__meta_ec2_public_ip: The public IP address of the instance, if available.__meta_ec2_region: The region of the instance.__meta_ec2_subnet_id: Comma-separated list of subnets IDs in which the instance is running, if available.__meta_ec2_tag_<tagkey>: Each tag value of the instance.__meta_ec2_vpc_id: The ID of the VPC in which the instance is running, if available.
lightsail
__meta_lightsail_availability_zone: The availability zone in which the instance is running.__meta_lightsail_blueprint_id: The Lightsail blueprint ID.__meta_lightsail_bundle_id: The Lightsail bundle ID.__meta_lightsail_instance_name: The name of the Lightsail instance.__meta_lightsail_instance_state: The state of the Lightsail instance.__meta_lightsail_instance_support_code: The support code of the Lightsail instance.__meta_lightsail_private_ip: The private IP address of the instance.__meta_lightsail_public_ip: The public IP address of the instance, if available.__meta_lightsail_region: The region of the instance.__meta_lightsail_tag_<tagkey>: Each tag value of the instance.
ecs
__meta_ecs_availability_zone: The availability zone of the task.__meta_ecs_cluster: The name of the ECS cluster.__meta_ecs_cluster_arn: The ARN of the ECS cluster.__meta_ecs_container_instance_arn: The ARN of the container instance the task runs on, if available.__meta_ecs_desired_status: The desired status of the task.__meta_ecs_ec2_instance_id: The ID of the backing EC2 instance, if available.__meta_ecs_ec2_instance_private_ip: The private IP of the backing EC2 instance, if available.__meta_ecs_ec2_instance_public_ip: The public IP of the backing EC2 instance, if available.__meta_ecs_ec2_instance_type: The type of the backing EC2 instance, if available.__meta_ecs_health_status: The health status of the task.__meta_ecs_ip_address: The IP address of the task.__meta_ecs_last_status: The last known status of the task.__meta_ecs_launch_type: The launch type of the task, for exampleEC2orFARGATE.__meta_ecs_network_mode: The network mode of the task.__meta_ecs_platform_family: The platform family of the task.__meta_ecs_platform_version: The platform version of the task.__meta_ecs_public_ip: The public IP of the task, if available.__meta_ecs_region: The region of the task.__meta_ecs_service: The name of the ECS service.__meta_ecs_service_arn: The ARN of the ECS service.__meta_ecs_service_status: The status of the ECS service.__meta_ecs_subnet_id: The subnet ID of the task, if available.__meta_ecs_tag_<tagkey>: Each tag value on the task, service, cluster, or backing EC2 instance, prefixed by the resource it belongs to.__meta_ecs_task_arn: The ARN of the task.__meta_ecs_task_definition: The task definition of the task.__meta_ecs_task_group: The task group of the task.
elasticache, msk, and rds
These roles attach labels under the __meta_elasticache_, __meta_msk_, and __meta_rds_ prefixes respectively, describing the discovered cluster, node, instance, and tag attributes.
Refer to the Prometheus aws_sd_config documentation for the current set of labels for these roles.
Component health
discovery.aws is only reported as unhealthy when given an invalid configuration.
In those cases, exported fields retain their last healthy values.
Debug information
discovery.aws doesn’t expose any component-specific debug information.
Debug metrics
discovery.aws doesn’t expose any component-specific debug metrics.
Example
discovery.aws "ecs" {
role = "ecs"
region = "us-east-1"
}
prometheus.scrape "demo" {
targets = discovery.aws.ecs.targets
forward_to = [prometheus.remote_write.demo.receiver]
}
prometheus.remote_write "demo" {
endpoint {
url = "<PROMETHEUS_REMOTE_WRITE_URL>"
basic_auth {
username = "<USERNAME>"
password = "<PASSWORD>"
}
}
}Replace the following:
<PROMETHEUS_REMOTE_WRITE_URL>: The URL of the Prometheus remote_write-compatible server to send metrics to.<USERNAME>: The username to use for authentication to theremote_writeAPI.<PASSWORD>: The password to use for authentication to theremote_writeAPI.
Compatible components
discovery.aws has exports that can be consumed by the following components:
- Components that consume Targets
Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.


