Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow Monitor applicationsbreadcrumb arrow Database Observabilitybreadcrumb arrow Set upbreadcrumb arrow MySQLbreadcrumb arrow Amazon RDS
Grafana Cloud

Set up Amazon RDS for MySQL

Set up Database Observability with Grafana Cloud to collect telemetry from Amazon Relational Database Service (Amazon RDS) for MySQL instances using Grafana Alloy. You configure your Amazon RDS instance and Alloy to forward telemetry to Grafana Cloud.

What you’ll achieve

In this article, you:

  • Configure Amazon RDS for MySQL parameter groups for monitoring.
  • Create monitoring users with required privileges.
  • Configure Alloy with the Database Observability components.
  • Forward telemetry to Grafana Cloud.

Before you begin

Review these requirements:

  • Amazon RDS for MySQL 8.0 or later.
  • Access to modify Amazon RDS parameter groups.
  • Grafana Alloy deployed and accessible to your Amazon RDS instance.
  • Network connectivity between Alloy and your Amazon RDS instance endpoint.

For general MySQL setup concepts, refer to Set up MySQL.

Configure the DB parameter group

Enable Performance Schema and related instrumentation by configuring your RDS MySQL parameter group. These parameters require an instance restart to take effect.

Required parameters

ParameterValueNotes
performance_schema1Requires restart
performance_schema_max_digest_length4096Requires restart
performance_schema_max_sql_text_length4096Requires restart
max_digest_length4096Requires restart

Use the Amazon RDS console

  1. Open the RDS Console and navigate to Parameter groups.
  2. Create a new parameter group or modify an existing one with family mysql8.0.
  3. Set the parameters listed above.
  4. Apply the parameter group to your RDS instance.
  5. Reboot the instance to apply changes.

For detailed console instructions, refer to Working with parameter groups in the AWS documentation.

Use Terraform

Using Terraform with aws_db_parameter_group:

hcl 
resource "aws_db_parameter_group" "rds_mysql_monitoring" {
  name   = "<INSTANCE_NAME>-monitoring-params"
  family = "mysql8.0"

  parameter {
    name         = "performance_schema"
    value        = "1"
    apply_method = "pending-reboot"
  }

  parameter {
    name         = "performance_schema_max_digest_length"
    value        = "4096"
    apply_method = "pending-reboot"
  }

  parameter {
    name         = "performance_schema_max_sql_text_length"
    value        = "4096"
    apply_method = "pending-reboot"
  }

  parameter {
    name         = "max_digest_length"
    value        = "4096"
    apply_method = "pending-reboot"
  }
}

Replace <INSTANCE_NAME> with your RDS instance name.

After applying the parameter group to your instance, restart the instance for the changes to take effect.

Create a monitoring user and grant required privileges

Connect to your RDS MySQL instance and create the monitoring user:

Disable tracking of monitoring user queries

Grant object privileges for detailed data

Grant privileges to auto-enable consumers

Verify user privileges

Verify parameter group settings

Run and configure Alloy

Run Alloy and add the Database Observability configuration for your RDS instance.

Run the latest Alloy version

Add the RDS MySQL configuration blocks

Add these blocks to Alloy for RDS MySQL. Replace <DB_NAME>. Create a local.file with the Data Source Name string, for example, <DB_USER>:<DB_PASSWORD>@tcp(<INSTANCE_ENDPOINT>:<DB_PORT>)/:

Alloy 
local.file "mysql_secret_<DB_NAME>" {
  filename  = "/var/lib/alloy/mysql_secret_<DB_NAME>"
  is_secret = true
}

prometheus.exporter.mysql "mysql_<DB_NAME>" {
  data_source_name  = local.file.mysql_secret_<DB_NAME>.content
  enable_collectors = ["perf_schema.eventsstatements"]
  perf_schema.eventsstatements {
    text_limit = 0
  }
}

database_observability.mysql "mysql_<DB_NAME>" {
  data_source_name  = local.file.mysql_secret_<DB_NAME>.content
  forward_to        = [loki.relabel.database_observability_mysql_<DB_NAME>.receiver]
  targets           = prometheus.exporter.mysql.mysql_<DB_NAME>.targets

  cloud_provider {
    aws {
      arn = "<AWS_RDS_INSTANCE_ARN>"
    }
  }
}

loki.relabel "database_observability_mysql_<DB_NAME>" {
  forward_to = [loki.write.logs_service.receiver]

  // OPTIONAL: add any additional relabeling rules
  // (must be consistent with rules in "discovery.relabel")
  rule {
    target_label = "instance"
    replacement  = "<INSTANCE_LABEL>"
  }
}

discovery.relabel "database_observability_mysql_<DB_NAME>" {
  targets = database_observability.mysql.mysql_<DB_NAME>.targets

  rule {
    target_label = "job"
    replacement  = "integrations/db-o11y"
  }

  // OPTIONAL: add any additional relabeling rules
  // (must be consistent with rules in "loki.relabel")
  rule {
    target_label = "instance"
    replacement  = "<INSTANCE_LABEL>"
  }
}

prometheus.scrape "database_observability_mysql_<DB_NAME>" {
  targets    = discovery.relabel.database_observability_mysql_<DB_NAME>.output
  forward_to = [prometheus.remote_write.metrics_service.receiver]
}

Replace the placeholders:

  • DB_NAME: Database name Alloy uses in component identifiers (appears in component names and secret filenames).
  • AWS_RDS_INSTANCE_ARN: AWS RDS instance ARN for cloud provider integration.
  • INSTANCE_LABEL: Value that sets the instance label on logs and metrics (optional).
  • Secret file content DSN example: DB_USER:DB_PASSWORD@tcp(INSTANCE_ENDPOINT:DB_PORT)/.
    • DB_USER: Database user Alloy uses to connect (for example, db-o11y).
    • DB_PASSWORD: Password for the database user.
    • INSTANCE_ENDPOINT: RDS instance endpoint hostname.
    • DB_PORT: Database port number (default: 3306).

Find more about the options supported by the database_observability.mysql component in the reference documentation.

Add Prometheus and Loki write configuration

Run and configure Alloy with the Grafana Kubernetes Monitoring Helm chart

Extend your values.yaml when you use the k8s-monitoring Helm chart and set databaseObservability.enabled to true within the MySQL integration.

YAML 
integrations:
  collector: alloy-singleton
  mysql:
    instances:
      - name: <DB_NAME>
        jobLabel: integrations/db-o11y
        exporter:
          enabled: true
          collectors:
            perfSchemaEventsStatements:
              enabled: true
          dataSource:
            host: <INSTANCE_ENDPOINT>
            auth:
              usernameKey: <DB_USERNAME_SECRET_KEY>
              passwordKey: <DB_PASSWORD_SECRET_KEY>
        databaseObservability:
          enabled: true
          allowUpdatePerformanceSchemaSettings: true
          extraConfig: |
            cloud_provider {
              aws {
                arn = "<AWS_RDS_INSTANCE_ARN>"
              }
            }
        secret:
          create: false
          name: <DB_NAME>
          namespace: mysql
        logs:
          enabled: true
          labelSelectors:
            app.kubernetes.io/instance: <DB_NAME>

Replace the placeholders:

  • DB_NAME: Database name Alloy uses in component identifiers (appears in component names and secrets).
  • INSTANCE_ENDPOINT: RDS instance endpoint hostname.
  • DB_USERNAME_SECRET_KEY: Kubernetes secret key containing database user.
  • DB_PASSWORD_SECRET_KEY: Kubernetes secret key containing database password.
  • AWS_RDS_INSTANCE_ARN: AWS RDS instance ARN for cloud provider integration.

To see the full set of values, check out the k8s-monitoring Helm chart documentation or the example configuration.

Optional: Configure AWS Secrets Manager and Kubernetes

If you use AWS Secrets Manager with External Secrets Operator to manage database credentials, configure them as follows.

Secret path convention

Store monitoring credentials in AWS Secrets Manager at a path following this convention:

/kubernetes/rds/<INSTANCE_NAME>/monitoring

MySQL secret format

Store the secret as JSON with the following format:

JSON 
{
  "username": "db-o11y",
  "password": "<DB_O11Y_PASSWORD>",
  "engine": "mysql",
  "host": "<INSTANCE_ENDPOINT>.rds.amazonaws.com",
  "port": 3306,
  "dbInstanceIdentifier": "<INSTANCE_NAME>"
}

Replace the placeholders:

  • DB_O11Y_PASSWORD: Password for the db-o11y MySQL user.
  • INSTANCE_ENDPOINT: RDS instance endpoint hostname.
  • INSTANCE_NAME: RDS instance name.

Create the secret via AWS CLI

Bash 
aws secretsmanager create-secret \
  --name "/kubernetes/rds/<INSTANCE_NAME>/monitoring" \
  --description "Alloy monitoring credentials for RDS MySQL instance" \
  --secret-string '{"username":"db-o11y","password":"<DB_O11Y_PASSWORD>","engine":"mysql","host":"<INSTANCE_ENDPOINT>.rds.amazonaws.com","port":3306,"dbInstanceIdentifier":"<INSTANCE_NAME>"}'

Kubernetes External Secrets configuration

Use the External Secrets Operator to sync the AWS secret into Kubernetes:

YAML 
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: <INSTANCE_NAME>-db-monitoring-secretstore
spec:
  provider:
    aws:
      service: SecretsManager
      region: <AWS_REGION>
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: <INSTANCE_NAME>-db-monitoring-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: <INSTANCE_NAME>-db-monitoring-secretstore
  dataFrom:
    - extract:
        conversionStrategy: Default
        decodingStrategy: None
        key: /kubernetes/rds/<INSTANCE_NAME>/monitoring
        metadataPolicy: None
        version: AWSCURRENT

Replace the placeholders:

  • INSTANCE_NAME: RDS instance name.
  • AWS_REGION: AWS region where the secret is stored.

Next steps