From bf9f94eb9da63bee4168b7d4f3c72862c4797ad0 Mon Sep 17 00:00:00 2001
From: Adam Johnson <me@adamj.eu>
Date: Fri, 13 Oct 2017 19:04:40 +0100
Subject: [PATCH] Fix cloudwatch output requires unneeded permissions (#3335)

---
 plugins/outputs/cloudwatch/README.md     |  2 ++
 plugins/outputs/cloudwatch/cloudwatch.go | 16 ++++++++--------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/plugins/outputs/cloudwatch/README.md b/plugins/outputs/cloudwatch/README.md
index 5544b25c..c44ac4ea 100644
--- a/plugins/outputs/cloudwatch/README.md
+++ b/plugins/outputs/cloudwatch/README.md
@@ -13,6 +13,8 @@ API endpoint. In the following order the plugin will attempt to authenticate.
 5. [Shared Credentials](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#shared-credentials-file)
 6. [EC2 Instance Profile](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
 
+The IAM user needs only the `cloudwatch:PutMetricData` permission.
+
 ## Config
 
 For this output plugin to function correctly the following variables
diff --git a/plugins/outputs/cloudwatch/cloudwatch.go b/plugins/outputs/cloudwatch/cloudwatch.go
index a04e86cd..b14953db 100644
--- a/plugins/outputs/cloudwatch/cloudwatch.go
+++ b/plugins/outputs/cloudwatch/cloudwatch.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/cloudwatch"
+	"github.com/aws/aws-sdk-go/service/sts"
 
 	"github.com/influxdata/telegraf"
 	internalaws "github.com/influxdata/telegraf/internal/config/aws"
@@ -71,21 +72,20 @@ func (c *CloudWatch) Connect() error {
 	}
 	configProvider := credentialConfig.Credentials()
 
-	svc := cloudwatch.New(configProvider)
+	stsService := sts.New(configProvider)
 
-	params := &cloudwatch.ListMetricsInput{
-		Namespace: aws.String(c.Namespace),
-	}
+	params := &sts.GetSessionTokenInput{}
 
-	_, err := svc.ListMetrics(params) // Try a read-only call to test connection.
+	_, err := stsService.GetSessionToken(params)
 
 	if err != nil {
-		log.Printf("E! cloudwatch: Error in ListMetrics API call : %+v \n", err.Error())
+		log.Printf("E! cloudwatch: Cannot use credentials to connect to AWS : %+v \n", err.Error())
+		return err
 	}
 
-	c.svc = svc
+	c.svc = cloudwatch.New(configProvider)
 
-	return err
+	return nil
 }
 
 func (c *CloudWatch) Close() error {
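Review bot: The probe `_, err := stsService.GetSessionToken(params)` is only valid for long-term IAM user (or root) credentials — per the STS documentation it is rejected when the caller already holds temporary credentials, which is what the EC2 instance profile and assumed-role paths listed in the README provide, so with this change Connect returns an error and the output never starts in those deployments. GetSessionToken also mints a fresh set of session credentials that the code discards, which is more than a connectivity check should do. A probe that any credential type can make and that needs no IAM permission is GetCallerIdentity: `params := &sts.GetCallerIdentityInput{}` and `_, err := stsService.GetCallerIdentity(params)`, which also keeps the README's "only cloudwatch:PutMetricData" statement accurate. Minor: `log.Printf` already appends a newline and `%+v` adds nothing over `%v` for a string, so `log.Printf("E! cloudwatch: Cannot use credentials to connect to AWS: %v", err)` reads cleaner. Connect's body begins outside the hunk.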
-- 
GitLab