Troubleshoot the AWS account prerequisites
Use this information to troubleshoot issues relating to the AWS single and multiple account prerequisites.
[ERROR]:"Missing the SplunkDMReadOnly role or incorrect trust relationship. Ask your AWS admin to prepare the prerequisites that you need for the next steps."
A data input cannot be created because the SplunkDMReadOnly
IAM role for single accounts is missing.
Cause
Data Manager uses the SplunkDMReadOnly
IAM role to ingest data from your AWS deployment. If the SplunkDMReadOnly
role does not exist on your AWS account, then the Prerequisite step of Data Manager will fail.
Solution
- Log into the AWS account that you are trying to onboard.
- Navigate to IAM > Roles and check if the AWS account has the
SplunkDMReadOnly
role. - If the AWS account does not have the
SplunkDMReadOnly
role, follow the steps in the AWS documentation to create theSplunkDMReadOnly
role with the correct policy and trust relationship. - If the
SplunkDMReadOnly
role is present, check if there is a role policy attached or of there is an inline role policy .- If a role policy does not exist, create a new role policy by following the steps in the Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager.
- If a role policy is attached to the role, or if you have an inline role policy, make sure the role policy has the same permissions listed on the Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager.
- If the permissions are same as the ones listed on the Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager, make sure the trust relationship is same as well.
- If the
SplunkDMReadOnly
exists and has the correct policy and trust relationship in your AWS account and you still see errors, something may have changed on the IAM role attached to the Splunk instance. Contact Splunk Support.
[ERROR]:The prerequisite roles do not exist in the following highlighted accounts. Ask your AWS admin to prepare the policies and onboarding roles that you need for the next steps.
When trying to onboard multiple AWS accounts, an error is shown indicating that the prerequisite roles do not exist.
The Control account in a multi account AWS setup is the AWS account where you run all the AWS CloudFormation templates.
The Data account in a multi account AWS setup is the AWS account that Data Manager ingests data from.
Cause
A data input cannot be created because the AWSCloudFormationStackSetAdministrationRole
role is missing.
Solution
- Verify the
AWSCloudFormationStackSetAdministrationRole
IAM role configuration in the AWS control account.- Login to the AWS control account and make sure the
AWSCloudFormationStackSetAdministrationRole
exists. - If the
AWSCloudFormationStackSetAdministrationRole
does not exist, navigate to IAM > Roles > Create Role and click on policies and onboarding roles to create the role. - If the
AWSCloudFormationStackSetAdministrationRole
already exists, make sure there is a role policy attached to it or if an inline policy exists. - If the policy does not exist, create the policy.
- Click Attach policies.
- Navigate to the Prerequisites data onboarding page and click policies and onboarding roles.
- Copy the role policy permissions and create the role policy.
- If a policy is attached to the role, make sure the permissions are same as listed in the "policies and onboarding roles".
- Login to the AWS control account and make sure the
- Verify the
AWSCloudFormationStackSetExecutionRole
IAM role configuration in data account.- Login to the data account(s) and make sure the
AWSCloudFormationStackSetExecutionRole
exists in the data accounts that you trying to onboard. - If the
AWSCloudFormationStackSetExecutionRole
does not exist in the data account, navigate to IAM > roles > Create Role and click on "policies and onboarding roles" on the Prerequisites page to create the role. - If the
AWSCloudFormationStackSetAdministrationRole
already exists in the data accounts, make sure there is a role policy attached to the role. - If the policy does not exist, create the policy.
- Click on Attach policies.
- Navigate to the Prerequisites data onboarding page and click policies and onboarding roles.
- Copy the role policy permissions and create the role policy.
- If a policy is attached to the role, make sure the permissions are same as listed on the "policies and onboarding roles" link on the Prerequisites page.
- Login to the data account(s) and make sure the
- Verify the
SplunkDMReadOnly
IAM role configuration in the control account and data accounts.- Log into the AWS account that you are trying to onboard.
- Navigate to IAM > Roles and check if the AWS account has the
SplunkDMReadOnly
role. - If the AWS account does not have the
SplunkDMReadOnly
role, follow the steps in the AWS documentation to create theSplunkDMReadOnly
role with the correct policy and trust relationship. - If the
SplunkDMReadOnly
role is present, check if there is a role policy attached or of there is an inline role policy .- If a role policy does not exist, create a new role policy by following the steps in the Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager.
- If a role policy is attached to the role, or if you have an inline role policy, make sure the role policy has the same permissions listed on the Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager.
- If the permissions are same as the ones listed on the Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager, make sure the trust relationship is same as well.
- If the configuration is correct and you are still seeing this error message, Contact Splunk Support.
Authorization errors
Authorization errors are shown while configuring the AWS prerequisites.
Cause
The Splunk software is not able to assume a role to one of your AWS accounts.
Solution
- Verify that the
SplunkDMReadOnly
IAM role has changed on the AWS account shown in the error message.- Navigate to
on resource: aen:aws:iam::<Your AWS Account ID>:role/SplunkDMReadOnly
to find the AWS account ID . - Start creating a new AWS input and check the Prerequisites instructions page. Verify that the
SplunkDMReadOnly
role exists and the role policy and trust relationship is correct. Cancel creating the new AWS input.
- Navigate to
- If the
SplunkDMReadOnly
exists, and has the correct policy and trust relationship in your AWS account, something has changed on the IAM role attached to the Splunk Cloud Platform instance. Contact Splunk Support.
Prerequisites for troubleshooting AWS data ingestion | Troubleshoot the AWS CloudFormation Template deployment |
This documentation applies to the following versions of Data Manager: 1.6.1
Feedback submitted, thanks!