
CloudWatch RUM + X-Ray


I have CloudWatch RUM configured and working but now I want to configure X-Ray trace headers.

I have configured the CloudWatch RUM Web Client with the below options:

        telemetries: [
            'errors',
            'performance',
            ['http', { addXRayTraceIdHeader: true, recordAllRequests: true }]
        ],
        allowCookies: true,
        enableXRay: true

This should provide X-Ray headers for all requests so I can test that it's working, however I get no results displayed in X-Ray or the ServiceLens.

In the browser I'm not seeing any CORS errors and it appears all the amazon headers have been appended and sent successfully.

The documentation speaks of possible issues "Configuring the CloudWatch RUM web client to add an X-Ray trace header to HTTP requests can cause cross-origin resource sharing (CORS) to fail or invalidate the request's signature if the request is signed with Signature Version 4 (SigV4)."

If that is the case I'd expect to see failures in the developer console but I'm not seeing anything.

I'm at a loss as to what is wrong, any suggestions?

EDIT: Checking the headers again I can see X-Amzn-Trace-Id is not listed, the headers look like this. For some reason X-Amzn-Trace-Id isn't an allowed header.

    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: authorization,content-type,x-amz-content-sha256,x-amz-date,x-amz-security-token
    Access-Control-Allow-Methods: POST
    Access-Control-Expose-Headers: x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date
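
The check described in the EDIT above, as an added example that is not part of the original post: given a preflight response's headers, it lists the request headers that `Access-Control-Allow-Headers` does not permit. The function names and the list of sent headers are assumptions constructed for illustration; the preflight values are the ones quoted in the question.

```javascript
// Added example (not from the original post): list the request headers that a
// CORS preflight response does not allow.

// Names that never need listing. Content-Type is left out on purpose: it is
// safelisted only for three form MIME types, so requiring it is conservative.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);

// Parse Access-Control-Allow-Headers into a Set of lower-cased names.
function parseAllowHeaders(value) {
  return new Set(
    (value || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
}

// requestHeaders: header names the call will send.
// preflight: response headers of the OPTIONS preflight (keys in any case).
// withCredentials: true when the request carries cookies or other credentials.
function headersBlockedByPreflight(requestHeaders, preflight, withCredentials = false) {
  const lower = Object.fromEntries(
    Object.entries(preflight).map(([k, v]) => [k.toLowerCase(), v])
  );
  const allowed = parseAllowHeaders(lower['access-control-allow-headers']);
  // "*" is a wildcard only without credentials and never covers Authorization.
  const wildcard = allowed.has('*') && !withCredentials;
  return requestHeaders
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h))
    .filter((h) => !allowed.has(h) && !(wildcard && h !== 'authorization'));
}

// Constructed sample: the preflight response quoted in the question, and the
// headers a SigV4-signed request carries once RUM adds the trace header.
const preflightFromQuestion = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Headers':
    'authorization,content-type,x-amz-content-sha256,x-amz-date,x-amz-security-token',
  'Access-Control-Allow-Methods': 'POST',
};
const sentHeaders = [
  'Authorization', 'Content-Type', 'X-Amz-Date', 'X-Amz-Security-Token',
  'X-Amz-Content-Sha256', 'X-Amzn-Trace-Id',
];

console.log(headersBlockedByPreflight(sentHeaders, preflightFromQuestion));
```
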


Solution

  • I have RUM set up in the front end with a config like so:

    const config: AwsRumConfig = {
      allowCookies: true,
      enableXRay: true,
      guestRoleArn: awsRumGuestRoleArn,
      identityPoolId: awsRumIdentityPoolId,
      sessionSampleRate: sessionSampleRate,
      telemetries: [
        'errors',
        ['performance', { recordAllTypes: ['document', 'script', 'other'] }],
        ['http', {
          recordAllRequests: true,
          addXRayTraceIdHeader: true,
          urlsToExclude: [
            new RegExp('https://dataplane.rum.us-west-2.amazonaws.com/.+')
          ]
        }]
      ],
      eventPluginsToLoad: []
    };
    

    ^ This excludes the HTTP requests sent to the RUM dataplane for the traces themselves.

    You might need to include the guest role ARN and other info. This successfully sends traces to my X-Ray console. The role you use for your guest role should have these perms:

    {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "rum:PutRumEvents",
            "Resource": "arn:aws:rum:${REGION}:${ACCOUNT_ID}:appmonitor/${MONITOR_NAME}"
          }
        ]
    }
    

    And these assume role permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
          },
          "Action": [
            "sts:AssumeRoleWithWebIdentity",
            "sts:TagSession"
          ],
          "Condition": {
            "StringEquals": {
              "cognito-identity.amazonaws.com:aud": "${APP_MONITOR_APPLICATION_ID}"
            },
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "unauthenticated"
            }
          }
        }
      ]
    }
    

    Good luck.

    edit: Note, I had to add:

    "cognito-identity.amazonaws.com:amr": "authenticated"
    

    in addition to "unauthenticated" to the IAM assume role policy once I added Pinpoint, which uses AWS Amplify to log in. It seems that Pinpoint uses authenticated credentials to send events to the backend.