Error: Datadog is not authorized to perform sts:AssumeRole
This error usually indicates a problem with the trust policy attached to the Datadog integration role. Most of the time it is caused by a misconfiguration in the role delegation process.
Check the following points for the AWS account mentioned in the error:
When creating an IAM role, ensure that you enter the exact IAM role name in the Datadog AWS integration page. Extra spaces or characters on either the AWS or the Datadog side cause the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is DatadogIntegrationRole.
Ensure Datadog's account ID 464622532012 is entered under Another AWS account. Entering any other account ID causes the integration to fail. Also ensure Required MFA is unchecked.
Generate a new AWS External ID under Account Details in the Datadog AWS Integration page and click Save.
Add the newly generated AWS External ID to your AWS trust policy.
Note that the error may persist in the UI for a few hours while the changes propagate.
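As an added example (not code from the Datadog page or from the integration itself), the following Python script runs the checks listed above against a role's trust policy, that is, the AssumeRolePolicyDocument returned by `aws iam get-role`: the role name has no stray whitespace, an Allow statement grants sts:AssumeRole to Datadog's account 464622532012, that statement carries the sts:ExternalId condition matching the value shown in Datadog, and no MFA condition is present. The sample policies, the External ID value and the 123456789012 account ID are constructed placeholders.

```python
import json

# Datadog's AWS account ID, as given on the integration page.
DATADOG_ACCOUNT_ID = "464622532012"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_external_id, role_name="DatadogIntegrationRole"):
    """Return a list of findings for a role's trust policy (AssumeRolePolicyDocument).

    An empty list means the policy passes the checks from the troubleshooting
    steps: no stray whitespace in the role name, an Allow statement granting
    sts:AssumeRole to Datadog's account, that statement requiring the External
    ID shown in Datadog, and no MFA requirement on it.
    """
    findings = []
    if role_name != role_name.strip():
        findings.append(f"role name {role_name!r} has leading or trailing whitespace")

    datadog_statements = []
    other_principals = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        # Principal may be {"AWS": ...} or the literal "*"; only AWS principals matter here.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        # Accept both "arn:aws:iam::464622532012:root" and the bare account ID form.
        if any(DATADOG_ACCOUNT_ID in p for p in aws_principals):
            datadog_statements.append(stmt)
        else:
            other_principals.extend(aws_principals)

    if not datadog_statements:
        findings.append(
            f"no Allow statement grants sts:AssumeRole to Datadog's account {DATADOG_ACCOUNT_ID}"
            + (f" (found principals: {other_principals})" if other_principals else "")
        )
        return findings

    for stmt in datadog_statements:
        cond = stmt.get("Condition", {})
        ext_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("no sts:ExternalId condition; add the External ID from the Datadog integration page")
        elif ext_id != expected_external_id:
            findings.append(f"sts:ExternalId {ext_id!r} does not match the one shown in Datadog")
        # The console's Require MFA checkbox adds this Bool condition, which Datadog cannot satisfy.
        if str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")).lower() == "true":
            findings.append("statement requires MFA (aws:MultiFactorAuthPresent); uncheck Require MFA")
    return findings


# Constructed sample policies. The External ID is a placeholder, not a real value.
EXPECTED_EXTERNAL_ID = "EXAMPLE_EXTERNAL_ID"

GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::464622532012:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE_EXTERNAL_ID"}}
  }]
}""")

# Same trust, but with a stale External ID and Require MFA ticked in the console.
STALE_MFA_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::464622532012:root"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"sts:ExternalId": "OLD_EXTERNAL_ID"},
      "Bool": {"aws:MultiFactorAuthPresent": "true"}
    }
  }]
}""")

# Trusts a different account entirely (123456789012 is a constructed placeholder).
WRONG_ACCOUNT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "sts:AssumeRole"
  }]
}""")

if __name__ == "__main__":
    for name, policy in [("good", GOOD_POLICY), ("stale+mfa", STALE_MFA_POLICY), ("wrong account", WRONG_ACCOUNT_POLICY)]:
        print(name, check_trust_policy(policy, EXPECTED_EXTERNAL_ID) or ["ok"])
```

To run it against a real role, feed `check_trust_policy` the parsed `Role.AssumeRolePolicyDocument` from `aws iam get-role --role-name DatadogIntegrationRole` together with the External ID currently displayed under Account Details; each finding maps to one of the steps above.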
If you see the STS AssumeRole error limited to one or a few regions:
Datadog is not authorized to perform action sts:AssumeRole Account affected:<account_id> Regions affected: us-east-1, eu-west-1
The likely source of the issue is an AWS Service Control Policy that restricts those regions.
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines.
To remove the error in the integration page, you can exclude regions in your AWS integration under the General tab, or use the Update an AWS integration API.
Still need help? Contact Datadog support.