--- title: Integrate Amazon CloudWatch with Tiger Cloud | Tiger Data Docs description: Export telemetry data to monitor and analyze your service performance and health --- [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) is a monitoring and observability service designed to help collect, analyze, and act on data from applications, infrastructure, and services running in AWS and on-premises environments. You can export telemetry data from your Tiger Cloud services with the time-series and analytics capability enabled to CloudWatch. See [Exported metrics](/docs/integrate/observability-alerting/exported-metrics/index.md) for the full list of default and additional metrics you can export. This pages explains how to export telemetry data from your Tiger Cloud service into CloudWatch by creating a Tiger Cloud data exporter, then attaching it to the service. This integration is available for [Scale and Enterprise](/docs/deploy/tiger-cloud/tiger-cloud-aws/pricing-and-account-management#features-included-in-each-pricing-plan/index.md) pricing tiers. ## Prerequisites To follow the steps on this page: - Create a target [Tiger Cloud service](/docs/get-started/quickstart/create-service/index.md) with the Real-time analytics capability. You need your [connection details](/docs/integrate/find-connection-details/index.md). * Sign up for [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/GettingSetup.html). Note This feature is currently not supported for Tiger Cloud on Microsoft Azure. ## Create a data exporter A Tiger Cloud data exporter sends telemetry data from a Tiger Cloud service to a third-party monitoring tool. You create an exporter on the [project level](/docs/deploy/tiger-cloud/tiger-cloud-aws/security/members/index.md), in the same AWS region as your service: 1. **In Tiger Console, open Exporters** 2. **Click `New exporter`** 3. **Select the data type and specify `AWS CloudWatch` for provider** ![Adding a CloudWatch data exporter in Tiger Console](/docs/_astro/tiger-cloud-integrations-cloudwatch.19Hs9eva_ezt85.webp) 4. **Provide your AWS CloudWatch configuration** - The AWS region must be the same for your Tiger Cloud exporter and AWS CloudWatch Log group. - The exporter name appears in Tiger Console, best practice is to make this name easily understandable. - For CloudWatch credentials, either use an [existing CloudWatch Log group](https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups) or [create a new one](https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups/create-log-group). If you’re uncertain, use the default values. For more information, see [Working with log groups and log streams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html). 5. **Choose the authentication method to use for the exporter** ![Configuring CloudWatch authentication in Tiger Console](/docs/_astro/tiger-cloud-integrations-cloudwatch-authentication.CBcUOfmq_1jCxT0.webp) - [IAM role](#tab-panel-628) - [CloudWatch credentials](#tab-panel-629) 1. **In AWS, navigate to IAM > Identity providers, then click `Add provider`.** 2. **Update the new identity provider with your details:** Set `Provider URL` to the [region where you are creating your exporter](/docs/integrate/observability-alerting/cloudwatch#reference/index.md). ![Creating an IAM OIDC identity provider in AWS](/docs/_astro/aws-create-iam-oicd-provider.BYYttbs9_Z4Cydc.webp) 3. **Click `Add provider`.** 4. **In AWS, navigate to IAM > Roles, then click `Create role`.** 5. **Add your identity provider as a Web identity role and click `Next`.** ![Creating a web identity IAM role in AWS](/docs/_astro/aws-create-role-web-identity.DnPD1ceR_Z1YqV2X.webp) 6. **Set the following permission and trust policies:** - Permission policy: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:DescribeLogGroups", "logs:PutRetentionPolicy", "xray:PutTraceSegments", "xray:PutTelemetryRecords", "xray:GetSamplingRules", "xray:GetSamplingTargets", "xray:GetSamplingStatisticSummaries", "ssm:GetParameters" ], "Resource": "*" } ] } ``` - Role with a Trust Policy: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::12345678910:oidc-provider/irsa-oidc-discovery-prod.s3.us-east-1.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "irsa-oidc-discovery-prod.s3.us-east-1.amazonaws.com:aud": "sts.amazonaws.com" } } }, { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::12345678910:role/my-exporter-role" }, "Action": "sts:AssumeRole" } ] } ``` 1. Click `Add role`. When you use CloudWatch credentials, you link an Identity and Access Management (IAM) user with access to CloudWatch only with your Tiger Cloud service: 1. **Retrieve the user information from IAM > Users in AWS console.** If you do not have an AWS user with access restricted to CloudWatch only, [create one](https://console.aws.amazon.com/iam/home#/users/create). For more information, see [Creating IAM users (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console). 2. **Enter the credentials for the AWS IAM user.** AWS keys give access to your AWS services. To keep your AWS account secure, restrict users to the minimum required permissions. Always store your keys in a safe location. To avoid this issue, use the IAM role authentication method. 6. **Select the AWS Region your CloudWatch services run in** 7. **Optionally tick `PostgreSQL metrics` to export additional metrics, then click `Create exporter`** See [Exported metrics](/docs/integrate/observability-alerting/exported-metrics#postgresql-metrics/index.md) for the full list. ## Manage a data exporter This section shows you how to attach, edit, and delete a data exporter. ### Attach a data exporter to a Tiger Cloud service To send telemetry data to an external monitoring tool, you attach a data exporter to your Tiger Cloud service. You can attach only one exporter to a service. To attach an exporter: 1. **In Tiger Console, choose the service** 2. **Click `Operations` > `Exporters`** 3. **Select the exporter, then click `Attach exporter`** 4. **If you are attaching a first `Logs` data type exporter, restart the service** You can now monitor your service metrics. ### Edit a data exporter To update a data exporter: 1. **In Tiger Console, open Exporters** 2. **Next to the exporter you want to edit, click the menu > `Edit`** 3. **Edit the exporter fields and save your changes** ### Delete a data exporter To remove a data exporter that you no longer need: 1. **Disconnect the data exporter from your Tiger Cloud service** 1. In [Tiger Console](https://console.cloud.tigerdata.com/dashboard/services), choose the service. 2. Click `Operations` > `Exporters`. 3. Click the trash can icon next to the exporter. 4. Repeat for every service attached to the exporter you want to remove. The data exporter is now unattached from all services. However, it still exists in your project. 2. **Delete the exporter on the project level** 1. In Tiger Console, open [Exporters](https://console.cloud.tigerdata.com/dashboard/integrations) 2. Next to the exporter you want to edit, click menu > `Delete` 3. Confirm that you want to delete the data exporter. ## Reference When you create the IAM OIDC provider, the URL must match the region you create the exporter in. It must be one of the following: | Region | Zone | Location | URL | | ---------------- | ------------- | -------------- | ------------------------------------------------------------------------- | | `ap-southeast-1` | Asia Pacific | Singapore | `irsa-oidc-discovery-prod-ap-southeast-1.s3.ap-southeast-1.amazonaws.com` | | `ap-southeast-2` | Asia Pacific | Sydney | `irsa-oidc-discovery-prod-ap-southeast-2.s3.ap-southeast-2.amazonaws.com` | | `ap-northeast-1` | Asia Pacific | Tokyo | `irsa-oidc-discovery-prod-ap-northeast-1.s3.ap-northeast-1.amazonaws.com` | | `ca-central-1` | Canada | Central | `irsa-oidc-discovery-prod-ca-central-1.s3.ca-central-1.amazonaws.com` | | `eu-central-1` | Europe | Frankfurt | `irsa-oidc-discovery-prod-eu-central-1.s3.eu-central-1.amazonaws.com` | | `eu-west-1` | Europe | Ireland | `irsa-oidc-discovery-prod-eu-west-1.s3.eu-west-1.amazonaws.com` | | `eu-west-2` | Europe | London | `irsa-oidc-discovery-prod-eu-west-2.s3.eu-west-2.amazonaws.com` | | `sa-east-1` | South America | São Paulo | `irsa-oidc-discovery-prod-sa-east-1.s3.sa-east-1.amazonaws.com` | | `us-east-1` | United States | North Virginia | `irsa-oidc-discovery-prod.s3.us-east-1.amazonaws.com` | | `us-east-2` | United States | Ohio | `irsa-oidc-discovery-prod-us-east-2.s3.us-east-2.amazonaws.com` | | `us-west-2` | United States | Oregon | `irsa-oidc-discovery-prod-us-west-2.s3.us-west-2.amazonaws.com` |