Configure Kloudfuse for AWS Enrichment
AWS enrichment attaches resource metadata — such as instance type, availability zone, environment tags, and custom resource tags — to metrics and logs ingested from CloudWatch and Lambda. Without enrichment, signals only carry the default dimensions provided by AWS. With enrichment enabled, every metric and log record also carries any tag applied to the underlying resource in AWS.
This page covers the one-time Kloudfuse configuration shared across the CloudWatch Metrics, CloudWatch Logs, and Lambda integrations. Complete these steps after setting up the AWS-side resources (Kinesis Firehose streams, IAM policies) described in the individual integration pages.
Step 1: Configure AWS Credentials
The Kloudfuse enrichment scraper needs read access to AWS resource metadata APIs. Choose one authentication method.
Option A — Access Key Authentication
Create a Kubernetes secret in the kfuse namespace containing the AWS access key and secret:
kubectl create secret generic aws-access-key \
  -n kfuse \
  --from-literal=accessKey=<AWS_ACCESS_KEY_ID> \
  --from-literal=secretKey=<AWS_SECRET_ACCESS_KEY>
The secret name (aws-access-key) is referenced in the Helm values in the next step.
Option B — IAM Role ARN (Recommended for Multi-Account)
If you prefer role-based authentication — for example, when scraping resources across multiple AWS accounts — no Kubernetes secret is required. Instead, reference the role ARN directly in the Helm values. The IAM role must have a trust relationship that allows the Kloudfuse ingester pod to assume it (via IRSA or a cross-account trust policy).
When using role-based authentication, disable secret mounting so the chart does not attempt to mount a non-existent secret:
ingester:
  config:
    awsScraper:
      useSecret: false
Step 2: Enable Enrichment in Helm Values
Add the following to your custom-values.yaml and run a Helm upgrade (see Step 3).
Option A — Access Key
global:
  enrichmentEnabled:
    - aws
ingester:
  config:
    awsScraper:
      secretName: aws-access-key # must match the secret created in Step 1
      namespaces: # see Namespaces section below — required
        - AWS/EC2
        - AWS/RDS
      regions: # required — list the regions you want to scrape
        - us-west-2
Option B — IAM Role ARN
global:
  enrichmentEnabled:
    - aws
ingester:
  config:
    awsRoleArns:
      - role: arn:aws:iam::<account-id>:role/KloudfuseEnrichmentRole
        namespaces: # see Namespaces section below — required
          - AWS/EC2
          - AWS/RDS
        regions: # required — list the regions you want to scrape
          - us-west-2
To scrape resources across multiple accounts, add one entry per role:
ingester:
  config:
    awsRoleArns:
      - role: arn:aws:iam::<account-1-id>:role/KloudfuseEnrichmentRole
        namespaces:
          - AWS/EC2
        regions:
          - us-west-2
      - role: arn:aws:iam::<account-2-id>:role/KloudfuseEnrichmentRole
        namespaces:
          - AWS/RDS
        regions:
          - us-east-1
Step 3: Apply the Helm Upgrade
helm upgrade --install kfuse oci://us-east1-docker.pkg.dev/mvp-demo-301906/kfuse-helm/kfuse \
  -n kfuse \
  --version <VERSION> \
  -f custom-values.yaml
Replace <VERSION> with a valid Kloudfuse release value; use the most recent one.
Namespaces
AWS namespaces are not scraped by default — you must explicitly list the namespaces you want the enrichment scraper to fetch metadata for.
Set the namespaces field under awsScraper or on each role entry under awsRoleArns.
If namespaces is omitted entirely, the scraper fetches metadata for all supported namespaces, which increases AWS API call volume and cost.
ingester:
  config:
    awsScraper:
      secretName: aws-access-key
      namespaces:
        - AWS/EC2
        - AWS/RDS
        - AWS/Lambda
        - AWS/ECS
        - AWS/DynamoDB
        - AWS/ElastiCache
        - AWS/ApplicationELB
        - AWS/S3
Match the namespaces list to the namespaces you have included in your CloudWatch Metrics Stream to avoid fetching metadata for services you are not monitoring.
See AWS Supported Services for the full list of supported namespaces.
Regions
Region scope can be controlled at two levels.
Global Default Regions
ingester.config.awsRegions defines the set of regions the scraper considers when no per-scraper regions list is provided.
Starting in Release 4.2.0, this list defaults to empty — you must opt in by explicitly listing the regions you want to scrape.
Kloudfuse supports 18 regions:
| Americas | Europe | Asia Pacific & Middle East |
|---|---|---|
Set the global region list — for example, when your entire infrastructure runs in two regions — under awsRegions in your custom-values.yaml:
ingester:
  config:
    awsRegions:
      - us-west-2
      - us-east-1
Per-Scraper Region Filtering
The regions field on each awsScraper or awsRoleArns entry further restricts scraping to a subset of the global region list.
Use this when different credentials or roles cover different subsets of regions:
ingester:
  config:
    awsRoleArns:
      - role: arn:aws:iam::<account-1-id>:role/KloudfuseEnrichmentRole
        namespaces:
          - AWS/EC2
        regions:
          - us-west-2 # only scrape this role in us-west-2
      - role: arn:aws:iam::<account-2-id>:role/KloudfuseEnrichmentRole
        namespaces:
          - AWS/RDS
        regions:
          - us-east-1 # only scrape this role in us-east-1
If regions is omitted on an entry, the global awsRegions list applies.
Because awsRegions now defaults to empty, you must set regions at one level or the other — if both are empty, the entry scrapes no regions.
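As an added example (not Kloudfuse code), the check below applies the fallback rules from the Namespaces and Regions sections to an already-parsed custom-values.yaml and reports entries that would scrape nothing or would fetch every supported namespace. The names lint_scope and scraper_entries, the sample values and the account IDs are constructed for illustration; it assumes the access-key scraper is active unless useSecret is false.

```python
# Added example, not Kloudfuse code. Sample values are constructed; account IDs are placeholders.
SAMPLE_VALUES = {
    "global": {"enrichmentEnabled": ["aws"]},
    "ingester": {"config": {
        "awsRegions": [],  # the default since Release 4.2.0
        "awsRoleArns": [
            {"role": "arn:aws:iam::111111111111:role/KloudfuseEnrichmentRole",
             "namespaces": ["AWS/EC2"], "regions": ["us-west-2"]},
            {"role": "arn:aws:iam::222222222222:role/KloudfuseEnrichmentRole",
             "namespaces": ["AWS/RDS"]},  # no regions at either level
            {"role": "arn:aws:iam::333333333333:role/KloudfuseEnrichmentRole",
             "regions": ["us-east-1"]},  # namespaces omitted
        ],
    }},
}


def scraper_entries(cfg):
    """Yield (label, entry) for awsScraper and for each awsRoleArns item."""
    scraper = cfg.get("awsScraper") or {}
    # Assumption: the access-key scraper is active unless useSecret is false.
    if scraper and scraper.get("useSecret", True):
        yield "awsScraper", scraper
    for item in cfg.get("awsRoleArns") or []:
        yield item.get("role", "<role missing>"), item


def lint_scope(values):
    """Return {label: {"regions": [...], "findings": [...]}} per scraper entry."""
    cfg = (values.get("ingester") or {}).get("config") or {}
    enabled = (values.get("global") or {}).get("enrichmentEnabled") or []
    global_regions = cfg.get("awsRegions") or []
    report = {}
    for label, entry in scraper_entries(cfg):
        findings = []
        if "aws" not in enabled:
            findings.append("global.enrichmentEnabled does not list aws")
        # Entry-level regions apply; otherwise the global awsRegions list does.
        regions = entry.get("regions") or global_regions
        if not regions:
            findings.append("no regions at either level: nothing is scraped")
        if not entry.get("namespaces"):
            findings.append("namespaces omitted: all supported namespaces fetched")
        report[label] = {"regions": list(regions), "findings": findings}
    return report


if __name__ == "__main__":
    print(lint_scope(SAMPLE_VALUES))
```

To run it against a real file, load custom-values.yaml with a YAML parser first and pass the resulting dictionary to lint_scope.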
Scrape Intervals
The enrichment scraper runs on two separate intervals, both configurable:
| Setting | Default | Description |
|---|---|---|
| awsScrapeIntervalMinutes | 30 | How often resource metadata (tags, instance attributes) is refreshed from AWS APIs |
| awsScrapeMetricsIntervalMinutes | | How often metric-level enrichment data is updated |
To override the defaults:
ingester:
  config:
    awsScrapeIntervalMinutes: 15
    awsScrapeMetricsIntervalMinutes: 5
Reducing awsScrapeIntervalMinutes increases AWS API call frequency.
The default of 30 minutes is appropriate for most deployments.
FIPS Endpoints
If your organisation requires FIPS 140-2 compliant communication with AWS APIs, enable FIPS endpoint mode.
When enabled, the ingester sets AWS_USE_FIPS_ENDPOINT=true, which causes the AWS SDK to use FIPS-validated endpoints for all API calls.
global:
  fips:
    enabled: true
FIPS endpoints are not available in all AWS regions. Verify that the regions you are scraping support FIPS endpoints before enabling this setting.