Enable Application Signals on Amazon EC2
For applications running on Amazon EC2 or other instance types,
you install and configure the CloudWatch agent and AWS Distro for OpenTelemetry yourself.
On these architectures enabled with a custom Application Signals setup, Application Signals
doesn't autodiscover the names of your services or the hosts or clusters they run on. You must
specify these names during the custom setup, and the names that you specify are what is displayed
on Application Signals dashboards.
The instructions in this section are for both Java applications and Python applications. The steps have been tested on Amazon EC2 instances, but are also expected to work on other
architectures that support AWS Distro for OpenTelemetry.
Requirements
To get support for Application Signals, you must use the most recent version of both the CloudWatch
agent and the AWS Distro for OpenTelemetry agent.
You must have the AWS CLI installed on the instance. We recommend AWS CLI version 2, but version 1
should also work. For more information about installing the AWS CLI, see
Install or update the latest version of the AWS CLI.
Step 1: Enable Application Signals
in your account
If you haven't enabled Application Signals in this account yet, you must grant Application
Signals the permissions it needs to discover your services. To do so, do the following.
You need to do this only once for your account.
To enable Application Signals for your applications
Open the CloudWatch console at
https://console.aws.amazon.com/cloudwatch/.
In the navigation pane, choose Services.
Choose Start discovering your Services.
Select the check box and choose Start discovering your Services.
When you complete this step for the first time in your account, Application Signals creates the
AWSServiceRoleForCloudWatchApplicationSignals
service-linked role. This role grants
Application Signals the following permissions:
-
xray:GetServiceGraph
-
logs:StartQuery
-
logs:GetQueryResults
-
cloudwatch:GetMetricData
-
cloudwatch:ListMetrics
-
tag:GetResources
For more information about this role, see
Service-linked role permissions for
CloudWatch Application Signals.
Step 2: Download and start the CloudWatch agent
To install the CloudWatch agent as part of enabling Application Signals on an Amazon EC2 instance or on-premises host
Download the latest version of the CloudWatch agent to the instance. If the instance already has the CloudWatch agent
installed, you might need to update it. Only versions of the agent released on November 30, 2023 or later support
CloudWatch Application Signals.
For information about downloading the CloudWatch agent, see
Download
the CloudWatch agent package.
Before you start the CloudWatch agent, configure it to enable Application Signals. The following
example is a CloudWatch agent configuration that enables Application Signals for both metrics
and traces on an EC2 host.
We recommend that you place this file at /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
on Linux systems.
{
"traces": {
"traces_collected": {
"application_signals": {}
}
},
"logs": {
"metrics_collected": {
"application_signals": {}
}
}
}
Attach the CloudWatchAgentServerPolicy
IAM policy to the IAM role of
your Amazon EC2 instance. For permissions for on-premises hosts, see Permissions for on-premises servers.
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
Choose Roles and find the role used by your Amazon EC2 instance. Then choose the
name of that role.
In the Permissions tab, choose Add permissions,
Attach policies.
Find CloudWatchAgentServerPolicy. Use the search box if needed. Then select the check
box for that policy and choose Add permissions.
Start the CloudWatch agent by entering the following commands. Replace agent-config-file-path
with the path to the CloudWatch agent configuration file, such as ./amazon-cloudwatch-agent.json
. You must
include the file:
prefix as shown.
export CONFIG_FILE_PATH=./amazon-cloudwatch-agent.json
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \
-a fetch-config \
-m ec2 -s -c file:agent-config-file-path
Permissions for on-premises servers
For an on-premises host, you will need to provide AWS authorization to your device.
To set up permissions for an on-premises host
Create the IAM user to be used to provide permissions to your on-premises host:
Open the IAM console at
https://console.aws.amazon.com/iam/.
Choose Users, Create User.
In User details, for User name, enter a name for the new IAM user. This is the sign-in name for AWS that will be used to authenticate your host. Then
choose Next
On the Set permissions page, under Permissions options, select Attach policies directly.
From the Permissions policies list, select the CloudWatchAgentServerPolicy policy to add to your user. Then choose Next.
On the Review and create page, ensure that you are satisfied with the user name and that the CloudWatchAgentServerPolicy policy is in the Permissions summary.
Choose Create user
Create and retrieve your AWS access key and secret key:
In the navigation pane in the IAM console, choose Users and then select the user name of the user that you created in the previous step.
On the user's page, choose the Security credentials tab. Then, in the Access keys section, choose Create access key.
For Create access key Step 1, choose Command Line Interface (CLI).
For Create access key Step 2, optionally enter a tag and then choose Next.
For Create access key Step 3, select Download .csv file to save a .csv file with your IAM user's access key and secret access key. You need this information for the next steps.
Choose Done.
Configure your AWS credentials in your on-premises host by entering the following command. Replace ACCESS_KEY_ID
and SECRET_ACCESS_ID
with your newly generated access key and secret access key from the .csv file that you downloaded in the previous step.
$ aws configure
AWS Access Key ID [None]: ACCESS_KEY_ID
AWS Secret Access Key [None]: SECRET_ACCESS_ID
Default region name [None]: MY_REGION
Default output format [None]: json
Step 3: Instrument your application and start it
The next step is to instrument your application for CloudWatch Application Signals.
- Java
-
To instrument your Java applications as part of enabling Application Signals on an Amazon EC2 instance or on-premises host
Download the latest version of the AWS Distro for OpenTelemetry
Java auto-instrumentation agent. You can download the latest version by using
this link. You can view information about all released versions at
aws-otel-java-instrumentation Releases.
To optimize your Application Signals benefits, use environment variables to
provide additional information before you start your application. This information will be displayed
in Application Signals dashboards.
For the OTEL_RESOURCE_ATTRIBUTES
variable, specify the following information as
key-value pairs:
(Optional) service.name
sets the name of the service. This will be displayed as the service
name for your application in Application Signals dashboards. If you don't provide a value for this key, the
default of UnknownService
is used.
(Optional) deployment.environment
sets the environment that the application runs in.
This will be diplayed as the Hosted In environment of your
application in Application Signals dashboards. If you don't specify this, one of the following defaults is used:
If this is an instance that is part of an Auto Scaling group, it is set to ec2:name-of-Auto-Scaling-group
If this is an Amazon EC2 instance that is not part of an Auto Scaling group, it is set to ec2:default
If this is an on-premises host, it is set to generic:default
This environment variable is used only by Application Signals, and is converted into X-Ray trace annotations
and CloudWatch metric dimensions.
For the OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
variable, specify the base endpoint URL where
traces are to be exported to. The CloudWatch agent exposes 4316 as its OTLP port. On Amazon EC2, because applications
communicate with the local CloudWatch agent, you should set this value to
OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://localhost:4316/v1/traces
For the OTEL_AWS_APPLICATION_SIGNALS_EXPORTER_ENDPOINT
variable, specify the base endpoint URL where
metrics are to be exported to. The CloudWatch agent exposes 4316 as its OTLP port. On Amazon EC2, because applications
communicate with the local CloudWatch agent, you should set this value to
OTEL_AWS_APPLICATION_SIGNALS_EXPORTER_ENDPOINT=http://localhost:4316/v1/metrics
For the JAVA_TOOL_OPTIONS
variable, specify the path where the AWS Distro for OpenTelemetry
Java auto-instrumentation agent is stored.
export JAVA_TOOL_OPTIONS=" -javaagent:$AWS_ADOT_JAVA_INSTRUMENTATION_PATH
"
For example:
export AWS_ADOT_JAVA_INSTRUMENTATION_PATH=./aws-opentelemetry-agent.jar
For the OTEL_METRICS_EXPORTER
variable, we recommend that you set the value to
none
. This disables other metrics exporters so that only the
Application Signals exporter is used.
Set OTEL_AWS_APPLICATION_SIGNALS_ENABLED
to true
. This generates
Application Signals metrics from traces.
Start your application with the environment variables listed in the previous step. The following
is an example of a starting script.
The following configuration supports only versions 1.32.2 and later of the AWS Distro for OpenTelemetry auto-instrumentation agent for Java.
JAVA_TOOL_OPTIONS=" -javaagent:$AWS_ADOT_JAVA_INSTRUMENTATION_PATH" \
OTEL_METRICS_EXPORTER=none \
OTEL_LOGS_EXPORT=none \
OTEL_AWS_APPLICATION_SIGNALS_ENABLED=true \
OTEL_AWS_APPLICATION_SIGNALS_EXPORTER_ENDPOINT=http://localhost:4316/v1/metrics \
OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf \
OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://localhost:4316/v1/traces \
OTEL_RESOURCE_ATTRIBUTES=service.name=$YOUR_SVC_NAME
\
java -jar $MY_JAVA_APP.jar
(Optional) To enable trace log correlation, set an additional environment variable aws.log.group.names
to be the log group name for your application log.
Then the traces from your application can be correlated with the relevant log entries from this specific log group. To enable trace log correlation, you also need to change the
logging
configuration in your application. For more information, see Enable trace log correlation.
The following is an example of a starting script that helps enable trace log correlation.
JAVA_TOOL_OPTIONS=" -javaagent:$AWS_ADOT_JAVA_INSTRUMENTATION_PATH" \
OTEL_METRICS_EXPORTER=none \
OTEL_LOGS_EXPORT=none \
OTEL_AWS_APPLICATION_SIGNALS_ENABLED=true \
OTEL_AWS_APPLICATION_SIGNALS_EXPORTER_ENDPOINT=http://localhost:4316/v1/metrics \
OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf \
OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://localhost:4316/v1/traces \
OTEL_RESOURCE_ATTRIBUTES=aws.log.group.names=$YOUR_APPLICATION_LOG_GROUP
,service.name=$YOUR_SVC_NAME
\
java -jar $MY_JAVA_APP.jar
- Python
-
To instrument your Python applications as part of enabling Application Signals on an Amazon EC2 instance
Download the latest version of the AWS Distro for OpenTelemetry
Python auto-instrumentation agent. Install it by running the following command.
pip install aws-opentelemetry-distro
You can view information about all released versions at
AWS Distro for OpenTelemetry Python instrumentation.
To optimize your Application Signals benefits, use environment variables to
provide additional information before you start your application. This information will be displayed
in Application Signals dashboards.
For the OTEL_RESOURCE_ATTRIBUTES
variable, specify the following information as
key-value pairs:
service.name
sets the name of the service. This will be diplayed as the service
name for your application in Application Signals dashboards. If you don't provide a value for this key, the
default of UnknownService
is used.
deployment.environment
sets the environment that the application runs in.
This will be diplayed as the Hosted In environment of your
application in Application Signals dashboards. If you don't specify this, one of the following defaults is used:
If this is an instance that is part of an Auto Scaling group, it is set to ec2:name-of-Auto-Scaling-group
.
If this is an Amazon EC2 instance that is not part of an Auto Scaling group, it is set to ec2:default
If this is an on-premises host, it is set to generic:default
This
attribute key is used only by Application Signals, and is converted into X-Ray trace annotations and
CloudWatch metric dimensions.
For the OTEL_EXPORTER_OTLP_PROTOCOL
variable, specify http/protobuf
to export telemetry
data over HTTP to the CloudWatch agent endpoints listed in the following steps.
For the OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
variable, specify the base endpoint URL where
traces are to be exported to. The CloudWatch agent exposes 4316 as its OTLP port over HTTP. On Amazon EC2, because applications
communicate with the local CloudWatch agent, you should set this value to
OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://localhost:4316/v1/traces
For the OTEL_AWS_APPLICATION_SIGNALS_EXPORTER_ENDPOINT
variable, specify the base endpoint URL where
metrics are to be exported to. The CloudWatch agent exposes 4316 as its OTLP port over HTTP. On Amazon EC2, because applications
communicate with the local CloudWatch agent, you should set this value to
OTEL_AWS_APPLICATION_SIGNALS_EXPORTER_ENDPOINT=http://localhost:4316/v1/metrics
For the OTEL_METRICS_EXPORTER
variable, we recommend that you set the value to
none
. This disables other metrics exporters so that only the
Application Signals exporter is used.
Set the OTEL_AWS_APPLICATION_SIGNALS_ENABLED
variable to true
to have your container start sending X-Ray traces and CloudWatch metrics
to Application Signals.
Start your application with the environment variables discussed in the previous step. The following
is an example of a starting script.
Replace $SVC_NAME
with your application name. This will
be displayed as the name of the application, in Application Signals dashboards.
Replace $PYTHON_APP
with the location and name of your application.
OTEL_METRICS_EXPORTER=none \
OTEL_LOGS_EXPORTER=none \
OTEL_AWS_APPLICATION_SIGNALS_ENABLED=true \
OTEL_PYTHON_DISTRO=aws_distro \
OTEL_PYTHON_CONFIGURATOR=aws_configurator \
OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf \
OTEL_TRACES_SAMPLER=xray \
OTEL_TRACES_SAMPLER_ARG="endpoint=http://localhost:2000" \
OTEL_AWS_APPLICATION_SIGNALS_EXPORTER_ENDPOINT=http://localhost:4316/v1/metrics \
OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://localhost:4316/v1/traces \
OTEL_RESOURCE_ATTRIBUTES=service.name=$SVC_NAME
\
opentelemetry-instrument python $MY_PYTHON_APP.py
Before you enable Application Signals for your Python applications, be aware of the following considerations.
In some containerized applications, a missing PYTHONPATH
environment variable can sometimes
cause the application to fail to start. To resolve this, ensure that you set the PYTHONPATH
environment variable
to the location of your application’s working directory. This is due to a known issue with OpenTelemetry auto-instrumentation.
For more information about this issue, see
Python autoinstrumentation setting of PYTHONPATH is not compliant.
For Django applications, there are additional required configurations, which are outlined
in the
OpenTelemetry Python documentation.
Use the --noreload
flag to prevent automatic reloading.
Set the DJANGO_SETTINGS_MODULE
environment variable to the location of your Django
application’s settings.py
file. This ensures that OpenTelemetry can correctly access and integrate with your Django settings.
(Optional) To enable trace log correlation, set an additional environment variable aws.log.group.names
to be the log group name for your application log.
Then the traces from your application can be correlated with the relevant log entries from this specific log group. To enable trace log correlation, you also need to change the
logging
configuration in your application. For more information, see Enable trace log correlation.
The following is an example of a starting script that helps enable trace log correlation.
OTEL_METRICS_EXPORTER=none \
OTEL_LOGS_EXPORTER=none \
OTEL_AWS_APPLICATION_SIGNALS_ENABLED=true \
OTEL_PYTHON_DISTRO=aws_distro \
OTEL_PYTHON_CONFIGURATOR=aws_configurator \
OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf \
OTEL_TRACES_SAMPLER=xray \
OTEL_TRACES_SAMPLER_ARG="endpoint=http://localhost:2000" \
OTEL_AWS_APPLICATION_SIGNALS_EXPORTER_ENDPOINT=http://localhost:4316/v1/metrics \
OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://localhost:4316/v1/traces \
OTEL_RESOURCE_ATTRIBUTES=aws.log.group.names=$YOUR_APPLICATION_LOG_GROUP
,aws.hostedin.environment=$YOUR_HOST_ENV
,service.name=$YOUR_SVC_NAME
\
java -jar $MY_PYTHON_APP.jar