AWS console is showing performance insights for RDS instance, but AWS CLI is saying it is unauthorized

1

Hi, I am trying to get performance insights through the AWS CLI. When I access the performance insights with my user through the AWS console, it is working fine and all graphs and other data are showing, but once I try with the same user through the CLI, it is showing an Unauthorized exception.

Here is the command which I am trying

aws pi get-resource-metrics \
  --service-type RDS \
  --identifier my-instance-identifer \
  --metric-queries Metric=db.load.avg \
  --start-time "$(date -u +%Y-%m-%dT%T --date '2 minutes ago')" \
  --end-time "$(date -u +%Y-%m-%dT%T)"

Result is: An error occurred (NotAuthorizedException) when calling the GetResourceMetrics operation: The resource my-instance-identifer for service type RDS is not authorized for this account

I also tried to use the AWS PHP SDK for the same purpose but the error is the same

I tried to attach a different policy, AmazonRDSPerformanceInsightsReadOnly, but it is not working

Will appreciate any help. Thanks

EDIT: The account which I am using has AdministratorAccess policy attached

7 Answers
2

For those who come across this in the future: --identifier is NOT DBInstanceIdentifier in this case, it is the DbiResourceId. You can get it from

aws rds describe-db-instances --db-instance-identifier  <DB-Instance-Identifier> --query 'DBInstances[*].DbiResourceId'
rk
answered 9 months ago
  • Thank you, It Worked

  • this is the exact solution that worked for me! thank you :-)
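
The fix from this answer as a reusable shell wrapper (an added example, not code from the thread): it accepts either identifier form and resolves a DB instance name to its DbiResourceId before calling Performance Insights. The function names are hypothetical, and the format check assumes resource IDs look like the db-ABCDEFGHIJKLMNOPQRSTU1VW2X example elsewhere on this page while instance names are lowercase.

```sh
# Print the DbiResourceId for a DB instance name; return 1 if it cannot be resolved.
resolve_dbi_resource_id() {
  local rid
  rid=$(aws rds describe-db-instances \
          --db-instance-identifier "$1" \
          --query 'DBInstances[0].DbiResourceId' \
          --output text) || return 1
  # --output text prints "None" when the query matched nothing.
  [ -n "$rid" ] && [ "$rid" != "None" ] || return 1
  printf '%s\n' "$rid"
}

# Print the value to pass as --identifier.
# Assumption: a resource ID is "db-" followed only by uppercase letters and
# digits; anything else (including a name such as db-prod) is an instance name.
pi_identifier() {
  case "$1" in
    db-*[![:upper:][:digit:]]*) resolve_dbi_resource_id "$1" ;;
    db-?*)                      printf '%s\n' "$1" ;;
    *)                          resolve_dbi_resource_id "$1" ;;
  esac
}

# Fetch db.load.avg for the last N minutes (default 2), as in the question.
# Uses GNU date for the relative start time.
pi_db_load() {
  local id minutes="${2:-2}"
  id=$(pi_identifier "$1") || {
    echo "cannot resolve DbiResourceId for '$1'" >&2
    return 1
  }
  aws pi get-resource-metrics \
    --service-type RDS \
    --identifier "$id" \
    --metric-queries Metric=db.load.avg \
    --start-time "$(date -u +%Y-%m-%dT%H:%M:%SZ --date "$minutes minutes ago")" \
    --end-time "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Usage (hypothetical instance name): pi_db_load my-instance 5
```
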

1

We are having the same issue. The awscli on our local machines is giving "Access denied", while the same user in CloudShell is working as expected.

David
answered 10 months ago
  • Thanks, it looks like in my case it is something else, just tried in CloudShell and same error

1

Just checking: when specifying the identifier, you are specifying the ResourceID of the RDS Instance? e.g. db-ABCDEFGHIJKLMNOPQRSTU1VW2X

EXPERT
answered 10 months ago
  • Yes, it is the DB instance ID which is present under the configuration tab as well

1

As per the AWS documentation for retrieving metrics with the Performance Insights API, we need to use the resource ID for the DB instance which will be in the format of db-ID.

The following example shows how to gather the same data that the AWS Management Console uses to generate the two counter metric charts.

aws pi get-resource-metrics ^
   --service-type RDS ^
   --identifier db-ID ^
   --start-time 2018-10-30T00:00:00Z ^
   --end-time   2018-10-30T01:00:00Z ^
   --period-in-seconds 60 ^
   --metric-queries '[{"Metric": "os.cpuUtilization.user.avg"  },
                      {"Metric": "os.cpuUtilization.idle.avg"}]'

Kindly update the identifier value with the resource ID of the DB instance. It will be available in the configuration section of the RDS instance.

AWS
answered 10 months ago
  • Thanks but same issue

0

If you are running the CLI from your machine and you are using IAM Access keys, ensure the keys are for the correct account.

EXPERT
answered 10 months ago
  • Thanks for trying to help but they are already correct. As I mentioned, I am connected with the same account which I am using for my GUI

  • Thanks for confirming

0

If you are able to access the RDS instance metrics using the AWS console but encountering the "NotAuthorizedException" error when using the AWS CLI, there could be a few possible reasons for this discrepancy. Here are some troubleshooting steps you can try:

  1. Verify AWS CLI configuration: Double-check that the AWS CLI is configured with the correct credentials. Run the following command to verify your AWS CLI configuration:

     aws configure

     Ensure that the AWS Access Key ID and AWS Secret Access Key provided during the configuration process match the credentials associated with the AWS account that has access to the RDS instance.

  2. Check AWS CLI permissions: Confirm that the IAM user or role associated with the AWS CLI has the necessary permissions to access RDS metrics. Review the IAM policies attached to the IAM user or role and ensure that they include the required permissions for the "rds:GetResourceMetrics" action.

  3. Verify the AWS CLI region: Ensure that the AWS CLI is set to the correct region by running the following command:

     aws configure get region

     Compare the region returned by this command with the region where your RDS instance is deployed. If they do not match, you can update the region by running aws configure and providing the correct region.

  4. Update AWS CLI version: Check if you have the latest version of the AWS CLI installed. Outdated versions may have compatibility issues or bugs that can cause unexpected errors. Updating the AWS CLI to the latest version can help resolve such issues.

  5. Confirm AWS CLI profile: If you have multiple AWS profiles configured on your system, make sure you are using the correct profile with the AWS CLI. You can specify the profile using the --profile flag in your AWS CLI commands. For example:

     aws pi get-resource-metrics --profile your_profile_name

     Replace your_profile_name with the name of the profile that has the necessary permissions to access RDS metrics.

  6. Check for any AWS CLI plugins or custom configurations: If you have any AWS CLI plugins or custom configurations that may interfere with the RDS API calls, consider disabling them temporarily to see if it resolves the issue.

answered 10 months ago
  • As far as the user is concerned, it is the correct one which I am using. I tried in CloudShell as well and it is the same error. I think the error is not due to the user, but somehow from the RDS, which says that the database instance (not user) for service type RDS is not authorized for this

0

I have gone through a number of resources and found this help! This might not be the exact answer but it is an alternative way of doing it.

The Performance Insights metrics can be retrieved from CloudWatch. Here is the command:

aws cloudwatch get-metric-statistics \
     --region {your-region} \
     --namespace AWS/RDS \
     --metric-name DBLoad \
     --period 60 \
     --statistics Average \
     --start-time 1689012463 \
     --end-time 1689084823 \
     --dimensions Name=DBInstanceIdentifier,Value={db-identifier}

Note: Here the db-identifier value will be without db keyword

Ali
answered 9 months ago
