How can I configure on-premises servers that use SSM Agent and the unified CloudWatch agent to use only temporary credentials?

Last updated: 2020-10-08

I have a hybrid environment with on-premises servers that use AWS Systems Manager Agent (SSM Agent) and the unified Amazon CloudWatch agent. How can I configure my on-premises servers to use only temporary credentials?


When installing the unified CloudWatch agent on-premises, specify an AWS Identity and Access Management (IAM) user with access and secret keys in the configuration file. These are long-term credentials that, for security reasons, some policies require you to periodically rotate. When SSM Agent is installed on-premises, it can assume an IAM role using the temporary credentials process.

To configure the unified CloudWatch agent to push metrics and logs from the on-premises server using the temporary credentials provided by SSM Agent:

1.    Configure the common-config.toml CloudWatch agent configuration file to point to the credentials file generated by SSM Agent.

Note: The configuration file can be found in the following directories:

  • For Linux, /opt/aws/amazon-cloudwatch-agent/etc
  • For Windows, C:\ProgramData\Amazon\AmazonCloudWatchAgent

The credentials file is updated every 30 minutes by SSM Agent with new temporary credentials. Linking the unified CloudWatch agent to the credentials file allows the CloudWatch agent to use the temporary credentials generated by SSM Agent.


shared_credential_profile = "default"
shared_credential_file = "C:\\Windows\\System32\\config\\systemprofile\\.aws\\credentials"


shared_credential_profile = "default"
shared_credential_file = "/root/.aws/credentials"

2.    Change permissions to allow the unified CloudWatch agent to read the SSM Agent credentials file.
For Windows: Both agents run with the SYSTEM user, so no permissions changes are required.
For Linux: The unified CloudWatch agent runs as the root user. The agent can also run as a user that you can specify in the agent's configuration file using the run_as_user option. If your agent runs as a user other than the root, you must grant permissions to allow the user to read the file.

3.    Add the region parameter in a new line at the end of the credential file of the SSM Agent. This is the file that you configured to point to shared_credential_file in step 1.

region = eu-west-1

Note: Be sure to replace eu-west-1 with your Region.

4.    (Windows only) Change the startup type of the unified CloudWatch agent service to Automatic (Delayed). This change confirms that the CloudWatch agent service starts after the SSM Agent service during boot-up.

5.    Attach the CloudWatchAgentServerPolicy IAM policy to the IAM Service Role for a Hybrid Environment, next to the required AmazonSSMManagedInstanceCore IAM policy.

Modify the common configuration for proxy or region information (Location of the common-config.toml file on Windows/Linux)

Using temporary credentials with AWS resources (Description of the temporary credentials process)

Create an IAM service role for a hybrid environment

Did this article help?

Do you need billing or technical support?