Troubleshoot the AWS account prerequisites
Use this information to troubleshoot issues relating to the AWS single and multiple account prerequisites.
[ERROR]:"Missing the SplunkDMReadOnly role or incorrect trust relationship. Ask your AWS admin to prepare the prerequisites that you need for the next steps."
A data input cannot be created because the SplunkDMReadOnly IAM role for single accounts is missing.
Cause
Data Manager uses the SplunkDMReadOnly IAM role to ingest data from your AWS deployment. If the SplunkDMReadOnly role does not exist on your AWS account, then the Prerequisite step of Data Manager will fail.
Solution
- Log into the AWS account that you are trying to onboard.
- Navigate to IAM > Roles and check if the AWS account has the SplunkDMReadOnly role.
- If the AWS account does not have the SplunkDMReadOnly role, follow the steps in the AWS documentation to create the SplunkDMReadOnly role with the correct policy and trust relationship.
- If the SplunkDMReadOnly role is present, check if there is a role policy attached or if there is an inline role policy.
  - If a role policy does not exist, create a new role policy by following the steps in Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager.
  - If a role policy is attached to the role, or if you have an inline role policy, make sure the role policy has the same permissions listed in Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager.
  - If the permissions are the same as the ones listed in Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager, make sure the trust relationship is the same as well.
- If the SplunkDMReadOnly role exists and has the correct policy and trust relationship in your AWS account and you still see errors, something may have changed on the IAM role attached to the Splunk instance. Contact Splunk Support.
[ERROR]:The prerequisite roles do not exist in the following highlighted accounts. Ask your AWS admin to prepare the policies and onboarding roles that you need for the next steps.
When trying to onboard multiple AWS accounts, an error is shown indicating that the prerequisite roles do not exist.
Cause
A data input cannot be created because the AWSCloudFormationStackSetAdministrationRole role is missing.
Solution
- Verify the AWSCloudFormationStackSetAdministrationRole IAM role configuration in the AWS control account.
  - Log in to the AWS control account and make sure the AWSCloudFormationStackSetAdministrationRole exists.
  - If the AWSCloudFormationStackSetAdministrationRole does not exist, navigate to IAM > Roles > Create Role and click on policies and onboarding roles to create the role.
  - If the AWSCloudFormationStackSetAdministrationRole already exists, make sure a role policy is attached to it or an inline policy exists.
  - If the policy does not exist, create the policy.
    - Click Attach policies.
    - Navigate to the Prerequisites data onboarding page and click policies and onboarding roles.
    - Copy the role policy permissions and create the role policy.
  - If a policy is attached to the role, make sure the permissions are the same as listed in the "policies and onboarding roles".
- Verify the AWSCloudFormationStackSetExecutionRole IAM role configuration in the data account.
  - Log in to the data account(s) and make sure the AWSCloudFormationStackSetExecutionRole exists in the data accounts that you are trying to onboard.
  - If the AWSCloudFormationStackSetExecutionRole does not exist in the data account, navigate to IAM > Roles > Create Role and click on "policies and onboarding roles" on the Prerequisites page to create the role.
  - If the AWSCloudFormationStackSetAdministrationRole already exists in the data accounts, make sure there is a role policy attached to the role.
  - If the policy does not exist, create the policy.
    - Click Attach policies.
    - Navigate to the Prerequisites data onboarding page and click policies and onboarding roles.
    - Copy the role policy permissions and create the role policy.
  - If a policy is attached to the role, make sure the permissions are the same as listed on the "policies and onboarding roles" link on the Prerequisites page.
- Verify the SplunkDMReadOnly IAM role configuration in the control account and data accounts.
  - Log into the AWS account that you are trying to onboard.
  - Navigate to IAM > Roles and check if the AWS account has the SplunkDMReadOnly role.
  - If the AWS account does not have the SplunkDMReadOnly role, follow the steps in the AWS documentation to create the SplunkDMReadOnly role with the correct policy and trust relationship.
  - If the SplunkDMReadOnly role is present, check if there is a role policy attached or if there is an inline role policy.
    - If a role policy does not exist, create a new role policy by following the steps in Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager.
    - If a role policy is attached to the role, or if you have an inline role policy, make sure the role policy has the same permissions listed in Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager.
    - If the permissions are the same as the ones listed in Step 1. Prerequisites for Onboarding Data from a Single Account in Data Manager, make sure the trust relationship is the same as well.
- If the configuration is correct and you are still seeing this error message, contact Splunk Support.
 
Authorization errors
Authorization errors are shown while configuring the AWS prerequisites.
Cause
The Splunk software is not able to assume a role in one of your AWS accounts.
Solution
- Verify whether the SplunkDMReadOnly IAM role has changed on the AWS account shown in the error message.
  - Navigate to on resource: arn:aws:iam::<Your AWS Account ID>:role/SplunkDMReadOnly to find the AWS account ID.
  - Start creating a new AWS input and check the Prerequisites instructions page. Verify that the SplunkDMReadOnly role exists and the role policy and trust relationship are correct. Cancel creating the new AWS input.
- If the SplunkDMReadOnly role exists, and has the correct policy and trust relationship in your AWS account, something has changed on the IAM role attached to the Splunk Cloud Platform instance. Contact Splunk Support.
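The "same permissions" and "same trust relationship" checks in the single-account, multiple-account and authorization-error solutions above are easy to get wrong by eye, because IAM accepts a string or a list for Action, Principal and Resource and does not care about statement order. The following is an added example, not Splunk's or AWS's own code: it compares two policy documents after normalizing those differences and extracts the account ID from the ARN in an authorization error. The principal ARN, account IDs and error text are constructed placeholders; take the real expected documents from the Prerequisites page.

```python
import json
import re

def _as_set(value, lower=False):
    """IAM accepts a string or a list for these fields; compare both as sets."""
    items = [] if value is None else [value] if isinstance(value, str) else value
    return frozenset(i.lower() if lower else i for i in items)

def normalize(policy):
    """Reduce a policy document to an order-independent set of statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    result = set()
    for s in statements:
        principal = s.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*"
            principal = {"*": principal}
        result.add((
            s.get("Effect"),
            _as_set(s.get("Action"), lower=True),  # action names are case-insensitive
            _as_set(s.get("Resource")),
            frozenset((k, _as_set(v)) for k, v in principal.items()),
            json.dumps(s.get("Condition", {}), sort_keys=True),
        ))
    return result

def diff_policy(actual, expected):
    """Statements missing from, or unexpected in, the role's current document."""
    a, e = normalize(actual), normalize(expected)
    return {"missing": e - a, "unexpected": a - e}

def account_from_error(message):
    """Pull the 12-digit account ID out of the ARN in an authorization error."""
    m = re.search(r"arn:aws:iam::(\d{12}):role/SplunkDMReadOnly", message)
    return m.group(1) if m else None

# Constructed placeholders: copy the real documents from the Prerequisites page and
# from `aws iam get-role --role-name SplunkDMReadOnly` (Role.AssumeRolePolicyDocument).
EXPECTED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::999999999999:role/PLACEHOLDER"},
    "Action": "sts:AssumeRole"}]}
SAME = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::999999999999:role/PLACEHOLDER"]},
    "Action": ["STS:AssumeRole"]}}
DRIFTED = json.loads(json.dumps(EXPECTED).replace("9" * 12, "1" * 12))
ERROR = "... on resource: arn:aws:iam::111122223333:role/SplunkDMReadOnly"  # constructed

if __name__ == "__main__":
    print(diff_policy(SAME, EXPECTED), len(diff_policy(DRIFTED, EXPECTED)["missing"]))
    print(account_from_error(ERROR))
```

An empty "missing" and "unexpected" result means the role's document matches the expected one; anything in "unexpected" on a trust policy is worth reviewing before contacting Splunk Support, since it names a principal that can assume the role.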