Enable Application Signals on an Amazon EKS cluster with your services - Amazon CloudWatch

Enable Application Signals on an Amazon EKS cluster with your services

To enable CloudWatch Application Signals on your applications on an existing Amazon EKS cluster, use the instructions in this section.

Important

If you are already using OpenTelemetry with an application that you intend to enable for Application Signals, see OpenTelemetry compatibility considerations before you enable Application Signals.

To enable Application Signals for your applications on an existing Amazon EKS cluster
  1. Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/.

  2. In the navigation pane, choose Services.

  3. If you haven't enabled Application Signals in this account yet, you must grant Application Signals the permissions it needs to discover your services. To do so, do the following. You need to do this only once for your account.

    1. Choose Start discovering your Services.

    2. Select the check box and choose Start discovering Services.

      Completing this step for the first time in your account creates the AWSServiceRoleForCloudWatchApplicationSignals service-linked role. This role grants Application Signals the following permissions:

      • xray:GetServiceGraph

      • logs:StartQuery

      • logs:GetQueryResults

      • cloudwatch:GetMetricData

      • cloudwatch:ListMetrics

      • tag:GetResources

      For more information about this role, see Service-linked role permissions for CloudWatch Application Signals.

  4. Choose Enable Application Signals.

  5. For Specify platform, choose EKS.

  6. For Select an EKS cluster, select the cluster where you want to enable Application Signals.

  7. If this cluster does not already have the Amazon CloudWatch Observability EKS add-on enabled, you are prompted to enable it. If this is the case, do the following:

    1. Choose Add CloudWatch Observability EKS add-on. The Amazon EKS console appears.

    2. Select the check box for Amazon CloudWatch Observability and choose Next.

      The CloudWatch Observability EKS add-on enables both Application Signals and CloudWatch Container Insights with enhanced observability for Amazon EKS. For more information about Container Insights, see Container Insights.

    3. Select the most recent version of the add-on to install.

    4. Select an IAM role to use for the add-on. If you choose Inherit from node, attach the correct permissions to the IAM role used by your worker nodes. Replace my-worker-node-role with the IAM role used by your Kubernetes worker nodes.

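      # attach-role-policy accepts one --policy-arn per call, so attach each policy separately.
      aws iam attach-role-policy \
        --role-name my-worker-node-role \
        --policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy

      aws iam attach-role-policy \
        --role-name my-worker-node-role \
        --policy-arn arn:aws:iam::aws:policy/AWSXRayWriteOnlyAccess
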
    5. If you want to create a service role to use the add-on, see Install the CloudWatch agent by using the Amazon CloudWatch Observability EKS add-on or the Helm chart.

    6. Choose Next, confirm the information on the screen, and choose Create.

    7. In the next screen, choose Enable CloudWatch Application Signals to return to the CloudWatch console and finish the process.

  8. There are two options for enabling your applications for Application Signals. For consistency, we recommend that you choose one option per cluster.

    • The Console option is simpler. Using this method causes your pods to immediately restart.

    • The Annotate Manifest File method gives you more control over when your pods restart, and lets you manage your monitoring in a decentralized way instead of centrally.

    Console

    The Console option uses the advanced configuration of the Amazon CloudWatch Observability EKS add-on to set up Application Signals for your services. For more information about the add-on, see (Optional) Additional configuration.

    If you don’t see a list of workloads and namespaces, ensure you have the right permissions to view them for this cluster. For more information, see Required permissions.

    You can monitor single workloads or entire namespaces.

    To monitor a single workload:

    1. Select the check box by the workload that you want to monitor.

    2. Use the Select language(s) dropdown list to select the language of the workload. Select the languages that you want to enable Application Signals for, and then choose the check mark icon (✓) to save this selection.

      For Python applications, ensure your application follows the required prerequisites before continuing. For more information, see Python application doesn't start after Application Signals is enabled.

    3. Choose Done. The Amazon CloudWatch Observability EKS add-on will immediately inject Amazon Distro for OpenTelemetry autoinstrumentation (ADOT) SDKs into your pods and trigger pod restarts to enable collection of application metrics and traces.

    To monitor an entire namespace:

    1. Select the check box by the namespace that you want to monitor.

    2. Use the Select language(s) dropdown list to select the language of the namespace. Select the languages that you want to enable Application Signals for, and then choose the check mark icon (✓) to save this selection. This applies it to all workloads in this namespace, whether they are currently deployed or will be deployed in the future.

      For Python applications, ensure your application follows the required prerequisites before continuing. For more information, see Python application doesn't start after Application Signals is enabled.

    3. Choose Done. The Amazon CloudWatch Observability EKS add-on will immediately inject Amazon Distro for OpenTelemetry autoinstrumentation (ADOT) SDKs into your pods and trigger pod restarts to enable collection of application metrics and traces.

    To enable Application Signals in another Amazon EKS cluster, choose Enable Application Signals from the Services screen.

    Annotate manifest file

    In the CloudWatch console, the Monitor Services section explains that you must add an annotation to a manifest YAML in the cluster. Adding this annotation auto-instruments the application to send metrics, traces, and logs to Application Signals.

    You have two options for the annotation:

    • Annotate Workload auto-instruments a single workload in the cluster.

    • Annotate Namespace auto-instruments all workloads deployed in the selected namespace.

    Choose one of those options, and follow the appropriate steps:

    • To annotate a single workload:

      1. Choose Annotate Workload.

      2. Paste one of the following lines into the PodTemplate section of the workload manifest file.

      3. In your terminal, enter kubectl apply -f your_deployment_yaml to apply the change.

    • To annotate all workloads in a namespace:

      1. Choose Annotate Namespace.

      2. Paste one of the following lines into the metadata section of the namespace manifest file. If the namespace includes both Java and Python workloads, paste both of these lines into the namespace manifest file.

        • If there are Java workloads in the namespace:

            annotations:
              instrumentation.opentelemetry.io/inject-java: "true"

        • If there are Python workloads in the namespace:

            annotations:
              instrumentation.opentelemetry.io/inject-python: "true"

          For Python applications, there are additional required configurations. For more information, see Python application doesn't start after Application Signals is enabled.

      3. In your terminal, enter kubectl apply -f your_namespace_yaml to apply the change.

      4. In your terminal, enter a command to restart all pods in the namespace. An example command to restart deployment workloads is kubectl rollout restart deployment -n namespace_name

  9. Choose View Services when done. This takes you to the Application Signals Services view, where you can see the data that Application Signals is collecting. It might take a few minutes for data to appear.

    To enable Application Signals in another Amazon EKS cluster, choose Enable Application Signals from the Services screen.

    For more information about the Services view, see Monitor the operational health of your applications with Application Signals.
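
To review the result of the Annotate Manifest File method in step 8, the following added Python example (not AWS code) reports which Deployments carry an effective inject annotation, either on the pod template or inherited from the namespace, and flags annotations placed on the Deployment's top-level metadata instead of the PodTemplate section. The sample input is constructed in the shape of kubectl get namespaces,deployments -A -o json; the function names are illustrative, and only the value "true" shown on this page is modelled.

```python
# Annotation keys as given on this page; only the value "true" is modelled.
INJECT_KEYS = {
    "java": "instrumentation.opentelemetry.io/inject-java",
    "python": "instrumentation.opentelemetry.io/inject-python",
}

def langs(metadata):
    """Languages whose inject annotation equals "true" in a metadata object."""
    ann = (metadata or {}).get("annotations") or {}
    return {lang for lang, key in INJECT_KEYS.items() if ann.get(key) == "true"}

def audit(items):
    """Return {"namespace/deployment": (effective, misplaced)} as sorted lists.

    effective: set on the pod template or inherited from the namespace.
    misplaced: set only on the Deployment's top-level metadata, which is not
    the PodTemplate section the procedure names.
    """
    by_ns = {i["metadata"]["name"]: langs(i["metadata"])
             for i in items if i["kind"] == "Namespace"}
    report = {}
    for i in items:
        if i["kind"] != "Deployment":
            continue
        meta = i["metadata"]
        template_meta = i["spec"]["template"].get("metadata")
        effective = langs(template_meta) | by_ns.get(meta["namespace"], set())
        misplaced = langs(meta) - effective
        key = f'{meta["namespace"]}/{meta["name"]}'
        report[key] = (sorted(effective), sorted(misplaced))
    return report

# Constructed sample, not output from a real cluster.
JAVA = {INJECT_KEYS["java"]: "true"}
PY = {INJECT_KEYS["python"]: "true"}
SAMPLE = {"items": [
    {"kind": "Namespace", "metadata": {"name": "shop", "annotations": {**JAVA, **PY}}},
    {"kind": "Namespace", "metadata": {"name": "batch"}},
    {"kind": "Deployment", "metadata": {"name": "cart", "namespace": "shop"},
     "spec": {"template": {"metadata": {}}}},
    {"kind": "Deployment", "metadata": {"name": "etl", "namespace": "batch"},
     "spec": {"template": {"metadata": {"annotations": PY}}}},
    {"kind": "Deployment",
     "metadata": {"name": "report", "namespace": "batch", "annotations": JAVA},
     "spec": {"template": {"metadata": {}}}},
]}

if __name__ == "__main__":
    for name, (effective, misplaced) in audit(SAMPLE["items"]).items():
        print(f"{name}: instrumented={effective} misplaced={misplaced}")
```

Workloads enabled through the Console option are configured in the add-on rather than in manifests, so they do not appear in this report.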

Note

We've identified some considerations that you should keep in mind when enabling Python applications for Application Signals. For more information, see Python application doesn't start after Application Signals is enabled.