AWS CodeGuru profiler under different account

Question

We are trying to build a centralised CodeGuru profiler dashboard as described by the documentation at https://aws.amazon.com/blogs/devops/building-a-centralized-codeguru-profiler-dashboard-multi-account/.

So in effect, we have our CodeGuru profiling group under a central aws-code-analysis account and the actual application running under aws-application account. We are facing an issue with the cross-account connectivity. It appears the agent running under the aws-application account is trying to look for the profiling group under the local aws-application account instead of connecting to the central aws-code-analysis account.

Both the command line invocation of the agent (as documented here) as well as integration by code (as documented here) accept only the profiling-group-name as input and not the full ARN or account-id, profiling-group-name combination. So I'm not sure how the agent would determine which account to connect to? I couldn't find a way of explicitly specifying account-id to use anywhere.

Appreciate any pointers.

Answer 1

You should be able to pass in the role from your centralised account using awsCredentialsProvider, e.g. "arn:aws:iam::<CODEGURU_CENTRAL_ACCOUNT_ID>:role/CodeGuruCrossAccountRole". This will configure the agent to send profiling data to this account.

I would also check that the region is set to the region of the profiling group in the centralised account. So it should look something like this:

static String roleArn = "arn:aws:iam::<v>:role/CodeGuruCrossAccountRole";
static String sessionName = "codeguru-java-session";


Profiler.builder()
  .profilingGroupName("JavaAppProfilingGroup")
  .awsCredentialsProvider(AwsCredsProvider.getCredentials(
                                        roleArn,
                                        sessionName))
  .region(<CODEGURU_CENTRAL_ACCOUNT_REGION>)
  .withHeapSummary(true)
  .build()
  .start();