awslabs · forestmvey · Feb 28, 2024 · Feb 23, 2024 · Feb 26, 2024
diff --git a/GETTING_STARTED.md b/GETTING_STARTED.md
@@ -43,22 +43,24 @@ This getting started guide defines the following terms:
 
 ### Create a database and table on Amazon Timestream
 
+> **NOTE:** Replace the <*region*> value with the deployment region.
+
 1. Create a database called `prometheusDatabase` by running the following command in a command-line interface:
 
    ```shell
-   aws timestream-write create-database --database-name prometheusDatabase
+   aws timestream-write create-database --database-name prometheusDatabase --region <region>
    ```
 
 2. Create a table called `prometheusMetricsTable` within `prometheusDatabase` with the following command:
 
    ```shell
-   aws timestream-write create-table --database-name prometheusDatabase --table-name prometheusMetricsTable
+   aws timestream-write create-table --database-name prometheusDatabase --table-name prometheusMetricsTable --region <region>
    ```
 
 3. Run the following `describe-table` command to ensure that the database and table creation succeeded:
 
    ```shell
-   aws timestream-write describe-table --database-name prometheusDatabase --table-name prometheusMetricsTable
+   aws timestream-write describe-table --database-name prometheusDatabase --table-name prometheusMetricsTable --region <region>
    ```
 
 ## Configure Prometheus Connector
@@ -174,6 +176,8 @@ It is recommended to enable TLS encryption between Prometheus and the Prometheus
 
 4. Add the following configuration to the end of `prometheus.yml`:
 
+> **NOTE:** All configuration options are *case-sensitive*, and *session_token* authentication parameter is not supported for MFA authenticated AWS users.
+
    ```
    remote_write:
      - url: "http://localhost:9201/write"
@@ -217,6 +221,8 @@ It is recommended to secure the Prometheus requests with TLS encryption. This ca
 
 Here is an example of `remote_write` and `remote_read` configuration with TLS, where `RootCA.pem` is within the same directory as the Prometheus configuration file:
 
+> **NOTE:** All configuration options are *case-sensitive*, and *session_token* authentication parameter is not supported for MFA authenticated AWS users.
+
 ```yaml
 remote_write:
   - url: "https://localhost:9201/write"

diff --git a/README.md b/README.md
@@ -61,6 +61,8 @@ To configure Prometheus to read and write to remote storage, configure the `remo
 
 2. Configure the basic authentication header for Prometheus read and write requests with valid IAM credentials.
 
+> **NOTE:** All configuration options are *case-sensitive*, and *session_token* authentication parameter is not supported for MFA authenticated AWS users.
+
     ```yaml
     basic_auth:
       username: accessKey
@@ -72,15 +74,19 @@ To configure Prometheus to read and write to remote storage, configure the `remo
     ```yaml
     basic_auth:
       username: accessKey
-      password_file: credentials/secretAccessKey.txt
+      password_file: /Users/user/Desktop/credentials/secretAccessKey.txt
     ```
 
-    >  **NOTE**: As a security best practice, it is recommended to regularly [rotate IAM user access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey).
+The *password_file* path must be the absolute path for the file, and the password file must contain only the value for the *aws_secret_access_key*.
+
+>  **NOTE**: As a security best practice, it is recommended to regularly [rotate IAM user access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey).
 
 3. It is recommended to secure the Prometheus requests with TLS encryption. This can be achieved by specifying the certificate authority file in the `tls_config` section for Prometheus' remote read and remote write configuration. To generate self-signed certificates during development see the [Creating Self-signed TLS Certificates](#creating-self-signed-tls-certificates) section.
 
     Here is an example of `remote_write` and `remote_read` configuration with TLS, where `RootCA.pem` is within the same directory as the Prometheus configuration file:
 
+> **NOTE:** All configuration options are *case-sensitive*, and *session_token* authentication parameter is not supported for MFA authenticated AWS users.
+
     ```yaml
     remote_write:
       - url: "https://localhost:9201/write"

diff --git a/serverless/DEVELOPER_README.md b/serverless/DEVELOPER_README.md
@@ -145,8 +145,6 @@ To view the full set of `sam deploy` options see the [sam deploy documentation](
 
 ## Configuration
 
-> **NOTE:** All configuration options are *case-sensitive*.
-
 ### Configure Prometheus
 
 To let the Lambda function know which database/table destination is for a Prometheus time series,
@@ -155,11 +153,9 @@ two additional labels need to be added in every Prometheus time series through [
 
 2. Replace the `InvokeWriteURL` and `InvokeReadURL` with the API Gateway URLs from deployment, and provide the appropriate IAM credentials in `basic_auth` before adding the following sections to the configuration file:
 
-```yaml
-global:
-  scrape_interval:    60s
-  evaluation_interval: 60s
+> **NOTE:** All configuration options are *case-sensitive*, and *session_token* authentication parameter is not supported for MFA authenticated AWS users.
 
+```yaml
 scrape_configs:
   - job_name: 'prometheus'
     scrape_interval:    15s
@@ -188,6 +184,13 @@ remote_read:
       password_file: passwordFile
 ```
 
+The *password_file* path must be the absolute path for the file, and the password file must contain only the value for the *aws_secret_access_key*.
+
+The *url* values for *remote_read* and *remote_write* will be outputs from the cloudformation deployment. See the following exmaple for a remote write url:
+```
+url: "https://foo9l30.execute-api.us-east-1.amazonaws.com/dev/write"
+```
+
 ### Start Prometheus
 
 1. Ensure the user invoking the AWS Lambda function has read and write permissions to Amazon Timestream. For more details see [Execution Permissions](#execution-permissions).
@@ -236,6 +239,8 @@ The user **deploying** this project **must** have the following permissions list
 [iam](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html#awsidentityandaccessmanagementiam-actions-as-permissions)
 
 
+> **NOTE** - This policy is too long to be added inline during user creation, and must be created as a policy and attached to the user instead.
+
 ```json
 {
 	"Version": "2012-10-17",