AWS X-Ray cross-account data collection

3

8

I have an application that is distributed over two AWS accounts. One part of the application ingests data from one account into the other account.

The producer part is realised as Python Lambda microservices. The consumer part is a Spring Boot app in Elastic Beanstalk and additional Python Lambdas that further distribute data to external systems after they have been processed by the Spring Boot app in Elastic Beanstalk.

I don't have an explicit X-Ray daemon running anywhere.

I am wondering if it is possible to send the X-Ray traces of the one account to the other account so I can monitor my application in one place.

I could not find any hints in the documentation regarding cross-account usage. Is this even doable?

Disquisition answered 10/8, 2019 at 15:41 Comment(0)
6

If you are running the X-Ray daemon, you can provide a RoleARN to the daemon, so it assumes the role and sends the data it receives from the X-Ray SDK from Account 1 to Account 2.

However, if you have enabled X-Ray on API Gateway or AWS Lambda, segments generated by these services are sent to the account they run in, and it's not possible to send data cross-account for these services.

Please let me know if you have questions. If yes, include the architecture flow and solution stack you are using to better guide you.

Thanks, Yogi

Caius answered 13/8, 2019 at 22:0 Comment(1)
Should the RoleArn be assume role policy containing the AccountB? – Moe
2

It is possible but you'd have to run your own xray-daemon as a service.

By default, lambda uses its own xray daemon process to send traces to the account it is running in. However, the X-Ray SDK supports environment variables which can be used to use a custom xray daemon process instead. These environment variables are applicable even if the microservice is running inside a lambda function.

Since your lambda is written in python, you can refer to this AWS Doc which talks about an environment variable. You can set the value to the address of the custom xray daemon service.

 AWS_XRAY_DAEMON_ADDRESS = x.x.x.x:2000

Let's say you want to send traces from Account 1 to Account 2. You can do that by configuring your daemon to assume a role. This role must be present in Account 2 (where you want to send your traces). Then use this role's ARN by passing it in the options while running your X-Ray daemon service in Account 1 (from where you want the traces to be sent). The options to use are mentioned in this AWS Doc here.

--role-arn arn:aws:iam::123456789012:role/xray-cross-account

Make sure you attach permissions in Account 1 as well to send traces to Account 2.

Parachronism answered 5/5, 2022 at 11:56 Comment(0)
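
The three IAM documents the answer above relies on, built and checked for over-broad grants, as an added example that is not part of the original answer. The Account 1 ID and the role name `xray-daemon-host` are constructed for illustration; the action set is the one in the AWS managed policy AWSXRayDaemonWriteAccess.

```python
import json

ACCOUNT_1 = "111111111111"  # constructed ID: account where the daemon runs
ACCOUNT_2 = "123456789012"  # account ID from the ARN quoted in the answer
DAEMON_ROLE = f"arn:aws:iam::{ACCOUNT_1}:role/xray-daemon-host"  # hypothetical name
TARGET_ROLE = f"arn:aws:iam::{ACCOUNT_2}:role/xray-cross-account"

# Actions contained in the AWS managed policy AWSXRayDaemonWriteAccess.
DAEMON_ACTIONS = {
    "xray:PutTraceSegments", "xray:PutTelemetryRecords", "xray:GetSamplingRules",
    "xray:GetSamplingTargets", "xray:GetSamplingStatisticSummaries"}

def policy(**stmt):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", **stmt}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def build_policies(daemon_role=DAEMON_ROLE, target_role=TARGET_ROLE):
    return {
        # Trust policy on the Account 2 role: only the daemon's role may assume it.
        "trust": policy(Principal={"AWS": daemon_role}, Action="sts:AssumeRole"),
        # Permissions on the Account 2 role: write traces and telemetry only.
        "target": policy(Action=["xray:PutTraceSegments",
                                 "xray:PutTelemetryRecords"], Resource="*"),
        # Permissions on the daemon's role in Account 1: assume that one role.
        "daemon": policy(Action="sts:AssumeRole", Resource=target_role),
    }

def findings(p):
    """Return a list of grants that are wider than this setup needs."""
    out = []
    for s in p["trust"]["Statement"]:
        pr = s["Principal"]
        for arn in as_list(pr.get("AWS", []) if isinstance(pr, dict) else pr):
            if arn == "*" or arn.endswith(":root"):
                out.append(f"trust: {arn} is broader than the daemon role")
    for s in p["target"]["Statement"]:
        extra = [a for a in as_list(s["Action"]) if a not in DAEMON_ACTIONS]
        if extra:
            out.append(f"target: grants more than daemon write access: {extra}")
    for s in p["daemon"]["Statement"]:
        if any("*" in r for r in as_list(s["Resource"])):
            out.append("daemon: sts:AssumeRole is not pinned to one role ARN")
    return out

if __name__ == "__main__":
    print(json.dumps(build_policies(), indent=2))
    print(findings(build_policies()))
```
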
1

This is now possible with this recent launch: https://aws.amazon.com/about-aws/whats-new/2022/11/amazon-cloudwatch-cross-account-observability-multiple-aws-accounts/.

You can link accounts to another account to share traces, metrics, and logs.

Clydesdale answered 12/12, 2022 at 4:44 Comment(0)
