PromQL

Give your Firetiger agents direct access to any Prometheus-compatible metrics API. When investigating issues, agents can query real-time and historical metrics — CPU usage, error rates, latency percentiles, saturation signals — and correlate them with logs and traces.

Works with Prometheus, Thanos, VictoriaMetrics, Cortex, Grafana Mimir, and Amazon Managed Prometheus (AMP).

Setup

  1. In the Firetiger UI, go to Settings → Connections and click New Connection
  2. Select PromQL as the connection type
  3. Enter a display name and the Base URL of your Prometheus-compatible API (e.g., https://prometheus.example.com)
  4. Choose an authentication method and provide credentials (see Authentication below)
  5. Save the connection — your agents can now query metrics through it

What Agents Can Do

Capability        Description
Instant query     Evaluate a PromQL expression at a single point in time
Range query       Evaluate a PromQL expression over a time range, returning a time series
List labels       Browse all label names present in the metrics store
Label values      Get all values for a specific label name
Find series       Discover time series matching a set of label matchers
Metric metadata   Look up the type, help text, and unit for a metric

You don’t need to know PromQL — just ask questions in natural language and the agent constructs the right queries.

Authentication

Method         When to use
None           Public or unauthenticated endpoints
Basic Auth     Username and password (e.g., Grafana Cloud, self-hosted Prometheus with basic auth)
Bearer Token   API key or token (e.g., Grafana Cloud API key, custom auth middleware)
AWS SigV4      Amazon Managed Prometheus (AMP) — signs requests with AWS credentials

AWS SigV4 (Amazon Managed Prometheus)

Set the Region to the AWS region of your AMP workspace (e.g., us-east-1). Then choose a credential source:

  • IAM Role — provide a role ARN (e.g., arn:aws:iam::123456789012:role/firetiger-amp-access) for Firetiger to assume. Add an optional external ID to prevent confused deputy attacks.
  • Static Credentials — provide an Access Key ID and Secret Access Key directly.

IAM role assumption is recommended for production use because the temporary credentials it yields rotate automatically, unlike static access keys.

Setting up an IAM role for AMP access

Step 1 — Create the role in your AWS account

Create an IAM role with the following trust policy. This allows Firetiger’s AWS account to assume the role using STS. The sts:ExternalId condition is optional but strongly recommended: it prevents the confused deputy problem by ensuring Firetiger can assume this role only on behalf of your specific connection. Copy the External ID from the connection form in the Firetiger UI before creating the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::975050257559:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{external-id-from-firetiger}"
        }
      }
    }
  ]
}

Step 2 — Attach a permissions policy

Attach the following inline or managed policy to the role. Replace {region}, {account-id}, and {workspace-id} with your AMP workspace details. Scoping the resource to a specific workspace follows least-privilege — use * only if you need to grant access to all workspaces in the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aps:QueryMetrics",
        "aps:GetLabels",
        "aps:GetSeries",
        "aps:GetMetricMetadata"
      ],
      "Resource": "arn:aws:aps:{region}:{account-id}:workspace/{workspace-id}"
    }
  ]
}

These four actions map directly to the agent capabilities listed above: instant/range queries, label listing, series discovery, and metric metadata lookup.

Step 3 — Enter the role ARN in Firetiger

Copy the role ARN (e.g., arn:aws:iam::123456789012:role/firetiger-amp-access) and paste it into the Role ARN field in the Firetiger connection form. If you added an External ID condition in Step 1, enter the same value in the External ID field.
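An offline check of the two policies from Steps 1 and 2, useful before pasting the role ARN into the connection form. This is an added example, not Firetiger's code: the function names, the sample external ID and the sample workspace ID are made up for illustration, and only the StringEquals form of the condition shown in Step 1 is recognised.

```python
FIRETIGER_PRINCIPAL = "arn:aws:iam::975050257559:root"  # principal from the Step 1 trust policy
ALLOWED_ACTIONS = {"aps:querymetrics", "aps:getlabels", "aps:getseries", "aps:getmetricmetadata"}

def _as_list(value):
    """IAM accepts either a single value or a list for these fields."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Findings for the Step 1 trust policy (hypothetical helper)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if principals != [FIRETIGER_PRINCIPAL]:
            findings.append("trust: principal is not exactly the Firetiger account")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append("trust: no sts:ExternalId condition")
        elif any("{" in str(e) for e in ext_ids):
            findings.append("trust: sts:ExternalId is still the template placeholder")
    return findings

def audit_permissions_policy(policy):
    """Findings for the Step 2 permissions policy (hypothetical helper)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        extra = sorted({a.lower() for a in _as_list(stmt.get("Action"))} - ALLOWED_ACTIONS)
        if extra:
            findings.append("permissions: actions beyond the four listed: " + ", ".join(extra))
        for res in _as_list(stmt.get("Resource")):
            if res == "*" or res.endswith("workspace/*"):
                findings.append("permissions: not scoped to one workspace: " + res)
    return findings

# Constructed sample policies, not real roles; external ID and workspace ID are made up.
WEAK_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"AWS": FIRETIGER_PRINCIPAL}}]}
GOOD_TRUST = {"Statement": [dict(WEAK_TRUST["Statement"][0], Condition={
    "StringEquals": {"sts:ExternalId": "example-external-id"}})]}
WEAK_PERMS = {"Statement": [{"Effect": "Allow", "Action": "aps:*", "Resource": "*"}]}
GOOD_PERMS = {"Statement": [{"Effect": "Allow", "Action": [
    "aps:QueryMetrics", "aps:GetLabels", "aps:GetSeries", "aps:GetMetricMetadata"],
    "Resource": "arn:aws:aps:us-east-1:123456789012:workspace/ws-example"}]}
if __name__ == "__main__":
    print(audit_trust_policy(WEAK_TRUST) + audit_permissions_policy(WEAK_PERMS))
```
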

Troubleshooting

Connection refused or unreachable — Confirm the Base URL is reachable from Firetiger’s network. If your Prometheus is on a private network, you may need to configure a network transport.

Authentication errors — Double-check credentials. For Bearer tokens, make sure the token value does not include a Bearer prefix. For AWS SigV4, confirm the IAM role or access key has aps:QueryMetrics, aps:GetLabels, aps:GetSeries, and aps:GetMetricMetadata permissions on the AMP workspace, and that the trust policy principal is set to Firetiger’s AWS account (arn:aws:iam::975050257559:root).

Empty results — Confirm the time range includes data. Some exporters have scrape delays of 15–60 seconds. Try a broader range or use an instant query against a known metric like up.

