Analyzing OpenAI Codex Usage with CloudWatch and OpenTelemetry
This guide takes approximately 15 minutes for a single developer. Everything described here was validated against Codex CLI 0.139.0. Codex's telemetry is evolving quickly — metric names and configuration keys may differ in other versions, so verify against your installed version (see Verify metrics are flowing).
Bearer token authentication
Bearer tokens (CloudWatch metrics API keys) allow tools running outside AWS (like Codex on developer laptops) to send metrics to CloudWatch without requiring the AWS SDK or IAM credential chains. Each token is tied to an AWS IAM user scoped exclusively to the CloudWatchAPIKeyAccess managed policy.
Bearer tokens are long-term credentials. This recipe uses them because AI coding agents run on developer laptops outside of AWS, where SigV4 with short-term credentials would require a central collector or a per-machine collector process. For workloads running inside AWS where SigV4 with short-term credentials is feasible, prefer that approach for a stronger security posture. The CloudWatch OTLP endpoint requires HTTPS; requests over plain HTTP are rejected. For more information, see CloudWatch OTLP Metrics Bearer Token Auth.
Solution overview
The setup has three components:
- A CloudWatch metrics API key — a bearer token tied to a narrowly-scoped IAM user. Created once per developer (or shared per team).
- Codex configuration —
~/.codex/config.tomland a couple of environment variables that tell Codex's OpenTelemetry SDK where to send metrics and how to attribute them. - A pre-built dashboard — a CloudWatch dashboard (and a Grafana equivalent) that visualizes token usage, API and tool activity, and team-level usage with PromQL queries.