403 Error When Using X-Ray Plug In (Cross Account Access)

I am using the X-RAY datasource and I’m running into a 403 error when I attempt to use the ServiceMap query type.

Here is my setup:

  1. I have an ECS/Fargate instance stood up that has deployed v8.5.3 of the Grafana Docker container.
  2. I have installed the v1.40 version of the X-RAY data source.
  3. I have configured the data source to access X-Ray logs that are in another AWS account. I am doing this by assuming the role. This works fine EXCEPT for accessing the ServiceMap. The datasource is assuming a custom IAM role that is configured to allow the following actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "xray:BatchGetTraces",
        "xray:GetTraceSummaries",
        "xray:GetTraceGraph",
        "xray:GetGroups",
        "xray:GetTimeSeriesServiceStatistics",
        "xray:GetInsightSummaries",
        "xray:GetInsight",
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    }
  ]
}

Issue:
This setup works fine for the majority of X-Ray events; however, when I am in the data source and attempt to query the Service Map, I am getting the following error:

“AccessDeniedException: status code: 403, request id:…”

Steps to resolve:
I have used log-levels “error”, “critical”, “debug” and “info” and I see no diagnostic info being logged. I would expect to see a complete error coming back from the AWS CLI instead of the one-line error message. I’m not sure what I’m missing. Perhaps it is an additional action that needs to be added to the IAM role that isn’t documented? Again, I am accessing X-Ray logs that are in another AWS account (in the same region). All of our AWS accounts have cross-account access enabled. I am doing this with our CloudWatch data source and it works fine.

Thanks for your help!
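An added example, not part of the original post or the plugin's code: a Python check that a role policy like the one quoted above allows the X-Ray API action behind each query type. The query-type-to-action mapping (including `xray:GetServiceGraph` for the Service Map) and the function names are assumptions; only the policy's `Action` lists are evaluated, so SCPs, permission boundaries, `Resource` and `Condition` are out of scope.

```python
import fnmatch
import json

# Role policy as quoted in the post, embedded so the script runs offline.
ROLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["xray:BatchGetTraces", "xray:GetTraceSummaries", "xray:GetTraceGraph",
              "xray:GetGroups", "xray:GetTimeSeriesServiceStatistics",
              "xray:GetInsightSummaries", "xray:GetInsight", "ec2:DescribeRegions"],
   "Resource": "*"}]}
""")

# Assumption: X-Ray API action behind each query type (not stated in the post).
REQUIRED_ACTIONS = {
    "Trace List": ["xray:GetTraceSummaries"],
    "Insights": ["xray:GetInsightSummaries"],
    "Service Map": ["xray:GetServiceGraph"],
}

def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single item or a list.
    return list(value) if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive; "*" and "?" act as wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(policy, action):
    """Explicit Deny wins; otherwise at least one matching Allow is required."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(_as_list(stmt.get("Action", [])), action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return {query type: [actions the policy does not allow]}."""
    gaps = {q: [a for a in acts if not is_allowed(policy, a)]
            for q, acts in required.items()}
    return {q: g for q, g in gaps.items() if g}

if __name__ == "__main__":
    for query, gaps in missing_actions(ROLE_POLICY).items():
        print(f"{query}: role policy does not allow {', '.join(gaps)}")
```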

Moving to Plugin Development
