403 Error When Using X-Ray Plug In (Cross Account Access)

I am using the X-Ray data source and I’m running into a 403 error when I attempt to use the ServiceMap query type.

Here is my setup:

  1. I have an ECS/Fargate instance stood up that has deployed v8.5.3 of the Grafana Docker container.
  2. I have installed v1.40 of the X-Ray data source.
  3. I have configured the data source to access X-Ray logs that are in another AWS account. I am doing this by assuming the role. This works fine EXCEPT for accessing the ServiceMap. The datasource is assuming a custom IAM role that is configured to allow the following actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "xray:BatchGetTraces",
        "xray:GetTraceSummaries",
        "xray:GetTraceGraph",
        "xray:GetGroups",
        "xray:GetTimeSeriesServiceStatistics",
        "xray:GetInsightSummaries",
        "xray:GetInsight",
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    }
  ]
}

Issue:
This setup works fine for the majority of X-Ray events; however, when I am in the data source and attempt to query the Service Map, I am getting the following error:

“AccessDeniedException: status code: 403, request id:…”

Steps to resolve:
I have used log-levels “error”, “critical”, “debug” and “info” and I see no diagnostic info being logged. I would expect to see a complete error coming back from the AWS CLI instead of the one-line error message. I’m not sure what I’m missing. Perhaps it is an additional action that needs to be added to the IAM role that isn’t documented? Again, I am accessing X-Ray logs that are in another AWS account (in the same region). All of our AWS accounts have cross-account access enabled. I am doing this with our CloudWatch data source and it works fine.

Thanks for your help!

Moving to Plugin Development
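An offline way to check the posted role policy against the action a query needs, as an added example that is not part of the original post or the plugin's code. It assumes the Service Map query calls the X-Ray `GetServiceGraph` API (authorized as `xray:GetServiceGraph`); the function names are hypothetical, and `Resource` and `Condition` elements are not evaluated.

```python
from fnmatch import fnmatchcase

# Role policy as posted above.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "xray:BatchGetTraces", "xray:GetTraceSummaries", "xray:GetTraceGraph",
            "xray:GetGroups", "xray:GetTimeSeriesServiceStatistics",
            "xray:GetInsightSummaries", "xray:GetInsight", "ec2:DescribeRegions",
        ],
        "Resource": "*",
    }],
}

# Assumption (not stated on the page): the Service Map query type calls the
# X-Ray GetServiceGraph API, which IAM authorizes as xray:GetServiceGraph.
SERVICE_MAP_ACTIONS = ["xray:GetServiceGraph"]

def _as_list(value):
    # IAM accepts a single string or a list for Statement/Action/NotAction.
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # Action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def is_allowed(policy, action):
    """Evaluate one identity policy: an explicit Deny wins, otherwise an Allow is needed."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt:
            hit = not _matches(stmt["NotAction"], action)
        else:
            hit = _matches(stmt.get("Action", []), action)
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def missing_actions(policy, required):
    """Return the required actions that the policy does not allow."""
    return [a for a in required if not is_allowed(policy, a)]

if __name__ == "__main__":
    print("Not allowed for Service Map:", missing_actions(POSTED_POLICY, SERVICE_MAP_ACTIONS))
```

Because the role is assumed in another account, the same check applies to any permissions boundary or service control policy attached there, which this sketch does not model.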