I’m trying to configure access to a CloudWatch datasource from an on-premise (and off AWS network) Grafana instance.
I’ve been reading the documentation on authentication to AWS, but what I am not clear on is how you configure access without baking in an IAM User access key and secret key or having to put those details directly into a credentials file. Ideally I don’t want to create an IAM user and keep access/secret keys locally on the Grafana server.
I thought there was another way to gain access to the CW datasource which avoided the situation above, and that was in creating an IAM Role and populating the ‘Assume Role ARN’ field with those details.
But I’ve struggled to see how you create a role in IAM which gives access to CloudWatch Metrics (ie from what service are you requesting access). I have a suitable policy in place to grant read access over the CW api calls, but cannot determine what this should be attached to. I’d be grateful to any pointers here and also to the question on how to use the AWS SDK Default provider without using IAM User credentials.