Hi,
I have successfully configured Grafana to access EC2 metrics using the following IAM role policy on the EC2 instance:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingCloudwatchMetrics",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsFromEC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```
This was working in our dev AWS account.
I then tried to allow Grafana to access the EC2 data in our prod AWS account by creating the same role policy as above in the prod account, and then allowing the EC2 instance in the dev account to assume the role with this policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeDashboardRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam:::role/dashboard"
      ]
    }
  ]
}
```
This does not work. I noticed this https://github.com/grafana/grafana/issues/3522 which mentions manually calling STS.assumeRole and then adding the credentials to grafana configuration. Since the post is quite old and I didn’t need to add the credentials when using a single AWS account, I wondered if this was still necessary?
Thanks,
Andy.
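Cross-account `sts:AssumeRole` only succeeds when both halves agree: the caller's permission policy (as in the post above) and a trust policy on the target role in the prod account that names the calling principal. The following added Python check (not from the post, not Grafana code) compares the two documents statically before anything is deployed; the account IDs and the role name `grafana-instance` are constructed placeholders.

```python
# Constructed placeholder identifiers (not from the original post).
DEV_ACCOUNT, PROD_ACCOUNT = "111111111111", "222222222222"
CALLER_ROLE = f"arn:aws:iam::{DEV_ACCOUNT}:role/grafana-instance"  # dev EC2 instance role
TARGET_ROLE = f"arn:aws:iam::{PROD_ACCOUNT}:role/dashboard"        # prod role to assume

# Caller side (dev account): permission policy on the instance role.
PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AssumeDashboardRole", "Effect": "Allow",
    "Action": "sts:AssumeRole", "Resource": [TARGET_ROLE]}]}
# Target side (prod account): trust policy on the dashboard role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CALLER_ROLE},
    "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_assume_statements(policy):
    """Yield Allow statements whose Action covers sts:AssumeRole."""
    for st in _as_list(policy.get("Statement", [])):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") == "Allow" and {"sts:AssumeRole", "sts:*"} & set(actions):
            yield st

def permission_targets(policy):
    """Role ARNs the caller may assume under its own permission policy."""
    return {r for st in _allow_assume_statements(policy)
            for r in _as_list(st.get("Resource", []))}

def trusted_principals(trust_policy):
    """AWS principals the target role's trust policy lets call sts:AssumeRole."""
    trusted = set()
    for st in _allow_assume_statements(trust_policy):
        principal = st.get("Principal", {})   # may be the bare string "*"
        trusted.update(_as_list(principal if isinstance(principal, str)
                                else principal.get("AWS", [])))
    return trusted

def check_cross_account(caller_role, target_role, permission_policy, trust_policy):
    """Return problems found; an empty list means both halves of the handshake agree."""
    problems = []
    if target_role not in permission_targets(permission_policy):
        problems.append(f"caller policy does not allow sts:AssumeRole on {target_role}")
    trusted = trusted_principals(trust_policy)
    account_root = f"arn:aws:iam::{caller_role.split(':')[4]}:root"  # whole-account trust
    if not {caller_role, account_root} & trusted:
        problems.append(f"trust policy on {target_role} does not name {caller_role}")
    if "*" in trusted:
        problems.append("trust policy lets any AWS principal assume the role")
    return problems
```

A trust policy that names only the account root (`arn:aws:iam::<dev-account>:root`) is accepted as well, since IAM then delegates the decision to the dev account's own permission policies.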