AWS Cloudwatch datasource with an assumed IAM role

jangaraj · December 17, 2021, 9:24am

Grafana runs in AWS account A and you want to see CloudWatch data from AWS account B.

Run this CloudFormation template (replace <aws-account-A-id> with your AWS account A id) in AWS account B:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS CloudFormation to create role for Grafana",
    "Resources": {
        "GrafanaRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "grafana-cloudwatch-role",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "arn:aws:sts::<aws-account-A-id>:root"
                        },
                        "Action": ["sts:AssumeRole"]
                    }]
                },
                "Policies": [{
                    "PolicyName": "GrafanaRole",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                                "Sid": "AllowReadingMetricsFromCloudWatch",
                                "Effect": "Allow",
                                "Action": [
                                    "cloudwatch:DescribeAlarmsForMetric",
                                    "cloudwatch:DescribeAlarmHistory",
                                    "cloudwatch:DescribeAlarms",
                                    "cloudwatch:ListMetrics",
                                    "cloudwatch:GetMetricStatistics",
                                    "cloudwatch:GetMetricData"
                                ],
                                "Resource": "*"
                            },
                            {
                                "Sid": "AllowReadingLogsFromCloudWatch",
                                "Effect": "Allow",
                                "Action": [
                                    "logs:DescribeLogGroups",
                                    "logs:GetLogGroupFields",
                                    "logs:StartQuery",
                                    "logs:StopQuery",
                                    "logs:GetQueryResults",
                                    "logs:GetLogEvents"
                                ],
                                "Resource": "*"
                            },
                           {
                                "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
                                "Effect": "Allow",
                                "Action": [
                                    "ec2:DescribeTags",
                                    "ec2:DescribeInstances",
                                    "ec2:DescribeRegions"
                                ],
                                "Resource": "*"
                            },
                            {
                                "Sid": "AllowReadingResourcesForTags",
                                "Effect": "Allow",
                                "Action": "tag:GetResources",
                                "Resource": "*"
                            }
                        ]
                    }
                }]
            }
        }
    }
}

Required minimal policy is documented in AWS CloudWatch | Grafana Labs

This is just example CF template and you as admin of AWS account A should be able to know what you can accept, e.g. do you really want to allow arn:aws:sts::<aws-account-A-id>:root = all resources from AWS account A to assume that role? Maybe you will want to use also External ID to prevent the confused deputy problem.

This is advance AWS IAM topic, so it really not a good case to have it in the Grafana doc. AWS Amazon Managed Grafana is provided by AWS, so it is more rational, that you can find more details about advance IAM topics directly in the vendor (AWS) doc.