AWS Cloudwatch using ARN in Grafana inside Kubernetes with uswitch/kiam

Hello there, I deployed Grafana inside our k8s cluster as a StatefulSet,
and here I need to add the CloudWatch plugin using ARN as the auth provider, using https://github.com/uswitch/kiam so all our services can communicate with AWS IAM.

I already did a deep dive into the Grafana AWS CloudWatch official docs and https://github.com/uswitch/kiam/blob/master/docs/IAM.md,
and searched the Grafana community here,
but no luck.

I already attached this Trust Relationship to my Grafana role too:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/kiam-server"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Can anyone help me accomplish this?

Noticeable logs:
in kiam-server:

{"credentials.access.key":"XXXXXXXXXXXXXXX","credentials.expiration":"2019-12-16T06:24:19Z","credentials.role":"arn:aws:iam::XXXXXXXXXXXXXXX:role/grafana-dev-iam-role","generation.metadata":0,"level":"info","msg":"fetched credentials","pod.iam.role":"arn:aws:iam::XXXXXXXXXXXXXXX:role/grafana-dev-iam-role","pod.name":"grafana-0","pod.namespace":"istio-system","pod.status.ip":"","pod.status.phase":"Pending","resource.version":"45664633","time":"2019-12-16T06:06:05Z"}

in the Grafana pod:

t=2019-12-16T06:15:47+0000 lvl=eror msg="Metric request error" logger=context userId=1 orgId=1 uname=admin error="Failed to call ec2:getAwsConfig, AccessDenied: User: arn:aws:sts::XXXXXXXXXXXXXXX:assumed-role/grafana-dev-iam-role/kiam-kiam is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXXXXXX:role/grafana-dev-iam-role\n\tstatus code: 403, request id: 7ff33a3a-1fcb-11ea-b0f2-d3fa2c1d9a6b"

#aws #kiam

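The AccessDenied message in the question shows the caller as a session of grafana-dev-iam-role itself (the credentials kiam already handed to the pod), not of kiam-server, so a second sts:AssumeRole onto that same role is only permitted if the role's trust policy also names the role itself as a principal (and the role's own policy allows sts:AssumeRole). The checker below is an added example, not code from the thread or from Grafana or kiam; it assumes the masked account id in the logs is the same placeholder 123456789012 used in the posted trust policy, and it only does exact ARN matching (no account-root or wildcard principals).

```python
import json
import re

# Trust policy exactly as posted in the question.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "", "Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Sid": "", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/kiam-server"},
     "Action": "sts:AssumeRole"}
  ]
}""")

# Constructed from the Grafana error line, with the masked account id
# replaced by the placeholder used in the trust policy above (assumption).
CALLER_ARN = "arn:aws:sts::123456789012:assumed-role/grafana-dev-iam-role/kiam-kiam"

ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def caller_role_arn(arn):
    """Map an STS assumed-role session ARN to the IAM role ARN that a trust
    policy's Principal element is matched against; other ARNs pass through."""
    m = ASSUMED_ROLE.match(arn)
    if not m:
        return arn
    account, role = m.groups()
    return f"arn:aws:iam::{account}:role/{role}"


def aws_principals(policy):
    """Collect the AWS (non-service) principals allowed to call sts:AssumeRole."""
    found = set()
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        aws = st.get("Principal", {}).get("AWS", [])
        found.update([aws] if isinstance(aws, str) else aws)
    return found


def trusts_caller(policy, caller_arn):
    """True if the trust policy lets caller_arn (as logged by STS) assume the role."""
    return caller_role_arn(caller_arn) in aws_principals(policy)
```

Running `trusts_caller(TRUST_POLICY, CALLER_ARN)` on the posted policy returns False, because the policy trusts kiam-server but not grafana-dev-iam-role itself, which is exactly the principal the 403 was issued for.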

It is not clear how you configured all the roles and why you need all of them: role/grafana-justice-dev-iam-role, role/grafana-dev-iam-role.

Had the same issue and I'm still investigating; maybe it is related to this open issue - https://github.com/grafana/grafana/issues/20473

However, I have found a strange fix - you need to change the credentials type from "arn" to "credentials" (Credentials file), leaving the path to the file empty (default).
After that change everything works as expected.

Hope that helps,
Roman

Wow, thank you so much for the hint! I will propose that this be added to the Grafana docs.

Hi! Actually this fix is not required anymore; the linked GitHub issue is solved and everything works as expected with assumeRoleArn and authtype: arn in Grafana 7.1.1+.