Can't Assume Role in Another Account

mortiz2 · August 29, 2023, 3:53pm

Hello,

I am using AWS Managed Grafana (A), and I am trying to access CloudWatch logs in another account (B). In account B, I created a role with permissions to CloudWatch and I am using the following trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::ACCOUNT_A_ID:root"
            },
            "Action": [
                "sts:AssumeRole"
            ]
        }
    ]
}

Yet, when I test the connection, it I get the following errors:

is not authorized to perform: sts:AssumeRole on resource

Has anyone had this issue before?

jangaraj · August 29, 2023, 3:57pm

I made CF for cross account access:

mortiz2 · August 29, 2023, 4:29pm

Thank you! I was following with this as well, but I still get the same error even when I installed the CFT.

jangaraj · August 29, 2023, 5:49pm

You need to allow to assume that role. For example if you are using ec2, then instance priofile must allow to assume role.

mortiz2 · August 29, 2023, 8:45pm

Thank you! Yes that was the issue. I need to allow the role on the grafana instance to assume the cross-account role.

Thanks!

Topic		Replies	Views
AWS Cloudwatch datasource with an assumed IAM role Cloudwatch cloudwatch , aws	5	7374	September 5, 2022
Enable cross-AWS-account-Cloudwatch-access for Grafana running in ECS (Fargate) utilizing only roles, but no user account on the target Cloudwatch	4	2259	May 25, 2023
Setup cloud watch integration with Grafana Cloudwatch	1	415	October 20, 2022
CloudWatch Integration Configuration	1	536	November 30, 2021
Cloudwatch integration data source Configuration cloudwatch , plugins	2	505	July 26, 2022

Can't Assume Role in Another Account

Related topics