Can't Assume Role in Another Account


I am using AWS Managed Grafana (A), and I am trying to access CloudWatch logs in another account (B). In account B, I created a role with permissions to CloudWatch and I am using the following trust policy:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::ACCOUNT_A_ID:root"
            "Action": [

Yet, when I test the connection, I get the following error:

is not authorized to perform: sts:AssumeRole on resource

Has anyone had this issue before?

I made CF for cross account access:

Thank you! I was following this as well, but I still get the same error even when I installed the CFT.

You need to allow it to assume that role. For example, if you are using EC2, then the instance profile must allow it to assume the role.

Thank you! Yes, that was the issue. I needed to allow the role on the Grafana instance to assume the cross-account role.
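The fix described in this thread, as an added example that is not part of the original posts: a cross-account `sts:AssumeRole` needs an Allow in the target role's trust policy (account B) and in the calling role's own identity policy (account A). The account IDs, role names and policies below are constructed placeholders, and the checker is a simplified model that ignores Deny statements, Condition blocks, SCPs and permission boundaries.

```python
import fnmatch

# Constructed sample values: account IDs and role names are placeholders.
CALLER = "arn:aws:iam::111111111111:role/grafana-workspace-role"   # account A
TARGET = "arn:aws:iam::222222222222:role/cloudwatch-read-role"     # account B
TRUST_B = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"}]}
IDENTITY_A_BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "logs:Describe*", "Resource": "*"}]}
IDENTITY_A_AFTER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(stmt, action, resource=None):
    """True if an Allow statement covers the action (and resource, if given)."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    resources = _as_list(stmt.get("Resource", []))
    return resource is None or any(fnmatch.fnmatchcase(resource, r) for r in resources)

def trust_side_ok(trust_policy, caller_arn):
    """Account B: does the trust policy name the caller or the caller's account?"""
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, f"arn:aws:iam::{account}:root", account}
    for stmt in _as_list(trust_policy["Statement"]):
        # Assumes Principal is a mapping with an "AWS" key, as in this thread.
        principals = set(_as_list(stmt.get("Principal", {}).get("AWS", [])))
        if _allows(stmt, "sts:AssumeRole") and principals & accepted:
            return True
    return False

def identity_side_ok(identity_policy, target_arn):
    """Account A: does the caller's own policy allow sts:AssumeRole on the target?"""
    return any(_allows(s, "sts:AssumeRole", target_arn)
               for s in _as_list(identity_policy["Statement"]))

def diagnose(trust_policy, identity_policy, caller_arn, target_arn):
    """Cross-account AssumeRole needs an Allow on both sides."""
    key = (trust_side_ok(trust_policy, caller_arn),
           identity_side_ok(identity_policy, target_arn))
    return {(True, True): "ok",
            (True, False): "caller role lacks sts:AssumeRole on target",
            (False, True): "target trust policy does not trust caller",
            (False, False): "both sides missing"}[key]
```

With `IDENTITY_A_BEFORE` the trust policy is satisfied but the call is still refused, which matches the situation in the thread; `IDENTITY_A_AFTER` scopes the grant to the single target role rather than `*`.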