I need the ability to restrict the metrics and specific insights queries that my users can execute against an AWS Account.
I cannot use the security features of Grafana regarding dashboard configuration, as the API for Grafana allows the user to submit any query for a datasource they have access to, i.e. it is not restricted to those metric queries / insights queries configured by the administrator when setting up the dashboard.
So to get around this, I want to have an AWS HTTP Gateway that is protected by IAM. The user configured in IAM only has API execute rights on my gateway, i.e. no rights to query CloudWatch directly, and the Lambda behind the gateway will inspect the request and only forward on to CloudWatch / Insights if it matches allowed values.
However, when I attempt to configure a CloudWatch datasource in Grafana, it generates the AWS signature v4 with the incorrect context.
It is sending the following authorization header:
AWS4-HMAC-SHA256 Credential=AKIA2VRBQA32STVA5AVQ/20210331/ap-southeast-2/monitoring/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=51c119a7146bb99b05909d6b21d3fe21336c85bbb03b9dc77d7033e8fa9c34ec
But it needs to be:
AWS4-HMAC-SHA256 Credential=AKIA2VRBQA32STVA5AVQ/20210331/ap-southeast-2/execute-api/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=51c119a7146bb99b05909d6b21d3fe21336c85bbb03b9dc77d7033e8fa9c34ec
Is this something that could be made configurable in Grafana?
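An added example, not part of the original post and not Grafana's code: it parses the header quoted above and signs one request under both service scopes, showing that in SigV4 the service name feeds the signing-key derivation and the string to sign, so a request scoped to `monitoring` cannot validate at a gateway expecting `execute-api`. The secret key, timestamp and canonical request are constructed placeholders.

```python
import hashlib
import hmac
import re

# Authorization header quoted in the post, as sent by the CloudWatch datasource.
SENT = ("AWS4-HMAC-SHA256 Credential=AKIA2VRBQA32STVA5AVQ/20210331/ap-southeast-2/"
        "monitoring/aws4_request, "
        "SignedHeaders=content-length;content-type;host;x-amz-date, "
        "Signature=51c119a7146bb99b05909d6b21d3fe21336c85bbb03b9dc77d7033e8fa9c34ec")

AUTH_RE = re.compile(
    r"^AWS4-HMAC-SHA256\s+Credential=(?P<access_key>[^/]+)/(?P<date>\d{8})/"
    r"(?P<region>[^/]+)/(?P<service>[^/]+)/aws4_request,\s*"
    r"SignedHeaders=(?P<signed_headers>[^,\s]+),\s*Signature=(?P<signature>[0-9a-f]{64})$")

def parse_authorization(header):
    """Split a SigV4 Authorization header into its credential-scope fields."""
    m = AUTH_RE.match(header.strip())
    if m is None:
        raise ValueError("not a SigV4 Authorization header")
    return m.groupdict()

def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret, date, region, service):
    """SigV4 key derivation: the service name is one of the HMAC inputs."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_service = _hmac(_hmac(k_date, region), service)
    return _hmac(k_service, "aws4_request")

def signature(secret, amz_date, region, service, canonical_request):
    """Sign one canonical request for the given service scope."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    hashed = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashed])
    return _hmac(signing_key(secret, date, region, service), to_sign).hex()

def compare_services(secret, canonical_request, amz_date="20210331T000000Z"):
    """Sign the same request under the scope Grafana used and the one the gateway expects.
    The default amz_date time-of-day is constructed; only the date comes from the header."""
    f = parse_authorization(SENT)
    return {svc: signature(secret, amz_date, f["region"], svc, canonical_request)
            for svc in (f["service"], "execute-api")}

if __name__ == "__main__":
    # Constructed secret and canonical request, for illustration only.
    for svc, sig in compare_services("constructed-secret-key", "POST\n/\n...").items():
        print(f"{svc:12} {sig}")
```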