Hi,
I have a Grafana Cloud account (free version), and I’m trying to get AWS CloudWatch connected to this Grafana account.
I’m trying to use the CloudWatch data source and create an assume role in my AWS account, but I’m getting an error. Below are the details.
Below is my AWS account role policy:
```json
{
  "Version": "2012-10-17",
  "Id": "groundcover-cloudwatch-integration",
  "Statement": [
    {
      "Sid": "AllowReadingMetricsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetInsightRuleReport",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmHistory"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingLogsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "logs:StopQuery",
        "logs:StartQuery",
        "logs:GetQueryResults",
        "logs:GetLogGroupFields",
        "logs:GetLogEvents",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ec2:DescribeRegions",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}
```
Below is the trust relationship of the role (the account ID of the Grafana-hosted account and the external ID are given):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXX:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "XXXXX"
        }
      }
    }
  ]
}
```
Then I fill out the CloudWatch data source as below in Grafana (filling only the marked fields):
Also, I only have the below option in the drop-down:
When I save this, I get the below error:
I’m not sure what I’m doing wrong here. I get the same error even if I give administrator access to this role.
Your help will be appreciated.
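Added example, not part of the original post: a trust policy of the shape shown above permits `sts:AssumeRole` only when the calling account and the external ID both match exactly, so an offline check of those two values can narrow down a failing setup. The account ID, external ID and the function `check_assume_role` are constructed placeholders, and the evaluation is simplified to the `Principal.AWS` and `StringEquals` shapes used in this post.

```python
import json

# Constructed sample with the same shape as the trust policy in the post;
# the account ID and external ID are placeholders, not real values.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_account(principal):
    # Accept "arn:aws:iam::<account>:root" or a bare numeric account ID.
    if principal.startswith("arn:aws:iam::") and principal.endswith(":root"):
        return principal.split(":")[4]
    return principal if principal.isdigit() else None

def check_assume_role(policy, caller_account, external_id):
    """Return (allowed, reason) for one sts:AssumeRole attempt.

    Simplified: only Allow statements, account-level AWS principals and a
    StringEquals condition on sts:ExternalId are evaluated.
    """
    reasons = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if caller_account not in {_principal_account(p) for p in aws}:
            reasons.append("caller account is not a trusted principal")
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is None:
            return True, "allowed, but no sts:ExternalId condition (confused-deputy risk)"
        if external_id not in _as_list(expected):  # StringEquals is case-sensitive
            reasons.append("external ID does not match sts:ExternalId")
            continue
        return True, "allowed"
    return False, "; ".join(reasons) or "no Allow statement for sts:AssumeRole"
```

The external ID passed in should be the exact string entered in the data source settings, including case and any surrounding whitespace.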