How to connect AWS ElasticSearch VPC datasource with Grafana

I have an AWS ElasticSearch Service Domain running in a VPC that I’m trying to connect to from Grafana which is running as an ECS Task in an ECS Cluster within the same VPC. I’ve given the ECS Task a Task IAM Role which has the AmazonESFullAccess IAM role attached to it and I’ve set the access policy on my ElasticSearch to

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<TaskRoleArn>"
      },
      "Action": "es:*",
      "Resource": "<AWSElasticSearchDomainARN>/*"
    }
  ]
}

When I try to add the ElasticSearch endpoint as a data source in Grafana I receive a 403 error and the response says

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}

which leads me to believe Grafana isn’t assuming the IAM Role when making the request for some reason.

Is there some way to make Grafana assume an IAM Role when communicating with an AWS ElasticSearch Service Domain, or another way to connect it as a datasource?

Workaround: AWS API GW -> AWS Lambda function which will proxy requests to AWS ES. You might need to implement authentication, e.g. Basic Auth, which is supported in Grafana and can be implemented as an additional AWS Authorizer Lambda function.

You might want to play with API Gateway Private Endpoints, if you won’t expose your ES to the internet.