
Assuming a role to give Grafana access from one AWS account to another

Let’s gather initial information to understand what we have.

Account A: 111111111111, with Grafana installed on an EC2 instance that has the role “arn:aws:iam::111111111111:role/aws-ecsInstanceAccess-role” attached to it. This role has the default permissions for CloudWatch.

Account B: 2222222222 – the account from which we would like to get CloudWatch information.

By default, we have access to CloudWatch in the account where Grafana is installed, but to get access to another account we must configure role assumption for Grafana.

Steps:

  1. Go to account 2222222222 and create the role arn:aws:iam::2222222222:role/grafana-monitoring-role.
  2. Modify its trust relationship to grant access to account 111111111111.
  3. This role should have two policies:
    1. The default Grafana policy
    2. The assume policy

Default Grafana policy – this policy allows Grafana to read metrics from CloudWatch and to describe EC2 tags, instances and regions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadingMetricsFromCloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeTags",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}

and the Assume policy – this allows the role to be assumed

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::2222222222:role/grafana-monitoring-role"
        }
    ]
}

Trust relationship policy for the role “grafana-monitoring-role” – the trust relationship allows the role in account 111111111111 to use this role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:role/aws-ecsInstanceAccess-role"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

OK, so for now you have prepared the configuration in account 2222222222. Let’s switch to account 111111111111.

Open the role “arn:aws:iam::111111111111:role/aws-ecsInstanceAccess-role” and add this policy to it:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
            "arn:aws:iam::2222222222:role/grafana-monitoring-role"
        ]
    }
}
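Before wiring this into Grafana it is worth checking the three documents above offline: the trust policy must name only the Grafana instance role (not “*” or the account root), the caller-side policy must grant sts:AssumeRole on exactly the target role ARN, and the permissions policy must contain the read actions Grafana needs and nothing beyond read-only. The script below is an added example written for this post, not code from the post or from Grafana; it uses only the standard library, and the read-only prefix list is an assumption of the example.

```python
import json
# Identifiers from the post
GRAFANA_ROLE_ARN = "arn:aws:iam::111111111111:role/aws-ecsInstanceAccess-role"
TARGET_ROLE_ARN = "arn:aws:iam::2222222222:role/grafana-monitoring-role"
REQUIRED_READ_ACTIONS = {"cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricData"}
# Assumption: only these prefixes count as read-only for the Grafana permissions policy
READ_ONLY_PREFIXES = ("cloudwatch:Get", "cloudwatch:List", "cloudwatch:Describe", "ec2:Describe")

def _statements(policy):
    """IAM accepts a single statement object or a list; normalise to a list."""
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]

def _as_list(value):
    """Action, Resource and Principal.AWS may each be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trust_policy_ok(trust_policy, principal_arn=GRAFANA_ROLE_ARN):
    """Target side: only the Grafana instance role may assume the role (no '*', no account root)."""
    principals = set()
    for st in _statements(trust_policy):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            p = st.get("Principal")
            principals.update(_as_list(p.get("AWS")) if isinstance(p, dict) else [p])
    return principals == {principal_arn}

def assume_policy_ok(policy, target_arn=TARGET_ROLE_ARN):
    """Caller side: sts:AssumeRole is granted on exactly the target role ARN, not on '*'."""
    resources = set()
    for st in _statements(policy):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            resources.update(_as_list(st.get("Resource")))
    return resources == {target_arn}

def permissions_policy_ok(policy):
    """Target side: the actions Grafana needs are present and nothing beyond read-only is allowed."""
    allowed = set()
    for st in _statements(policy):
        if st.get("Effect") == "Allow":
            allowed.update(_as_list(st.get("Action")))
    return REQUIRED_READ_ACTIONS <= allowed and all(a.startswith(READ_ONLY_PREFIXES) for a in allowed)

def check_all(trust_json, assume_json, permissions_json):
    """Parse the three documents from JSON text and report each check."""
    return {"trust": trust_policy_ok(json.loads(trust_json)),
            "assume": assume_policy_ok(json.loads(assume_json)),
            "permissions": permissions_policy_ok(json.loads(permissions_json))}
```

Once all three checks pass, the target role ARN is the value that goes into the Assume Role ARN field of the CloudWatch data source in Grafana.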

Now go to Grafana and open the data source tab.
(Screenshot: Grafana Data Source)

After that, you can verify your configuration by creating a dashboard in Grafana for account 2222222222.
Thanks