Looking at the error, it appears that the role "AmazonGrafanaOrgAdminRole" is failing to AssumeRole to "AmazonGrafanaOrgMemberRole".
What is the trust policy for "AmazonGrafanaOrgMemberRole"?
Also, is it ok if I don't configure the "AmazonGrafanaOrgAdminRole" resource section?
Perhaps you need to set up an ARN for "AmazonGrafanaOrgMemberRole".
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
Perhaps the following policy is what you need to set in your trust policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GiveManagementAccountAccessToRoleForGrafana",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Hi,
I think that your IAM definition for Principal arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole is incomplete. In addition to "Action": "sts:AssumeRole", you should add Resource with the ARN of your member role.
Update: this is how you should update the admin role policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GiveManagementAccountAccessToRoleForGrafana",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
      },
      "Action": "sts:AssumeRole",
      "Resource": "<the full ARN of the member role including the account id>"
    }
  ]
}
To see another example, go to https://nelson.cloud/aws-iam-allowing-a-role-to-assume-another-role/
Also, I'd strongly suggest you follow this blog post precisely to set up the policies properly: https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/
Best, Didier
Hi, can you give an example? Not sure I understand your comment.
See the update of my answer, also with the link to the external article.
Hi, resolved.
Thanks for the link: https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/
My cross-account policy was at org level (as I copied it from our root account's Grafana that I'm replacing). Removing that and creating an IAM policy of:
policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole"
    }
  ]
}
EOF
where all the other accounts had the role, worked!
Thanks for the help!
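The fix in this thread has two halves that both have to line up: the admin role's permissions policy must grant sts:AssumeRole on the member role ARN (the Resource the answers above mention), and the member role's trust policy must name the admin role as a principal. The following is an added example, not code from this thread or from AWS: a small offline evaluator that checks both halves against a pair of policy documents. The ARNs and account ids are constructed placeholders, and Condition blocks are ignored.

```python
import fnmatch

# Constructed sample policies modelled on the thread; the account ids are placeholders.
ADMIN_ROLE_ARN = "arn:aws:iam::111111111111:role/AmazonGrafanaOrgAdminRole"
MEMBER_ROLE_ARN = "arn:aws:iam::222222222222:role/AmazonGrafanaOrgMemberRole"
ADMIN_PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole"}]}
MEMBER_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ADMIN_ROLE_ARN},
     "Action": "sts:AssumeRole"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _statement_hits(st, action, resource=None, principal_arn=None):
    """True if the statement's Action (and Resource / Principal, when asked) covers the request."""
    # IAM wildcards: '*' matches any run, '?' one character; ARN matching is case-sensitive.
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
        return False
    if resource is not None and not any(
            fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
        return False
    if principal_arn is not None:
        p = st.get("Principal", {})
        aws = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        acct = principal_arn.split(":")[4]
        # A trust policy names the caller's role ARN, its whole account (bare id or :root), or "*".
        accepted = {"*", principal_arn, acct, f"arn:aws:iam::{acct}:root"}
        if not any(a in accepted for a in aws):
            return False
    return True

def _allowed(policy, **request):
    """Explicit Deny beats Allow; no matching Allow is an implicit deny. Condition blocks are ignored."""
    effects = {st["Effect"] for st in policy["Statement"] if _statement_hits(st, **request)}
    return "Allow" in effects and "Deny" not in effects

def check_cross_account(admin_policy, member_trust, admin_arn, member_arn):
    """Both halves of the handshake must pass; returns the problems found (empty = AssumeRole should work)."""
    problems = []
    if not _allowed(admin_policy, action="sts:AssumeRole", resource=member_arn):
        problems.append(f"admin role lacks sts:AssumeRole on {member_arn}")
    if not _allowed(member_trust, action="sts:AssumeRole", principal_arn=admin_arn):
        problems.append(f"member trust policy does not trust {admin_arn}")
    return problems
```

Running check_cross_account on the two constructed documents returns an empty list; dropping the Resource from the admin policy, or pointing the member trust policy at a role in another account, reports the missing half.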
Hi, not sure I understand; that is in the trusted relationships of the AmazonGrafanaOrgMemberRole.
Thanks for the reply. What are the policies set for "AmazonGrafanaOrgMemberRole"? Are you sure that the following policy you shared is what is set in the trust policy?