By using AWS re:Post, you agree to the AWS re:Post Terms of Use

AWS Grafana Cross account via user managed IAM

0

Hi,

Im trying to set up cross account aws grafana account data sources. but any attempt to get something from a different account is failing.

My admin role used by grafana is:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "grafana.amazonaws.com",
				"AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

and my account Member role has:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

When creating the cloudwatch data source in aws grafana i am:

admin -> Data sources - New

Auth Provider: Workspace IAM Role Assume Role ARN: arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole Default Region: eu-west-2

I get the error below when trying to create a cloudwatch data sources in grafana:

1. CloudWatch metrics query failed: AccessDenied: User: arn:aws:sts::xxxxx:assumed-role/AmazonGrafanaOrgAdminRole/AWSGrafana_ASSUME_ROLE_SESSION-1690202706828 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole status code: 403, request id: 222a6d6c-bc28-4153-b5c8-ca73c6aea5c1 2. CloudWatch logs query failed: AccessDenied: User: arn:aws:sts::089449186373:assumed-role/AmazonGrafanaOrgAdminRole/AWSGrafana_ASSUME_ROLE_SESSION-1690202706828 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::527311303844:role/AmazonGrafanaOrgMemberRole status code: 403, request id: b67af398-6c56-43f1-af27-920af7ef54b3

Any ideas what im doing wrong?

3 Answers
1

Looking at the error, it appears that the role "AmazonGrafanaOrgAdminRole" is failing to AssumeRole to "AmazonGrafanaOrgMemberRole".
What is the trust policy for "AmazonGrafanaOrgMemberRole"?
Also, is it ok if I don't configure the "AmazonGrafanaOrgAdminRole" resource section?
Perhaps you need to set up an ARN for "AmazonGrafanaOrgMemberRole".
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Perhaps the following policy is what you need to set in your trust policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
profile picture
EXPERT
answered a year ago
  • Hi, not sure i understand, that is in the trusted relationships of the AmazonGrafanaOrgMemberRole

  • Thanks for the reply. What are the policies set for "AmazonGrafanaOrgMemberRole"? Are you sure that the following policy you shared is what is set in the trust policy?

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GiveManagementAccountAccessToRoleForGrafana",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
0
Accepted Answer

Hi,

I think that you IAM definition for Principal arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole is incomplete. In addition to "Action": "sts:AssumeRole", you should add Resource with the ARN of your member role.

Update: that's how you should update the admin Role policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole"
            "Resource: "<the full ARN of the member role including the account id>"
        }
    ]
}

To see another example, go to https://nelson.cloud/aws-iam-allowing-a-role-to-assume-another-role/

Also, I'd strongly suggest you to follow precisely this blog post to set up policies properly: https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/

Best, Didier

profile pictureAWS
EXPERT
answered a year ago
  • Hi can you give an example not sure i understand you comment?

  • See the update of my answer also with the link to external article

0

Hi resolved.

Thanks for the link :https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/

My policy for cross account that i was using org level (as i copied it from our root accounts grafana that im replacing). removing that and creating an iam policy of :

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [

        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole"
        }
    ]
}
EOF

Where all the other accounts had the role worked!

Thanks for the help!

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions