AWS Managed Grafana workspace cannot be configured with Athena workgroup

0

Dear members of the AWS community,

I have been facing an issue for the past couple of days trying to set up an AWS Managed Grafana workspace with an Athena workgroup.

The underlying reason why I want to do this is to visualize the cost of my AWS infrastructure in Grafana. For that, I have been following this comprehensive guide https://aws.amazon.com/blogs/mt/visualize-and-gain-insights-into-your-aws-cost-and-usage-with-amazon-managed-grafana/.

I believe the problem I’m encountering is permissions. The reason is that when I try to configure a new connection to an Athena workgroup, I can see no workgroups available in any region.

However, I checked the IAM service role from Grafana, and it does have this managed AWS policy, AmazonGrafanaAthenaAccess, which has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:GetDatabase",
                "athena:GetDataCatalog",
                "athena:GetTableMetadata",
                "athena:ListDatabases",
                "athena:ListDataCatalogs",
                "athena:ListTableMetadata",
                "athena:ListWorkGroups"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetWorkGroup",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "Null": {
                    "aws:ResourceTag/GrafanaDataSource": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetTable",
                "glue:GetTables",
                "glue:GetPartition",
                "glue:GetPartitions",
                "glue:BatchGetPartition"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:PutBucketPublicAccessBlock"
            ],
            "Resource": [
                "arn:aws:s3:::grafana-athena-query-results-*"
            ]
        }
    ]
}

Would appreciate it if someone could shed some light on this issue.

Best

Ed
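
Added example, not part of the original post and not AWS code: a simplified Python evaluator for the two Athena statements of the policy quoted above. It shows that athena:ListWorkGroups is granted unconditionally, while the query actions are granted only on a workgroup that carries a GrafanaDataSource tag, because the Null condition tests for the tag's presence, not its value. The workgroup ARN, account ID and tag values are constructed placeholders.

```python
import fnmatch
import json

# Constructed excerpt: the two Athena statements from the policy quoted above.
POLICY = json.loads("""
{"Statement": [
  {"Effect": "Allow",
   "Action": ["athena:ListDataCatalogs", "athena:ListWorkGroups"],
   "Resource": ["*"]},
  {"Effect": "Allow",
   "Action": ["athena:GetWorkGroup", "athena:StartQueryExecution"],
   "Resource": ["*"],
   "Condition": {"Null": {"aws:ResourceTag/GrafanaDataSource": "false"}}}
]}
""")


def null_condition_holds(block, context):
    """IAM "Null" operator: "true" requires the key to be absent,
    "false" requires it to be present with a value."""
    for key, expected in block.items():
        absent = context.get(key) is None
        if absent != (str(expected).lower() == "true"):
            return False
    return True


def is_allowed(policy, action, resource, resource_tags=None):
    """Simplified check: Allow statements, wildcards and Null conditions only.
    Explicit Deny, SCPs and permission boundaries are out of scope."""
    context = {f"aws:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        # IAM action names are matched case-insensitively.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {})
        if any(op != "Null" for op in conditions):
            continue  # operator this sketch does not model: do not grant
        if null_condition_holds(conditions.get("Null", {}), context):
            return True
    return False  # implicit deny


# Hypothetical workgroup ARN (account ID and name are placeholders).
WORKGROUP = "arn:aws:athena:us-east-1:111122223333:workgroup/cur-workgroup"
```

For example, is_allowed(POLICY, "athena:GetWorkGroup", WORKGROUP) is False, and becomes True once resource_tags includes a GrafanaDataSource key.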

2 Answers
0
  1. Check the Athena Workgroup and Region:

Ensure that the Athena workgroup exists in the region you are working with and that you are accessing the correct region from Grafana.

  2. Verify the IAM Role:

Double-check that the IAM role associated with your Grafana workspace has the AmazonGrafanaAthenaAccess policy attached. Ensure that no deny policies or Service Control Policies (SCPs) are affecting this role’s permissions.

  3. Check S3 Permissions:

Ensure the S3 bucket permissions (grafana-athena-query-results-*) are properly configured. This bucket is where Athena stores query results, and Grafana needs access to it to retrieve the data.

  4. Test with AWS CLI:

Use the AWS CLI with the same IAM role (assume the role if necessary) to list the Athena workgroups:

    aws athena list-work-groups --region <your-region>

This will help you verify if the IAM role has the necessary permissions to list the workgroups.

  5. Create a New Policy with Explicit Permissions:

If the managed policy is not working as expected, try creating a custom policy that explicitly allows access to the specific Athena workgroup and resources you are trying to use.

  6. Region-Specific Issues:

Ensure that the Athena workgroup and the Grafana workspace are both in the same region, or that you are selecting the correct region when setting up the data source in Grafana.

Deeksha (AWS, EXPERT), answered a month ago
  • Hi Deekshitha, thank you very much for answering.

    I tried creating everything in the same region, just as you have indicated, but still the error persists. This is what I'm getting at the moment.

    There were some errors while fetching your AWS information. Take a look carefully, please. UnrecognizedClientException: The security token included in the request is invalid. status code: 400, request id: be8a8dc0-8d72-4f5e-a43b-8316205144a0

    I would like to test with AWS CLI, to assume the role and see if I can see any workgroups. But I'm not entirely sure how to do it. If you could shed some light, that would be amazing.

    Thank you so much.
    Best,
    Ed

0

The issue with AWS Managed Grafana not showing Athena workgroups could be due to region mismatches, incorrect IAM role permissions, or misconfiguration in Grafana.

Ensure that Athena workgroups and Grafana are in the same region, verify that the IAM role has the right permissions, and double-check Grafana's settings.

Also, review any service limits.

EXPERT, answered 23 days ago
