
Integrate CloudWatch Grafana Datasource

To set up the CloudWatch datasource in Grafana, you need to configure the necessary credentials and permissions. This involves creating an IAM role in AWS with appropriate permissions to access CloudWatch metrics and data.

Setting up an IAM role

To set up an IAM role that can be assumed cross-account for accessing CloudWatch data in Grafana, follow these steps:

  1. Create an IAM Role in the target account: In the target account, navigate to the IAM service and create a new IAM role.

  2. Define the trust relationship: When creating the IAM role, define the trust relationship policy document to include the groundcover account as the trusted entity, along with the external ID.

    Here's an example trust policy document. NOTE: Replace YOUR_EXTERNAL_ID with a unique, secret external ID of your choosing. The integration uses it to identify your account.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Principal": {
            "AWS": "271490644974"
          },
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "YOUR_EXTERNAL_ID"
            }
          }
        }
      ]
    }

  3. Attach an inline policy: While creating the IAM role, add an inline policy with the necessary permissions for accessing CloudWatch metrics, logs, and EC2 resources. Here's an example policy document:

    {
      "Version": "2012-10-17",
      "Id": "groundcover-cloudwatch-integration",
      "Statement": [
        {
          "Sid": "AllowReadingMetricsFromCloudWatch",
          "Effect": "Allow",
          "Action": [
            "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricData",
            "cloudwatch:GetInsightRuleReport",
            "cloudwatch:DescribeAlarmsForMetric",
            "cloudwatch:DescribeAlarms",
            "cloudwatch:DescribeAlarmHistory"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowReadingLogsFromCloudWatch",
          "Effect": "Allow",
          "Action": [
            "logs:StopQuery",
            "logs:StartQuery",
            "logs:GetQueryResults",
            "logs:GetLogGroupFields",
            "logs:GetLogEvents",
            "logs:DescribeLogGroups"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeTags",
            "ec2:DescribeRegions",
            "ec2:DescribeInstances"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowReadingResourcesForTags",
          "Effect": "Allow",
          "Action": "tag:GetResources",
          "Resource": "*"
        }
      ]
    }
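The trust policy from step 2 can be generated with a random external ID and checked before it is attached to the role. The following is an added example, not groundcover's code: the function names and findings format are assumptions, while the account ID and placeholder are taken from the policy above. The check confirms that only the expected account is trusted and that the `sts:ExternalId` condition is present and no longer the placeholder.

```python
import json
import secrets

GROUNDCOVER_ACCOUNT = "271490644974"  # trusted principal in the page's trust policy
PLACEHOLDER = "YOUR_EXTERNAL_ID"      # placeholder the page tells you to replace

def as_list(value):
    """IAM accepts a single string or a list for Action, Principal and condition values."""
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID from a bare 12-digit principal or an arn:aws:iam::<id>:... ARN."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def build_trust_policy(external_id, account=GROUNDCOVER_ACCOUNT):
    """Trust policy in the page's shape, with the external ID filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": account},
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def audit_trust_policy(policy, account=GROUNDCOVER_ACCOUNT):
    """Return findings for Allow/sts:AssumeRole statements; an empty list means clean."""
    findings = []
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in as_list(aws):
            if p == "*" or account_of(p) != account:
                findings.append(f"statement {n}: unexpected principal {p!r}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in cond.items()}.get("sts:externalid")
        if ext is None:
            findings.append(f"statement {n}: no sts:ExternalId condition")
        elif PLACEHOLDER in as_list(ext):
            findings.append(f"statement {n}: placeholder external ID not replaced")
    return findings

if __name__ == "__main__":
    policy = build_trust_policy(secrets.token_urlsafe(24))  # random 32-character ID
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy) or "trust policy OK")
```
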

Provisioning the datasource

Self-provisioning of data sources is only available as part of the enterprise plan.

The following steps require a user with admin privileges in the platform.

In the Grafana Data sources page, add a new CloudWatch datasource.

  1. Choose a Name for your data source.

  2. Fill in the Assume Role ARN and External ID fields with the IAM role and external ID selected earlier.

  3. Choose a Default Region based on your account's region.

  4. Click Save & Test to create the data source.

Last updated 5 months ago