# Integrate CloudWatch Grafana Datasource

To set up the CloudWatch datasource in Grafana, you need to configure the necessary credentials and permissions. This involves creating an IAM role in AWS with appropriate permissions to access CloudWatch metrics and data.

### Setting up an IAM role

To set up an IAM role that groundcover can assume across accounts to read CloudWatch data in Grafana, follow these steps:

1. **Create an IAM Role in the target account**: In the target account, navigate to the IAM service and create a new IAM role.
2. **Define the trust relationship**: When creating the IAM role, define the trust relationship policy document to include the groundcover account as the trusted entity, along with the external ID.

   Here's an example trust policy document.

   **NOTE:** Choose `YOUR_EXTERNAL_ID` as a unique and secret external ID. This will be used by the integration to identify your account.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "",
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Principal": {
           "AWS": "271490644974"
         },
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": "YOUR_EXTERNAL_ID"
           }
         }
       }
     ]
   }
   ```
3. **Attach an inline policy**: While creating the IAM role, add an inline policy with the necessary permissions for accessing CloudWatch metrics, logs, and EC2 resources.

   Here's an example policy document:

   ```json
   {
     "Version": "2012-10-17",
     "Id": "groundcover-cloudwatch-integration",
     "Statement": [
       {
         "Sid": "AllowReadingMetricsFromCloudWatch",
         "Effect": "Allow",
         "Action": [
           "cloudwatch:ListMetrics",
           "cloudwatch:GetMetricData",
           "cloudwatch:GetInsightRuleReport",
           "cloudwatch:DescribeAlarmsForMetric",
           "cloudwatch:DescribeAlarms",
           "cloudwatch:DescribeAlarmHistory"
         ],
         "Resource": "*"
       },
       {
         "Sid": "AllowReadingLogsFromCloudWatch",
         "Effect": "Allow",
         "Action": [
           "logs:StopQuery",
           "logs:StartQuery",
           "logs:GetQueryResults",
           "logs:GetLogGroupFields",
           "logs:GetLogEvents",
           "logs:DescribeLogGroups"
         ],
         "Resource": "*"
       },
       {
         "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
         "Effect": "Allow",
         "Action": [
           "ec2:DescribeTags",
           "ec2:DescribeRegions",
           "ec2:DescribeInstances"
         ],
         "Resource": "*"
       },
       {
         "Sid": "AllowReadingResourcesForTags",
         "Effect": "Allow",
         "Action": "tag:GetResources",
         "Resource": "*"
       }
     ]
   }
   ```
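
Before creating the role, the trust policy from step 2 can be checked offline to confirm that only the groundcover account is trusted and that `sts:ExternalId` is actually enforced. The script below is an added example, not groundcover's own tooling; `audit_trust_policy`, the `MIN_LEN` threshold and both sample policies are assumptions constructed for illustration.

```python
import copy

PLACEHOLDER = "YOUR_EXTERNAL_ID"  # placeholder from the page's example policy
MIN_LEN = 16  # assumption: local minimum for a "secret" ID, not an AWS limit

def _as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, trusted_account):
    """Return findings for a trust policy; an empty list means it passed."""
    findings = []
    allowed = {trusted_account, f"arn:aws:iam::{trusted_account}:root"}
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        grants = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p not in allowed:
                findings.append(f"statement {i}: unexpected principal {p!r}")
        # Condition key names are case-insensitive in IAM.
        equals = (stmt.get("Condition") or {}).get("StringEquals") or {}
        ids = _as_list({k.lower(): v for k, v in equals.items()}.get("sts:externalid"))
        if not ids:
            findings.append(f"statement {i}: sts:ExternalId is not required")
        for ext in ids:
            if ext == PLACEHOLDER:
                findings.append(f"statement {i}: external ID is still the placeholder")
            elif len(ext) < MIN_LEN:
                findings.append(f"statement {i}: external ID shorter than {MIN_LEN} chars")
    return findings

# Constructed sample: the page's trust policy with a made-up external ID.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "271490644974"},
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-example-7f3a9c1e5b"}}}]}
# Constructed weak variant: wildcard principal and no condition.
WEAK = copy.deepcopy(GOOD)
WEAK["Statement"][0]["Principal"] = {"AWS": "*"}
del WEAK["Statement"][0]["Condition"]

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("weak", WEAK)):
        print(name, audit_trust_policy(doc, "271490644974") or "OK")
```

An empty result means the statement trusts only the expected account and requires a non-placeholder external ID; any finding should be resolved before the role ARN is entered in Grafana.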

### Provisioning the datasource

{% hint style="info" %}
Self-provisioning of data sources is only available as part of the enterprise plan.
{% endhint %}

{% hint style="info" %}
The following steps require a user with admin privileges in the platform.
{% endhint %}

In the Grafana `Data sources` page, add a new `CloudWatch` datasource.

1. Choose a `Name` for your data source.
2. Fill in the `Assume Role ARN` and `External ID` fields with the ARN of the IAM role created earlier and the external ID chosen for it.
3. Choose a `Default Region` based on your account's region.
4. Click `Save & Test` to create the data source.

