Integrate CloudWatch Grafana Datasource

To set up the CloudWatch datasource in Grafana, you need to configure the necessary credentials and permissions. This involves creating an IAM role in AWS with appropriate permissions to access CloudWatch metrics and data.

Setting up an IAM role

To set up an IAM role with cross-account assume for accessing CloudWatch data in Grafana, you need to follow these steps:

Create an IAM Role in the target account: In the target account, navigate to the IAM service and create a new IAM role.

Define the trust relationship: When creating the IAM role, define the trust relationship policy document to include the groundcover account as the trusted entity, along with the external ID.

Here's an example trust policy document. NOTE: Choose YOUR_EXTERNAL_ID as a unique and secret external ID. This will be used by the integration to identify your account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "271490644974"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

Attach an inline policy: While creating the IAM role add an inline policy with the necessary permissions for accessing CloudWatch metrics, logs, and EC2 resources. Here's an example of policy document:

{
  "Version": "2012-10-17",
  "Id": "groundcover-cloudwatch-integration",
  "Statement": [
    {
      "Sid": "AllowReadingMetricsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetInsightRuleReport",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmHistory"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingLogsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "logs:StopQuery",
        "logs:StartQuery",
        "logs:GetQueryResults",
        "logs:GetLogGroupFields",
        "logs:GetLogEvents",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ec2:DescribeRegions",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}

Provisioning the datasource

Self provisioning of data sources is only available as part of the enterprise plan.

The following steps require a user with admin privileges in the platform

In the Grafana Data sources page, add a new CloudWatch datasource.

Choose a Name for your data source.
Fill in the Assume Role ARN and External ID fields with the IAM role and external ID selected earlier.
Choose a Default Region based on your account's region.
Click Save & Test to create the data source.

Last updated 5 months ago