AWS Grafana Cross account via user managed IAM

0

Hi,

I'm trying to set up cross-account AWS Grafana data sources, but any attempt to get something from a different account is failing.

My admin role used by grafana is:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "grafana.amazonaws.com",
				"AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

and my account Member role has:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

When creating the CloudWatch data source in AWS Grafana I am:

admin -> Data sources - New

Auth Provider: Workspace IAM Role
Assume Role ARN: arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole
Default Region: eu-west-2

I get the error below when trying to create a CloudWatch data source in Grafana:

1. CloudWatch metrics query failed: AccessDenied: User: arn:aws:sts::xxxxx:assumed-role/AmazonGrafanaOrgAdminRole/AWSGrafana_ASSUME_ROLE_SESSION-1690202706828 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole status code: 403, request id: 222a6d6c-bc28-4153-b5c8-ca73c6aea5c1

2. CloudWatch logs query failed: AccessDenied: User: arn:aws:sts::089449186373:assumed-role/AmazonGrafanaOrgAdminRole/AWSGrafana_ASSUME_ROLE_SESSION-1690202706828 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::527311303844:role/AmazonGrafanaOrgMemberRole status code: 403, request id: b67af398-6c56-43f1-af27-920af7ef54b3

Any ideas what I'm doing wrong?

3 Answers
1

Looking at the error, it appears that the role "AmazonGrafanaOrgAdminRole" is failing to AssumeRole to "AmazonGrafanaOrgMemberRole".
What is the trust policy for "AmazonGrafanaOrgMemberRole"?
Also, is it ok if I don't configure the "AmazonGrafanaOrgAdminRole" resource section?
Perhaps you need to set up an ARN for "AmazonGrafanaOrgMemberRole".
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Perhaps the following policy is what you need to set in your trust policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EXPERT
answered 10 months ago
  • Hi, not sure I understand, that is in the trusted relationships of the AmazonGrafanaOrgMemberRole

  • Thanks for the reply. What are the policies set for "AmazonGrafanaOrgMemberRole"? Are you sure that the following policy you shared is what is set in the trust policy?

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GiveManagementAccountAccessToRoleForGrafana",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
0
Accepted Answer

Hi,

I think that your IAM definition for Principal arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole is incomplete. In addition to "Action": "sts:AssumeRole", you should add Resource with the ARN of your member role.

Update: this is how you should update the admin role policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole",
            "Resource": "<the full ARN of the member role including the account id>"
        }
    ]
}

To see another example, go to https://nelson.cloud/aws-iam-allowing-a-role-to-assume-another-role/

Also, I'd strongly suggest you to follow precisely this blog post to set up policies properly: https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/

Best, Didier

AWS
EXPERT
answered 10 months ago
  • Hi, can you give an example? Not sure I understand your comment.

  • See the update of my answer also with the link to external article

0

Hi, resolved.

Thanks for the link: https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/

My policy for cross-account access that I was using was org level (as I copied it from our root account's Grafana that I'm replacing). Removing that and creating an IAM policy of:

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [

        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole"
        }
    ]
}
EOF

Where all the other accounts had the role, it worked!

Thanks for the help!

answered 10 months ago
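The accepted answer and the resolved post together describe the two halves a cross-account AssumeRole needs: the member role's trust policy must name the admin role as a principal, and the admin role's own identity (permissions) policy must allow sts:AssumeRole on the member role's ARN. The error in the question is the second half missing. The following is an added example, not code from the thread or from AWS: an offline checker that takes both policy documents and reports which half is broken, run against constructed "before" and "after" versions of the admin role's permissions policy. Account ids 111111111111 and 222222222222 are placeholders, and the evaluation is deliberately simplified (no Condition blocks, SCPs or permission boundaries are considered).

```python
import fnmatch
import json

# Constructed placeholder account ids (not taken from the original thread).
ADMIN_ACCOUNT = "111111111111"
MEMBER_ACCOUNT = "222222222222"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ADMIN_ACCOUNT}:role/AmazonGrafanaOrgAdminRole"
MEMBER_ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/AmazonGrafanaOrgMemberRole"

# Identity policy on the admin role as the thread started: CloudWatch access
# but no sts:AssumeRole grant at all (constructed sample).
ADMIN_PERMS_BEFORE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData"],
     "Resource": "*"}
  ]
}
""")

# The same policy after adding the grant from the resolved post.
ADMIN_PERMS_AFTER = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole"}
  ]
}
""")

# Trust policy on the member role in the second account (constructed sample,
# same shape as the one posted in the question).
MEMBER_TRUST = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [
    {{"Sid": "GiveManagementAccountAccessToRoleForGrafana",
      "Effect": "Allow",
      "Principal": {{"AWS": "{ADMIN_ROLE_ARN}"}},
      "Action": "sts:AssumeRole"}}
  ]
}}
""")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcards: '*' matches any run, '?' one character (case-sensitive
    for ARNs). Brackets are escaped so fnmatch does not treat them as classes."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def identity_policy_allows(policy, action, resource):
    """True if an identity-based policy allows `action` on `resource`;
    an explicit Deny on a matching statement wins, as in IAM evaluation."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_iam_match(a, action) for a in _as_list(stmt.get("Action")))
        resource_hit = any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def trust_policy_allows(trust, caller_arn):
    """True if the role's trust policy lets `caller_arn` call sts:AssumeRole.
    Accepts the exact role ARN or the caller account's root / bare account id;
    a wildcard '*' principal is intentionally NOT accepted."""
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, f"arn:aws:iam::{account}:root", account}
    for stmt in _as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_iam_match(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if accepted & set(principals):
            return True
    return False


def check_cross_account_chain(admin_perms, member_trust, admin_role_arn, member_role_arn):
    """Return a list of problems; an empty list means both halves line up."""
    problems = []
    if not identity_policy_allows(admin_perms, "sts:AssumeRole", member_role_arn):
        problems.append(f"{admin_role_arn}: identity policy lacks sts:AssumeRole on {member_role_arn}")
    if not trust_policy_allows(member_trust, admin_role_arn):
        problems.append(f"{member_role_arn}: trust policy does not list {admin_role_arn} as principal")
    return problems


if __name__ == "__main__":
    for label, perms in (("before", ADMIN_PERMS_BEFORE), ("after", ADMIN_PERMS_AFTER)):
        result = check_cross_account_chain(perms, MEMBER_TRUST, ADMIN_ROLE_ARN, MEMBER_ROLE_ARN)
        print(label, "->", result or "OK")
```

Feeding the "before" policy reproduces the question's symptom as a missing identity-policy grant, while the "after" policy passes both checks; the trust policy was correct all along, which is why editing it (as the first two answers suggested) did not help. Because the resolved post grants `arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole`, the checker also shows the admin role may assume that role name in any account that trusts it, so the member-side trust policy is what limits the blast radius.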
