AWS Grafana Cross account via user managed IAM

0

Hi,

I'm trying to set up cross-account AWS Grafana data sources, but any attempt to get something from a different account is failing.

My admin role used by Grafana is:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "grafana.amazonaws.com",
				"AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

and my account Member role has:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

When creating the CloudWatch data source in AWS Grafana, I do:

admin -> Data sources - New

Auth Provider: Workspace IAM Role
Assume Role ARN: arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole
Default Region: eu-west-2

I get the error below when trying to create a CloudWatch data source in Grafana:

1. CloudWatch metrics query failed: AccessDenied: User: arn:aws:sts::xxxxx:assumed-role/AmazonGrafanaOrgAdminRole/AWSGrafana_ASSUME_ROLE_SESSION-1690202706828 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole status code: 403, request id: 222a6d6c-bc28-4153-b5c8-ca73c6aea5c1
2. CloudWatch logs query failed: AccessDenied: User: arn:aws:sts::089449186373:assumed-role/AmazonGrafanaOrgAdminRole/AWSGrafana_ASSUME_ROLE_SESSION-1690202706828 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::527311303844:role/AmazonGrafanaOrgMemberRole status code: 403, request id: b67af398-6c56-43f1-af27-920af7ef54b3

Any ideas what I'm doing wrong?

3 Answers
1

Looking at the error, it appears that the role "AmazonGrafanaOrgAdminRole" is failing to AssumeRole to "AmazonGrafanaOrgMemberRole".
What is the trust policy for "AmazonGrafanaOrgMemberRole"?
Also, is it ok if I don't configure the "AmazonGrafanaOrgAdminRole" resource section?
Perhaps you need to set up an ARN for "AmazonGrafanaOrgMemberRole".
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Perhaps the following policy is what you need to set in your trust policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EXPERT
answered 10 months ago
  • Hi, not sure I understand, that is in the trusted relationships of the AmazonGrafanaOrgMemberRole

  • Thanks for the reply. What are the policies set for "AmazonGrafanaOrgMemberRole"? Are you sure that the following policy you shared is what is set in the trust policy?

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GiveManagementAccountAccessToRoleForGrafana",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
0
Accepted answer

Hi,

I think that your IAM definition for Principal arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole is incomplete. In addition to "Action": "sts:AssumeRole", you should add Resource with the ARN of your member role.

Update: that's how you should update the admin Role policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole",
            "Resource": "<the full ARN of the member role including the account id>"
        }
    ]
}

To see another example, go to https://nelson.cloud/aws-iam-allowing-a-role-to-assume-another-role/

Also, I'd strongly suggest you to follow precisely this blog post to set up policies properly: https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/

Best, Didier

AWS
EXPERT
answered 10 months ago
  • Hi, can you give an example? Not sure I understand your comment.

  • See the update of my answer also with the link to external article

0

Hi, resolved.

Thanks for the link: https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/

My policy for cross-account access was being applied at org level (as I copied it from our root account's Grafana that I'm replacing). Removing that and creating an IAM policy of:

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [

        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole"
        }
    ]
}
EOF

where all the other accounts have the role, worked!

Thanks for the help!

answered 10 months ago
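The accepted answer and the resolved post together describe the two halves of a cross-account AssumeRole: the member role's trust policy must name the admin role as a principal, and the admin role's own identity policy must allow `sts:AssumeRole` on the member role's ARN. The AccessDenied in the question is what you get when the second half is missing. The following evaluator, added here as an illustration and not code from the thread or from AWS, models both checks against constructed sample policies (placeholder account ids `111111111111` and `222222222222`, assumed role names taken from the thread). It normalises the `arn:aws:sts::…:assumed-role/…` session ARN that Grafana calls with to the underlying IAM role ARN, as IAM does, and ignores any `Resource` element in a trust policy, because a role trust policy has no Resource element (the resource is the role itself).

```python
import re

# Constructed sample ARNs (placeholder account ids, not from the question).
ADMIN_ACCOUNT = "111111111111"
MEMBER_ACCOUNT = "222222222222"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ADMIN_ACCOUNT}:role/AmazonGrafanaOrgAdminRole"
MEMBER_ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/AmazonGrafanaOrgMemberRole"
# Grafana calls STS as an assumed-role session of the admin role; this is the
# shape of the "User:" in the AccessDenied message from the question.
GRAFANA_SESSION_ARN = (
    f"arn:aws:sts::{ADMIN_ACCOUNT}:assumed-role/AmazonGrafanaOrgAdminRole/"
    "AWSGrafana_ASSUME_ROLE_SESSION-1"
)

# Trust policy on the member role (the half that lives in the member account).
MEMBER_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GiveManagementAccountAccessToRoleForGrafana",
        "Effect": "Allow",
        "Principal": {"AWS": ADMIN_ROLE_ARN},
        "Action": "sts:AssumeRole",
    }],
}

# Identity policy on the admin role before the fix: nothing grants sts:AssumeRole.
ADMIN_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": []}

# Identity policy after the fix from the resolved post: allow assuming the
# member role by name in any account of the organisation.
ADMIN_POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole",
    }],
}


def _listify(value):
    """IAM lets most fields be a string or a list; always work with a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' a single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def normalize_principal(arn):
    """Map an STS assumed-role session ARN to the IAM role ARN it is evaluated as."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return arn


def identity_policy_allows(policy, action, resource):
    """Evaluate an identity-based policy: an explicit Deny wins, otherwise any Allow."""
    allowed = False
    for st in _listify(policy.get("Statement")):
        action_hit = any(_wild(a, action) for a in _listify(st.get("Action")))
        resource_hit = any(_wild(r, resource) for r in _listify(st.get("Resource")))
        if action_hit and resource_hit:
            if st.get("Effect") == "Deny":
                return False
            if st.get("Effect") == "Allow":
                allowed = True
    return allowed


def trust_policy_allows(policy, caller_arn, action="sts:AssumeRole"):
    """Evaluate a role trust policy for a caller. Any 'Resource' key is ignored:
    a trust policy has no Resource element, the role itself is the resource."""
    caller = normalize_principal(caller_arn)
    allowed = False
    for st in _listify(policy.get("Statement")):
        principal = st.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _listify(principal.get("AWS"))
        principal_hit = any(p == "*" or p == caller for p in aws_principals)
        action_hit = any(_wild(a, action) for a in _listify(st.get("Action")))
        if principal_hit and action_hit:
            if st.get("Effect") == "Deny":
                return False
            if st.get("Effect") == "Allow":
                allowed = True
    return allowed


def can_assume(caller_arn, caller_policy, target_role_arn, target_trust_policy):
    """Cross-account AssumeRole needs both halves; return (ok, reason)."""
    caller = normalize_principal(caller_arn)
    if not identity_policy_allows(caller_policy, "sts:AssumeRole", target_role_arn):
        return False, f"{caller} is not authorized to perform: sts:AssumeRole on resource: {target_role_arn}"
    if not trust_policy_allows(target_trust_policy, caller_arn):
        return False, f"trust policy of {target_role_arn} does not list {caller} as a principal"
    return True, "allowed"


if __name__ == "__main__":
    for label, policy in (("before", ADMIN_POLICY_BEFORE), ("after", ADMIN_POLICY_AFTER)):
        ok, reason = can_assume(GRAFANA_SESSION_ARN, policy, MEMBER_ROLE_ARN, MEMBER_TRUST_POLICY)
        print(f"{label}: {ok} ({reason})")
```

Running it prints the "before" case as denied with the same wording as the question's error and the "after" case as allowed. When debugging a real setup, the same two questions apply in the same order: does the caller's identity policy (on the role Grafana runs as, not on the org) allow `sts:AssumeRole` on the target ARN, and does the target's trust policy name that caller role?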
