How do I connect my Amazon Managed Grafana dashboard to OpenSearch Serverless?

I want to connect my Amazon Managed Grafana dashboard to Amazon OpenSearch Serverless.

Resolution

To connect your Amazon Managed Grafana workspace to OpenSearch Serverless, create an AWS Identity and Access Management (IAM) role. The IAM role must have full OpenSearch Serverless permissions. Then, attach the IAM role to your Amazon Managed Grafana workspace.

Create an IAM role and grant permissions

Complete the following steps:

  1. Open the IAM console.

  2. In the navigation pane, choose Roles, and then choose Create role.

  3. For Trusted entity type, choose Custom trust policy.

  4. Name the IAM role grafana-role.

  5. Enter the following trust relationship into the trust policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "grafana.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  6. Create the following permissions policy that's named Grafana-OpenSearch-Serverless-Access:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "aoss:*",
          "Resource": "OpenSearch resource ARN"
        }
      ]
    }

    Note: Replace OpenSearch resource ARN with your OpenSearch resource's ARN. The preceding example permissions policy is based on the Amazon Managed Grafana integration with the OpenSearch Serverless non-virtual private cloud (VPC) based collection. The policy also has full permissions. To restrict permissions, specify only the necessary resources. 
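
The following Python is an added example, not part of the original article and not AWS-provided code. It lints the two policies from steps 5 and 6 before you attach them: it flags a service-principal trust statement with no aws:SourceAccount or aws:SourceArn condition, wildcard actions such as aoss:*, and a Resource that is "*" or still holds the placeholder text. The finding names, the TRUST_SCOPED variant, and the account ID 111122223333 are constructed for illustration.

```python
# Added example: lint the trust and permissions policies from steps 5 and 6.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "grafana.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
PERMS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": "aoss:*", "Resource": "OpenSearch resource ARN"}]}
# Constructed variant: same trust policy, scoped to one account (placeholder ID).
TRUST_SCOPED = {"Version": "2012-10-17", "Statement": [dict(
    TRUST["Statement"][0],
    Condition={"StringEquals": {"aws:SourceAccount": "111122223333"}})]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def lint_trust(policy):
    """Flag trust statements that are not tied to a source account or ARN."""
    findings = []
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard-principal")
            continue
        # Condition keys are case-insensitive in IAM, so normalise before matching.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if "Service" in principal and not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            findings.append("no-source-condition")
    return findings

def lint_permissions(policy):
    """Flag wildcard actions, wildcard resources and unreplaced placeholders."""
    findings = []
    for stmt in _allow_statements(policy):
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard-action:{action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append("wildcard-resource")
            elif not resource.startswith("arn:"):
                findings.append("placeholder-resource")
    return findings

if __name__ == "__main__":
    print("trust:", lint_trust(TRUST) or "ok")
    print("trust (scoped):", lint_trust(TRUST_SCOPED) or "ok")
    print("permissions:", lint_permissions(PERMS) or "ok")
```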

Configure Amazon Managed Grafana

Complete the following steps:

  1. Open the Amazon Managed Grafana console.
  2. Choose Create workspace, and then name the workspace. 
    Note: Make sure that you select the most recent version of Grafana.
  3. Choose Authentication access, and then choose AWS IAM Identity Center.
  4. Choose IAM permission access settings.
  5. Choose Customer Managed, and then select the grafana-role IAM role.
  6. Choose Workspace configuration options, and then choose Turn plugin management on.
  7. Choose Network access control, and then choose Public.
  8. Review the settings, and then choose Create workspace.

Assign a Grafana workspace to users

Complete the following steps:

  1. Open the Amazon Managed Grafana console.
  2. Choose Authentication, and then choose AWS IAM Identity Center.
  3. Choose Assign new user or group.

Grant admin access

Complete the following steps:

  1. Open the Amazon Managed Grafana console.
  2. Choose Configure users and user groups.
  3. Select the user, and then under Actions, choose Make admin.

Configure OpenSearch Serverless

Complete the following steps:

  1. Open the Amazon Managed Grafana console.
  2. In the navigation pane, choose All workspaces, and then select your workspace.
  3. Under Apps, for Data Sources, choose AWS Services.
  4. Choose Amazon OpenSearch, and then choose Install now.
  5. In the pop-up window, choose Install.
  6. Choose Add new data source.
  7. Under Connections, choose Data sources, and then choose grafana-OpenSearch-datasource.
  8. For Settings, enter the following details for the OpenSearch Serverless collection:
    Under HTTP, enter the OpenSearch Serverless endpoint.
    Under Access, choose Default.
    Under Auth, turn on SigV4 auth.
    Select the AWS Region where you deploy your OpenSearch collection.
    Under Authentication provider, choose Workspace IAM role.
    Note: You don't need to include the role in the Assume role ARN section.
    Under OpenSearch details, enter the index name.
  9. Review the details and then choose Save and test.
    Note: The Index OK message appears. The green checkmark shows that the data source is successfully added.

You can now access the Grafana console and use the dashboard to view the data.