AWS Grafana Cross account via user managed IAM

Hi,

I'm trying to set up cross-account AWS Grafana data sources, but any attempt to get something from a different account is failing.

My admin role used by Grafana is:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "grafana.amazonaws.com",
				"AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

and my member account role has:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

When creating the CloudWatch data source in AWS Grafana I do:

admin -> Data sources -> New

Auth Provider: Workspace IAM Role
Assume Role ARN: arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole
Default Region: eu-west-2

I get the errors below when trying to create a CloudWatch data source in Grafana:

1. CloudWatch metrics query failed: AccessDenied: User: arn:aws:sts::xxxxx:assumed-role/AmazonGrafanaOrgAdminRole/AWSGrafana_ASSUME_ROLE_SESSION-1690202706828 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxx:role/AmazonGrafanaOrgMemberRole status code: 403, request id: 222a6d6c-bc28-4153-b5c8-ca73c6aea5c1
2. CloudWatch logs query failed: AccessDenied: User: arn:aws:sts::089449186373:assumed-role/AmazonGrafanaOrgAdminRole/AWSGrafana_ASSUME_ROLE_SESSION-1690202706828 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::527311303844:role/AmazonGrafanaOrgMemberRole status code: 403, request id: b67af398-6c56-43f1-af27-920af7ef54b3

Any ideas what I'm doing wrong?

3 Answers

Looking at the error, it appears that the role "AmazonGrafanaOrgAdminRole" is failing to AssumeRole into "AmazonGrafanaOrgMemberRole".
What is the trust policy for "AmazonGrafanaOrgMemberRole"?
Also, is it OK if I don't configure the "AmazonGrafanaOrgAdminRole" resource section?
Perhaps you need to set up an ARN for "AmazonGrafanaOrgMemberRole".
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Perhaps the following policy is what you need to set in your trust policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EXPERT
answered 10 months ago
  • Hi, not sure I understand; that is in the trusted relationships of the AmazonGrafanaOrgMemberRole.

  • Thanks for the reply. What are the policies set for "AmazonGrafanaOrgMemberRole"? Are you sure that the following policy you shared is what is set in the trust policy?

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GiveManagementAccountAccessToRoleForGrafana",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
Accepted answer

Hi,

I think that your IAM definition for Principal arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole is incomplete. In addition to "Action": "sts:AssumeRole", you should add Resource with the ARN of your member role.

Update: this is how you should update the admin role policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:role/AmazonGrafanaOrgAdminRole"
            },
            "Action": "sts:AssumeRole",
            "Resource": "<the full ARN of the member role including the account id>"
        }
    ]
}

To see another example, go to https://nelson.cloud/aws-iam-allowing-a-role-to-assume-another-role/

Also, I'd strongly suggest that you follow this blog post precisely to set up the policies properly: https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/

Best, Didier

AWS EXPERT
answered 10 months ago
  • Hi, can you give an example? I'm not sure I understand your comment.

  • See the update of my answer, also with the link to the external article.


Hi, resolved.

Thanks for the link: https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/

The policy for cross-account access that I was using was at org level (as I copied it from our root account's Grafana that I'm replacing). Removing that and creating an IAM policy of:

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [

        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole"
        }
    ]
}
EOF

Where all the other accounts had the role, it worked!

Thanks for the help!

answered 10 months ago
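The fix in this thread comes down to the two halves that STS checks for a cross-account AssumeRole: an identity policy on the calling role (AmazonGrafanaOrgAdminRole in the management account) that allows sts:AssumeRole on the target role ARN, and a trust policy on the target role (AmazonGrafanaOrgMemberRole in each member account) that names the calling role as Principal. The question had only the trust policy in place, which is why STS answered AccessDenied. The following added example, which is not code from the thread, from AWS, or from Grafana, is a small offline evaluator that models both halves and reproduces the before/after outcome. It assumes placeholder account IDs (111111111111 for the management account, 222222222222 for a member account), ignores Condition blocks, NotAction, SCPs and permission boundaries, and assumes the admin role's own trust of grafana.amazonaws.com is already configured, as in the question.

```python
"""Offline model of the two-sided cross-account sts:AssumeRole check.

Added example, not code from the thread or from AWS. Account IDs are placeholders.
Simplified evaluator: no Condition, NotAction, SCPs or permission boundaries.
"""
import fnmatch
import json

MGMT_ACCOUNT = "111111111111"    # placeholder: management account hosting Grafana
MEMBER_ACCOUNT = "222222222222"  # placeholder: a member account with CloudWatch data
ADMIN_ROLE_ARN = f"arn:aws:iam::{MGMT_ACCOUNT}:role/AmazonGrafanaOrgAdminRole"
MEMBER_ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/AmazonGrafanaOrgMemberRole"

# Identity policy on the admin role as in the question: nothing grants sts:AssumeRole.
ADMIN_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": []}

# Identity policy from the resolved post: any account, fixed role name.
ADMIN_POLICY_AFTER = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole"
    }
  ]
}
""")

# Trust policy on the member role, as posted in the question (account ID substituted).
MEMBER_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveManagementAccountAccessToRoleForGrafana",
            "Effect": "Allow",
            "Principal": {"AWS": ADMIN_ROLE_ARN},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM-style wildcard match using only '*' and '?'."""
    return fnmatch.fnmatchcase(value, pattern)


def _action_matches(statement, action):
    """Action names compare case-insensitively."""
    return any(_match(a.lower(), action.lower()) for a in _as_list(statement.get("Action")))


def identity_allows(policy, action, resource):
    """Evaluate an identity policy: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for st in _as_list(policy.get("Statement")):
        if not _action_matches(st, action):
            continue
        if not any(_match(r, resource) for r in _as_list(st.get("Resource"))):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def _principal_matches(principal, caller_arn):
    """An AWS principal may be '*', the exact role ARN, an account ID or the account root ARN."""
    if principal in ("*", caller_arn):
        return True
    caller_account = caller_arn.split(":")[4]
    return principal in (caller_account, f"arn:aws:iam::{caller_account}:root")


def trust_allows(trust_policy, caller_arn, action="sts:AssumeRole"):
    """Evaluate the target role's trust policy for the calling role ARN."""
    allowed = False
    for st in _as_list(trust_policy.get("Statement")):
        if not _action_matches(st, action):
            continue
        principal = st.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if not any(_principal_matches(p, caller_arn) for p in aws_principals):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def explain_assume_role(identity_policy, trust_policy, caller_arn, target_arn):
    """Return (ok, reason). Both halves must allow, which is how STS evaluates cross-account AssumeRole."""
    if not identity_allows(identity_policy, "sts:AssumeRole", target_arn):
        return False, f"{caller_arn} has no identity-policy Allow for sts:AssumeRole on {target_arn}"
    if not trust_allows(trust_policy, caller_arn):
        return False, f"trust policy on {target_arn} does not list {caller_arn} as Principal"
    return True, "allowed"


if __name__ == "__main__":
    for label, policy in (("before fix", ADMIN_POLICY_BEFORE), ("after fix", ADMIN_POLICY_AFTER)):
        ok, why = explain_assume_role(policy, MEMBER_TRUST, ADMIN_ROLE_ARN, MEMBER_ROLE_ARN)
        print(f"{label}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Two practical notes. The resource `arn:aws:iam::*:role/AmazonGrafanaOrgMemberRole` only lets the admin role attempt to assume a role of that name in any account; which accounts actually succeed is decided by each member role's trust policy, so keep that trust policy pinned to the exact admin role ARN rather than the management account root, and if the organization is small, list the member account IDs explicitly in the Resource instead of `*`. For a live check of the identity-policy half against real policies, `aws iam simulate-principal-policy --policy-source-arn <admin role ARN> --action-names sts:AssumeRole --resource-arns <member role ARN>` reports the same allow/deny decision; it does not evaluate the member account's trust policy, so a successful `aws sts assume-role` from the admin role remains the end-to-end test.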
