How to access resources in a multi account setup for a Managed Grafana Workspace


Dear members of the community,

I'm trying to set up a multi-account dashboard solution using AWS Managed Grafana with AWS Organizations.

I need to set up a dashboard in Account A, which is supposed to have access to a Timestream database in Account B. I created the managed Grafana workspace with service-managed permissions. Furthermore, I enabled the organizational unit option and passed the ID of the OU for Account B.

However, whenever I try to configure the connection to the Timestream database, I get an error saying that an error occurred within the plugin.

I tried following this article: https://aws.amazon.com/blogs/opensource/setting-up-amazon-managed-grafana-cross-account-data-source-using-customer-managed-iam-roles/ where two roles need to be created. One role in Account B provides access and permissions to Account A, such as:

Account B Trust Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${ACCOUNT_A_ID}:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Account B permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonTimestreamReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "timestream:CancelQuery",
                "timestream:DescribeDatabase",
                "timestream:DescribeEndpoints",
                "timestream:DescribeTable",
                "timestream:ListDatabases",
                "timestream:ListMeasures",
                "timestream:ListTables",
                "timestream:ListTagsForResource",
                "timestream:Select",
                "timestream:SelectValues",
                "timestream:DescribeScheduledQuery",
                "timestream:ListScheduledQueries",
                "timestream:DescribeBatchLoadTask",
                "timestream:ListBatchLoadTasks",
                "timestream:DescribeAccountSettings"
            ],
            "Resource": "*"
        }
    ]
}

Account A trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "grafana.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Account A permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::${ACCOUNT_B}:role/${ROLE_NAME_GIVEN_IN_ACCOUNT_B}"
        }
    ]
}

However, this still gives me some issues in connecting to the resources in Account B.

I have been working on this for some time, and I would like to get any assistance possible.

Best, Ed

asked 2 months ago
1 Answer
Accepted Answer

It is overall correct but I would check on the following items.

  • IAM Role Trust Relationships: Please ensure that the trust relationships for the IAM roles in both accounts are correctly configured. The role in Account B should trust Account A, and the role in Account A should trust the grafana.amazonaws.com service.
  • IAM Role Permissions: The permissions attached to the roles in both accounts should be correctly configured. The role in Account B should have the necessary permissions to access the Timestream database, and the role in Account A should have the sts:AssumeRole permission for the role in Account B.
  • Role Assumption: Ensure that the Grafana workspace in Account A is correctly assuming the role in Account B. This is typically done through the Grafana AWS CloudWatch data source configuration.
  • Network Connectivity: Ensure that there are no network connectivity issues or restrictions that might be preventing the Grafana workspace in Account A from connecting to the Timestream database in Account B.
answered 2 months ago
reviewed 2 months ago
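The first two items of the answer (trust relationships and permissions on both roles) can be checked mechanically before touching the console. The script below is an added example, not code from the post, the linked AWS blog, or Amazon Managed Grafana itself. It embeds the four policy documents from the question with constructed placeholder account IDs and role names (111111111111 / 222222222222, GrafanaWorkspaceRole / GrafanaTimestreamReadOnly, all assumed), then walks the chain in the order Grafana uses it: the workspace service principal assumes the Account A role, that role assumes the Account B role, and the Account B role queries Timestream. Beyond confirming the chain is wired, it also flags two least-privilege gaps that the post's policies have as written: the Account B trust policy trusts the whole of Account A (`:root`) rather than the specific Grafana role, and the Account A trust policy has no `aws:SourceAccount`/`aws:SourceArn` condition, the usual confused-deputy guard on a service-principal trust. The minimal Timestream action set it requires is an assumption; the post's longer list is a superset of it.

```python
"""Static sanity check of the IAM documents behind a Grafana -> cross-account Timestream role chain."""
import fnmatch

# Constructed placeholder identifiers (not from the post); substitute your own account IDs and role names.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"   # Grafana workspace account, Timestream account
ROLE_A, ROLE_B = "GrafanaWorkspaceRole", "GrafanaTimestreamReadOnly"
GRAFANA_SERVICE = "grafana.amazonaws.com"
# Assumed minimum the Timestream data source needs to list databases/tables and run queries.
REQUIRED_TIMESTREAM_ACTIONS = ("timestream:DescribeEndpoints", "timestream:ListDatabases",
                               "timestream:ListTables", "timestream:Select")

# The four documents from the post, with the placeholders filled in.
ACCOUNT_B_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
    "Action": "sts:AssumeRole", "Condition": {}}]}
ACCOUNT_B_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AmazonTimestreamReadOnlyAccess", "Effect": "Allow", "Resource": "*",
    "Action": ["timestream:CancelQuery", "timestream:DescribeDatabase", "timestream:DescribeEndpoints",
               "timestream:DescribeTable", "timestream:ListDatabases", "timestream:ListMeasures",
               "timestream:ListTables", "timestream:ListTagsForResource", "timestream:Select",
               "timestream:SelectValues", "timestream:DescribeScheduledQuery",
               "timestream:ListScheduledQueries", "timestream:DescribeBatchLoadTask",
               "timestream:ListBatchLoadTasks", "timestream:DescribeAccountSettings"]}]}
ACCOUNT_A_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": GRAFANA_SERVICE}, "Action": "sts:AssumeRole"}]}
ACCOUNT_A_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": f"arn:aws:iam::{ACCOUNT_B}:role/{ROLE_B}"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(doc, action):
    """Allow statements whose Action covers `action` (IAM matching: case-insensitive, * and ? wildcards)."""
    for st in _as_list(doc.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(st.get("Action", []))]
        if st.get("Effect") == "Allow" and any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            yield st


def _principals(st, key):
    principal = st.get("Principal", {})
    return _as_list(principal.get(key, [])) if isinstance(principal, dict) else []


def _account_of(principal):
    """'123456789012' or 'arn:aws:iam::123456789012:...' -> '123456789012'."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def _has_source_condition(st):
    blocks = [b for b in (st.get("Condition") or {}).values() if isinstance(b, dict)]
    keys = {k.lower() for b in blocks for k in b}
    return bool(keys & {"aws:sourceaccount", "aws:sourcearn"})


def check_role_chain(a_trust, a_perms, b_trust, b_perms,
                     account_a=ACCOUNT_A, account_b=ACCOUNT_B, role_a=ROLE_A, role_b=ROLE_B):
    """Return (severity, code, message) findings; an empty list means the chain is wired as expected."""
    findings = []
    role_a_arn = f"arn:aws:iam::{account_a}:role/{role_a}"
    role_b_arn = f"arn:aws:iam::{account_b}:role/{role_b}"

    # 1. Managed Grafana must be able to assume the Account A role.
    grafana = [st for st in _allow_statements(a_trust, "sts:AssumeRole")
               if GRAFANA_SERVICE in _principals(st, "Service")]
    if not grafana:
        findings.append(("ERROR", "A_TRUST_NO_GRAFANA",
                         f"Account A trust policy does not let {GRAFANA_SERVICE} assume {role_a}"))
    elif not any(_has_source_condition(st) for st in grafana):
        findings.append(("WARN", "A_TRUST_NO_SOURCE_CONDITION",
                         "Account A trust policy has no aws:SourceAccount/aws:SourceArn condition (confused-deputy guard)"))

    # 2. The Account A role must be allowed to assume the Account B role.
    if not any(fnmatch.fnmatchcase(role_b_arn, r) for st in _allow_statements(a_perms, "sts:AssumeRole")
               for r in _as_list(st.get("Resource", []))):
        findings.append(("ERROR", "A_PERMS_CANNOT_ASSUME_B", f"Account A role is not allowed sts:AssumeRole on {role_b_arn}"))

    # 3. The Account B role must trust Account A, ideally only the Grafana role rather than the whole account.
    trusted = [p for st in _allow_statements(b_trust, "sts:AssumeRole") for p in _principals(st, "AWS")]
    if account_a not in {_account_of(p) for p in trusted}:
        findings.append(("ERROR", "B_TRUST_NOT_ACCOUNT_A", f"Account B trust policy does not trust account {account_a}"))
    elif role_a_arn not in trusted:
        findings.append(("WARN", "B_TRUST_ROOT_PRINCIPAL",
                         f"Account B trusts all of account {account_a}; narrow the principal to {role_a_arn}"))

    # 4. The Account B role must carry the Timestream actions the data source uses.
    missing = [a for a in REQUIRED_TIMESTREAM_ACTIONS if not any(True for _ in _allow_statements(b_perms, a))]
    if missing:
        findings.append(("ERROR", "B_PERMS_MISSING_ACTIONS", "Account B role lacks " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for severity, code, message in check_role_chain(ACCOUNT_A_TRUST, ACCOUNT_A_PERMS, ACCOUNT_B_TRUST, ACCOUNT_B_PERMS):
        print(f"{severity:5} {code}: {message}")
```

Run against the post's policies, the script reports no errors (the chain is complete, which matches the answer's "overall correct") and two warnings: replace the `:root` principal in Account B with the Account A role ARN, and add a `StringEquals` condition on `aws:SourceAccount` (or `aws:SourceArn` with the workspace ARN) to the Account A trust policy. Neither warning explains the original plugin error, which the asker traced to the workspace's VPC attachment, but both are worth fixing before the roles go to production.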
  • Hi Giovanni, thank you very much for your prompt response. I was able to fix this by removing the Managed Grafana workspace from the VPC. Thank you for the response.
