Can I get API Keys for a Service Role?

Question

I want to create a role with a series of CloudWatch Allow policies, and use that on Grafana Cloud so I can read data from an account.

I've found this one from [Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-manage-permissions.html) which suggests me that those are the policies I need to make sure the API Keys set on Grafana Cloud are privileged with.

In my case I should use Grafana Cloud and not an AWS Managed Grafana instance. So I should get valid and API Keys.

Usually what I'd do is to create a user that gets that role attached. However I've come across the existence of Service Roles. These sound like the ones I should use, however I can't figure out what other resources I'd need to create to generate API Keys for an identity or permission attachment for such role.

So my question is. If I need to generate long term valid API Keys, should I create a user?

Answer

You're right, you can create a role and attach it to the Managed Grafana workspace or use managed by AWS role as described in the [mentioned page](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-manage-permissions.html).

While creating the workspace you can choose between
* Service managed - We will automatically provision the permissions for you based on the AWS services you choose in the next step.
* Customer managed - Manually create your own IAM role based on the suggested policies.

I would say that you can easily go with Service managed permissions.

And to summarise, you don't need User for Managed Grafana at all :) The user will be needed for Grafana cloud for example.

Can I get API Keys for a Service Role?

Relevant content