By using AWS re:Post, you agree to the Terms of Use

How to grant someone else CloudWatch dashboard view access?

0

Hi, I've granted someone access to my dashboard, they can open the link but cannot see the widgets. I'm not sure what the right permissions are. I granted: cloudwatch:GetDashboard for the specific dashboard, and also:

            "cloudwatch:GetMetricData",
            "cloudwatch:GetMetricStatistics",

and since the widget is showing AppELB requestCount, I also added elasticloadbalancing:DescribeTags for the specific resource arn:aws:elasticloadbalancing:*:xxxxxxxx:loadbalancer/app/*/*

But it seems it's not enough and the dashboard is empty for that user. What should I change?

asked 8 months ago412 views
3 Answers
1

Generally speaking, for metric widgets, you need only:

"cloudwatch:GetDashboard",
"cloudwatch:GetMetricData"

If plotting EC2 instance metrics then better to also have:

"ec2:DescribeTags"

No need for any extra ELB permissions.

It's not clear what the issue might be without more info, such as what user is actually seeing and what errors might be logged in requests in browser Network tab.

answered 8 months ago
  • The user sees the dashboard page like I see it, only without the widget I put there, i.e. the dashboard looks like a new dashboard without any widgets.

1

I experimented with some permissions, it looks like describeAlarms solved it + a full browser refresh (cmd+shift+R)

answered 8 months ago
0

Hi Sagimannyok,

Seems like there was a caching issue on the other user side. First of all when you mentioned the user was only seeing blank dashboard(like a new one) it gave me an idea that the Dashboard might not have been saved yet, but looks like it was not.

So when you provide access to a Dashboard to someone(IAM user) the most important permissions are as below:

  • cloudwatch:GetDashboard -> With the specific link user can access the dashboard, but cannot list from the Dashboards if ListDashboard is not provided
  • cloudwatch:ListDashboard -> allows the user to list the Dashboards from the console

After you have provided access to the Dashboard, if user lacks permission for specific type of Widgets then it should pop on the widgets with the related error message. For example for Alarm widgets, the error should state something similar to Could not load data. The current role cannot perform cloudwatch:DescribeAlarms. which is quite straightforward.

So for MetricWidget cloudwatch:GetMetricData should work in most cases, and if you have MetricExplorer widgets then xxx:DescribeTags should be allowed. Same goes to Logs table widget if lacking permission it should state something similar to Could not load data. The current role cannot perform logs:FilterLogEvents.

Hope this helps for further tasks.

Thanks

SUPPORT ENGINEER
answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions