How to grant someone else CloudWatch dashboard view access?

0

Hi, I've granted someone access to my dashboard; they can open the link but cannot see the widgets. I'm not sure what the right permissions are. I granted: cloudwatch:GetDashboard for the specific dashboard, and also:

"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",

and since the widget is showing AppELB requestCount, I also added elasticloadbalancing:DescribeTags for the specific resource arn:aws:elasticloadbalancing:*:xxxxxxxx:loadbalancer/app/*/*

But it seems it's not enough and the dashboard is empty for that user. What should I change?

asked 2 years ago · 4298 views
3 Answers
1

Generally speaking, for metric widgets, you need only:

"cloudwatch:GetDashboard",
"cloudwatch:GetMetricData"

If plotting EC2 instance metrics, it is better to also have:

"ec2:DescribeTags"

No need for any extra ELB permissions.

It's not clear what the issue might be without more info, such as what the user is actually seeing and what errors might be logged for requests in the browser Network tab.

AWS
answered 2 years ago
  • The user sees the dashboard page like I see it, only without the widget I put there, i.e. the dashboard looks like a new dashboard without any widgets.

1

I experimented with some permissions; it looks like describeAlarms solved it, plus a full browser refresh (Cmd+Shift+R).

answered 2 years ago
1

Hi Sagimannyok,

Seems like there was a caching issue on the other user's side. First of all, when you mentioned the user was only seeing a blank dashboard (like a new one), it gave me the idea that the dashboard might not have been saved yet, but it looks like that was not the case.

So when you provide access to a dashboard to someone (IAM user), the most important permissions are as below:

  • cloudwatch:GetDashboard -> With the specific link the user can access the dashboard, but cannot list it under Dashboards if ListDashboard is not provided
  • cloudwatch:ListDashboard -> allows the user to list the dashboards from the console

After you have provided access to the dashboard, if the user lacks permission for a specific type of widget, it should pop up on the widget with the related error message. For example, for Alarm widgets the error should state something similar to "Could not load data. The current role cannot perform cloudwatch:DescribeAlarms.", which is quite straightforward.

So for Metric widgets cloudwatch:GetMetricData should work in most cases, and if you have Metrics Explorer widgets then xxx:DescribeTags should be allowed. The same goes for the Logs table widget: if it lacks permission, it should state something similar to "Could not load data. The current role cannot perform logs:FilterLogEvents."

Hope this helps for further tasks.

Thanks

AWS
SUPPORT ENGINEER
answered 2 years ago
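Putting the three answers together, below is an example read-only viewer policy (added here as an illustration; it is not from any of the posts above). The account ID 111122223333 and the dashboard name EXAMPLE-DASHBOARD are placeholders; GetDashboard is scoped to one dashboard ARN (note that dashboard ARNs have no region field), while cloudwatch:GetMetricData and cloudwatch:ListDashboards do not support resource-level permissions and therefore use "*".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenOneDashboardByLink",
      "Effect": "Allow",
      "Action": "cloudwatch:GetDashboard",
      "Resource": "arn:aws:cloudwatch::111122223333:dashboard/EXAMPLE-DASHBOARD"
    },
    {
      "Sid": "ListDashboardsInConsole",
      "Effect": "Allow",
      "Action": "cloudwatch:ListDashboards",
      "Resource": "*"
    },
    {
      "Sid": "LoadMetricAndAlarmWidgets",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": "*"
    }
  ]
}
```

Widgets backed by other services need their own read actions on top of this (for example logs:FilterLogEvents for a Logs table widget, or ec2:DescribeTags when plotting EC2 instance metrics), and the viewer should do a hard browser refresh after the policy changes so cached widget errors do not mask the fix.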
