Merge pull request #11567 from 247Sports/docs/cloudwatch-backend-iam-policy

Add minimal IAM policy example for CloudWatch data source
2024-11-29 04:04:00 -06:00 · 2018-04-12 10:23:56 +02:00 · 2018-04-12 10:23:56 +02:00 · dca73b9ab6
commit dca73b9ab6
parent 041067f5f0 1f0dfbbf86
1 changed files with 34 additions and 0 deletions
--- a/docs/sources/features/datasources/cloudwatch.md
+++ b/docs/sources/features/datasources/cloudwatch.md
@ -43,6 +43,40 @@ server is running on AWS you can use IAM Roles and authentication will be handle

 Checkout AWS docs on [IAM Roles](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)

+## IAM Policies
+
+Grafana needs permissions granted via IAM to be able to read CloudWatch metrics
+and EC2 tags/instances. You can attach these permissions to IAM roles and
+utilize Grafana's built-in support for assuming roles.
+
+Here is a minimal policy example:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowReadingMetricsFromCloudWatch",
+            "Effect": "Allow",
+            "Action": [
+                "cloudwatch:ListMetrics",
+                "cloudwatch:GetMetricStatistics"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowReadingTagsFromEC2",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeTags",
+                "ec2:DescribeInstances"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
 ### AWS credentials file

 Create a file at `~/.aws/credentials`. That is the `HOME` path for user running grafana-server.