Add minimal IAM policy example for CloudWatch data source

2025-02-25 18:55:37 -06:00 · 2018-04-11 21:29:11 -05:00 · 2018-04-11 21:29:11 -05:00 · ee7943b9b2
commit ee7943b9b2
parent 041067f5f0
1 changed files with 34 additions and 0 deletions
--- a/docs/sources/features/datasources/cloudwatch.md
+++ b/docs/sources/features/datasources/cloudwatch.md
@ -43,6 +43,40 @@ server is running on AWS you can use IAM Roles and authentication will be handle

 Checkout AWS docs on [IAM Roles](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)

+## IAM Policies
+
+Grafana needs permissions granted via IAM to be able to read from CloudWatch
+and EC2. Attach these permissions to IAM roles to utilized Grafana's build-in
+role support.
+
+Here is a minimal policy example:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowReadingMetricsFromCloudWatch",
+            "Effect": "Allow",
+            "Action": [
+                "cloudwatch:ListMetrics",
+                "cloudwatch:GetMetricStatistics"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowReadingTagsFromEC2",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeTags",
+                "ec2:DescribeInstances"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
 ### AWS credentials file

 Create a file at `~/.aws/credentials`. That is the `HOME` path for user running grafana-server.