aws / amazon-managed-grafana-roadmap

Amazon Managed Grafana Roadmap

Alerting to SNS located in a different AWS account #52

Open dnaprawa opened 1 year ago

dnaprawa commented 1 year ago

I have the requirement to configure Grafana alerting using an SNS topic located in a different AWS account than Grafana's. Unfortunately, it doesn't work as it should.

NOTE: When the SNS topic is created in the same AWS account as Managed Grafana, everything works well.

STEPS to reproduce

- AWS_ACCOUNT_SNS – account where the SNS topic is created
- AWS_ACCOUNT_GRAFANA – account where Managed Grafana is created

1. In AWS_ACCOUNT_SNS, created the IAM role sns-assume-role with this trust policy:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::AWS_ACCOUNT_GRAFANA:root"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

2. In AWS_ACCOUNT_SNS, created the IAM policy below and attached it to the sns-assume-role role:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "sns:Publish"
               ],
               "Resource": [
                   "arn:aws:sns:*:AWS_ACCOUNT_SNS:grafana*"
               ]
           }
       ]
   }
   ```

3. In AWS_ACCOUNT_SNS, created the SNS topic grafana-core-managed-grafana-sns with the access policy "Allow everyone to publish".

4. In AWS_ACCOUNT_GRAFANA, created an IAM policy and attached it to the Managed Grafana workspace IAM role:

   ```json
   {
       "Statement": [
           {
               "Action": "sts:AssumeRole",
               "Effect": "Allow",
               "Resource": [
                   "arn:aws:iam::AWS_ACCOUNT_GRAFANA:role/sns-assume-role"
               ],
               "Sid": ""
           }
       ],
       "Version": "2012-10-17"
   }
   ```

5. Configured the Contact Point in Managed Grafana to use SNS. Selected Workspace IAM Role as Auth Provider. In the Topic field, entered: arn:aws:sns:us-east-1:AWS_ACCOUNT_GRAFANA:grafana-core-managed-grafana-sns

--

I have been using a similar IAM approach to allow Managed Grafana to read logs from CloudWatch located in a different AWS account, and it works well. I would expect it to work in a similar manner for Grafana alerting, OR documentation which explains how to achieve cross-account configuration for SNS and Managed Grafana.
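An added offline consistency check for the cross-account chain described above (example code, not from the issue or from Amazon Managed Grafana): it walks the role's trust policy, the workspace role's sts:AssumeRole grant, the sns:Publish grant and the topic ARN, and optionally the kms:GenerateDataKey/kms:Decrypt permissions a topic encrypted with a customer managed KMS key also needs. The `check_chain` and `arn_account` helpers and the `encrypted` flag are assumptions of this example; run on the policies exactly as posted, it reports every ARN whose account field is AWS_ACCOUNT_GRAFANA where the role or topic is expected to live in AWS_ACCOUNT_SNS.

```python
import fnmatch

def _listify(v) -> list:
    """IAM accepts a single string or a list for Action/Resource/Principal."""
    return v if isinstance(v, list) else [v]

def arn_account(arn: str) -> str:
    """Account-id field of arn:partition:service:region:account-id:resource."""
    return arn.split(":")[4]

def check_chain(grafana_acct: str, sns_acct: str, trust: dict, assume: dict,
                publish: dict, topic_arn: str, encrypted: bool = False) -> list[str]:
    """Return findings for Grafana role -> sns-assume-role -> topic; [] means consistent."""
    findings = []
    # 1. The trust policy on the role in the SNS account must name the Grafana account.
    trusted = [p for s in trust["Statement"] if s.get("Effect") == "Allow" for p in _listify(
        s["Principal"].get("AWS", []) if isinstance(s["Principal"], dict) else s["Principal"])]
    if not any(p != "*" and arn_account(p) == grafana_acct for p in trusted):
        findings.append("trust policy does not let the Grafana account assume the role")
    # 2. The workspace role's AssumeRole grant must target a role *in the SNS account*.
    for s in assume["Statement"]:
        if "sts:AssumeRole" in _listify(s["Action"]):
            for r in _listify(s["Resource"]):
                if arn_account(r) != sns_acct:
                    findings.append(f"AssumeRole target {r} is not in the SNS account")
    # 3. The topic must live in the SNS account and be matched by the sns:Publish grant.
    if arn_account(topic_arn) != sns_acct:
        findings.append(f"topic {topic_arn} is not in the SNS account")
    grants = [r for s in publish["Statement"] if "sns:Publish" in _listify(s["Action"])
              for r in _listify(s["Resource"])]
    if not any(fnmatch.fnmatchcase(topic_arn, g) for g in grants):
        findings.append("sns:Publish grant does not match the topic ARN")
    # 4. A topic encrypted with a customer managed KMS key also requires the publishing
    #    role to hold kms:GenerateDataKey and kms:Decrypt on that key.
    if encrypted:
        kms = {a for s in publish["Statement"] for a in _listify(s["Action"]) if a.startswith("kms:")}
        if not {"kms:GenerateDataKey", "kms:Decrypt"} <= kms:
            findings.append("publish policy lacks kms:GenerateDataKey/kms:Decrypt for the topic key")
    return findings

# Policies as posted in the issue, with its AWS_ACCOUNT_* placeholders kept verbatim.
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": "arn:aws:iam::AWS_ACCOUNT_GRAFANA:root"}}]}
PUBLISH = {"Statement": [{"Effect": "Allow", "Action": ["sns:Publish"],
                          "Resource": ["arn:aws:sns:*:AWS_ACCOUNT_SNS:grafana*"]}]}
ASSUME = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                         "Resource": ["arn:aws:iam::AWS_ACCOUNT_GRAFANA:role/sns-assume-role"]}]}
TOPIC = "arn:aws:sns:us-east-1:AWS_ACCOUNT_GRAFANA:grafana-core-managed-grafana-sns"

def check_issue_policies() -> list[str]:
    """Findings for the chain exactly as posted in the issue."""
    return check_chain("AWS_ACCOUNT_GRAFANA", "AWS_ACCOUNT_SNS", TRUST, ASSUME, PUBLISH, TOPIC)
```

Swapping the account field of the AssumeRole target and the topic ARN to AWS_ACCOUNT_SNS makes the check return no findings; the `encrypted=True` path then reports only the missing KMS actions.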

reddy2018 commented 1 year ago

Have you found the solution for this?

raviagrawal86 commented 1 year ago

What I believe is you are missing cross-account KMS key access. That did the trick for me.