computestdev / grafana-cloudwatchalarm-datasource

Grafana data source for Amazon AWS CloudWatch Alarm status
Apache License 2.0

Ability to view shared alarms from other accounts #10

Open viktord opened 1 month ago

viktord commented 1 month ago

It would be very nice if the plugin had the ability to show shared alarms from other AWS accounts, not only from the account where the IAM credentials/role resides:

[Screenshot 2024-09-04 at 9 36 03]

Thank you!

jvanderwel-ct commented 2 days ago

Oh, I have not seen that option before in the AWS CloudWatch console.

If I am reading the correct docs, it seems that AWS is using AssumeRole to access the alarms in the other accounts.

This plugin also supports assuming a role (although I have not tested that feature much). You would have to grant access to the IAM user to assume roles. Then, create the proper roles within the other accounts. Then, set up a data source for each account and region, filling in the "Assume Role ARN" setting.

It might be possible to update this plugin so that it automatically iterates over all accounts within your AWS organization. However, that is probably tricky to implement. I based this plugin off the official Grafana CloudWatch datasource, which also does not support such a thing (as far as I know).

In our own setup, I automatically provision multiple data sources using our CI/CD software, one for each of our AWS accounts. You would have to generate a small YAML file. For example:

/etc/grafana/provisioning/datasources/example.yml

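```yaml
# Grafana provisioning files need the apiVersion and datasources top-level keys.
apiVersion: 1
datasources:
  - jsonData:
      authType: keys
      defaultRegion: eu-west-1
    name: Production Alarms
    orgId: 1
    secureJsonData:
      accessKey: AKIAIOSFODNN7EXAMPLE
      secretKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    type: computest-cloudwatchalarm-datasource
```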
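
A sketch of the per-account generation step described in the comment above, added here as an example; it is not code from the thread or from the plugin. The account IDs, the role name `GrafanaAlarmReader`, the `GRAFANA_AWS_*` environment variable names and the `assumeRoleArn` key (the name the official Grafana CloudWatch data source uses for "Assume Role ARN") are assumptions to check against the plugin. The credentials are written as `$VAR` references, which Grafana expands when it loads provisioning files, so the generated file carries no secret.

```python
import json
import re

# Constructed sample inventory: account IDs and role name are placeholders.
ACCOUNTS = {"Production": "111111111111", "Staging": "222222222222"}
REGIONS = ["eu-west-1", "us-east-1"]
ROLE_NAME = "GrafanaAlarmReader"  # hypothetical role created in each account
PLUGIN_TYPE = "computest-cloudwatchalarm-datasource"


def role_arn(account_id, role_name):
    """Build the IAM role ARN, rejecting malformed input before it reaches Grafana."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    if not re.fullmatch(r"[A-Za-z0-9_+=,.@-]{1,64}", role_name):
        raise ValueError(f"invalid IAM role name: {role_name!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_provisioning(accounts, regions, role_name):
    """Return a provisioning document with one data source per (account, region)."""
    datasources = []
    for label, account_id in sorted(accounts.items()):
        arn = role_arn(account_id, role_name)
        for region in regions:
            datasources.append({
                "name": f"{label} Alarms ({region})",
                "type": PLUGIN_TYPE,
                "orgId": 1,
                "jsonData": {
                    "authType": "keys",
                    "defaultRegion": region,
                    "assumeRoleArn": arn,  # assumed key name, see lead-in
                },
                # Hypothetical variable names; Grafana expands them at load time.
                "secureJsonData": {
                    "accessKey": "$GRAFANA_AWS_ACCESS_KEY",
                    "secretKey": "$GRAFANA_AWS_SECRET_KEY",
                },
            })
    return {"apiVersion": 1, "datasources": datasources}


def render(config):
    """Serialize as JSON, which is valid YAML flow syntax."""
    return json.dumps(config, indent=2) + "\n"


if __name__ == "__main__":
    print(render(build_provisioning(ACCOUNTS, REGIONS, ROLE_NAME)))
```

Redirect the output to a file under `/etc/grafana/provisioning/datasources/` from the CI/CD job, and set the two environment variables for the Grafana process.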