Accounts
When you configure AWS, you need to connect to an AWS account, which you can use across multiple scrape jobs. An account includes an Amazon Resource Name (ARN), a list of AWS regions, and, optionally, a name to easily recognize it.
Create an account
You can create an account:
- Automatically with CloudFormation
- Automatically with Terraform
- Manually starting at the AWS Management Console
Configure automatically with CloudFormation
Complete the following process to configure with CloudFormation.
Create a new IAM role
Create an IAM role that Grafana Cloud can assume and that has access only to your CloudWatch data. This way, you don't need to share access keys and secret keys.
- At the Create new account configuration page, select Automatically to create a new role in the AWS IAM console.
- Click Use CloudFormation.
- Click Launch stack.
- Follow the steps to create the IAM role in AWS CloudFormation.
- Return to the Create new account page.
Connect to AWS account
- At the AWS Accounts Create new account page, in the Account name box, optionally enter a name for your account. Give your account a unique name that contains only alphanumeric characters, dashes, and underscores.
- In the ARN box, paste the ARN you copied from the AWS IAM role you created.
- From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
- Click Add account to ensure the connection is working, and to save your new account.
Configure automatically with Terraform
Refer to Terraform configuration for instructions on using Terraform to scrape your Amazon CloudWatch metrics data.
Configure manually in the AWS Management Console
Creating the role manually in the AWS IAM console requires many more steps. It is recommended that you use the automatic CloudFormation or Terraform method instead.
Before you begin
Make sure you have:
- Username / Instance ID for your Grafana Cloud Prometheus. You can find this by clicking on Details in the Prometheus card of the Grafana Cloud Portal.
- External ID: AWS uses an external ID to provide an extra layer of security when giving Grafana access to pull your CloudWatch metrics into Grafana Cloud.
Create a new IAM role
Create an IAM role that Grafana Cloud can assume and that has access only to your CloudWatch data. This way, you don't need to share access keys and secret keys.
- At the Create account page, select Manually to create a new role in the AWS IAM console.
- Click Open AWS IAM Console to open the IAM console.
- In Roles, click Create role.
- Select AWS Account for Trusted entity type.
- Select Another AWS account.
- In Account ID, enter the Grafana AWS account ID shown on the Create new account configuration page.
- Select Require external ID, and enter the Username / Instance ID for your Grafana Cloud Prometheus as shown on the Create new scrape job page.
- Click Next: Permissions, then Create policy.
- At the Grafana Cloud Create account page, under the Grant permissions to Grafana Cloud section, copy the JSON and paste it into the policy text box in the AWS IAM console. This replaces the existing code.
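The trusted-entity steps above (Another AWS account, Account ID, Require external ID) produce a role trust policy, and the following added example, which is not Grafana's or AWS's own code, audits such a policy document for the two properties those steps set. The account ID, external ID, sample policies and function names are constructed placeholders and assumptions.

```python
# Constructed placeholders: substitute the Grafana AWS account ID and the
# external ID (Username / Instance ID) shown on your Grafana Cloud pages.
GRAFANA_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "123456"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_ok(principal, account_id):
    """Accept only the expected account, as a bare ID or its :root ARN."""
    if not isinstance(principal, dict) or set(principal) != {"AWS"}:
        return False  # "*" or extra principal types (Service, Federated)
    allowed = {account_id, f"arn:aws:iam::{account_id}:root"}
    arns = _as_list(principal["AWS"])
    return bool(arns) and all(a in allowed for a in arns)

def audit_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means the policy matches the procedure."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allows:
        findings.append("no Allow statement for sts:AssumeRole")
    for i, stmt in enumerate(allows):
        if not _principal_ok(stmt.get("Principal"), account_id):
            findings.append(f"statement {i}: principal is not limited to account {account_id}")
        # IAM condition keys are case-insensitive, so compare in lower case.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        cond = {k.lower(): v for k, v in equals.items()}
        if _as_list(cond.get("sts:externalid", [])) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId is missing or does not match")
    return findings

def _policy(principal, condition):
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed samples: the policy the steps produce, and two weaker variants.
ROOT = {"AWS": f"arn:aws:iam::{GRAFANA_ACCOUNT_ID}:root"}
REQUIRE_ID = {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}
GOOD = _policy(ROOT, REQUIRE_ID)
NO_EXTERNAL_ID = _policy(ROOT, None)
ANY_PRINCIPAL = _policy("*", REQUIRE_ID)

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("no external ID", NO_EXTERNAL_ID), ("any principal", ANY_PRINCIPAL)]:
        print(name, audit_trust_policy(doc, GRAFANA_ACCOUNT_ID, EXTERNAL_ID) or "OK")
```

To audit a real role, load the document returned by `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` and pass it in place of the samples.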
Connect to AWS account
- At the AWS Accounts Create new account page, in the Account name box, optionally enter a name for your account. Give your account a unique name that contains only alphanumeric characters, dashes, and underscores.
- In the ARN box, paste the ARN you copied from the AWS IAM role you created.
- From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
- Click Add account to ensure the connection is working, and to save your new account.
Edit an account
- To edit an account, go to the AWS accounts page.
- At the row of the account, click on the menu icon in the last column of the table.
- Click Edit.
- In the Edit account view, make your changes.
- Click Save.
Delete an account
You can only delete an account if the account has no scrape jobs associated with it. Otherwise, you must first delete its scrape jobs.
Delete an account with no scrape jobs
Use either of these two methods to delete an account with no scrape jobs associated with it from the AWS Accounts page:
- Click the menu icon next to the account, select Delete, then click Delete to confirm.
- Click the name of the account to view the account Details page. Then click on Actions and Delete.
Delete an account with scrape jobs
To delete an account with associated scrape jobs:
- Go to the Your account page.
- Click the menu icon next to the account, select Delete, then click Go to scrape jobs list.
- On the account Details page, select all scrape jobs, and click Delete.
- In the window, click Delete.
- After the window closes, click Actions, then click Delete.