Configure CloudWatch metrics
To set up the account delegation, you can use either CloudFormation or Terraform. We recommend you choose the one that fits with your existing setup. Either option not only automates the process but also lets you keep track of the resources created. You can also configure the account delegation manually in the AWS Console.
The connection and configuration process for CloudFormation and Terraform includes two major processes:
- Connecting to your AWS account
- Configuring the connection between Grafana Cloud and your AWS account
Navigate to the integration
- Navigate to your Grafana Cloud portal.
- In your Grafana Cloud stack, click Connections in the left-hand menu.
- Find the AWS tile, and click it to open the AWS solution.
- Find the CloudWatch metrics tile, and click it. The Configuration page opens.
Configure with CloudFormation
Complete the following process to configure with CloudFormation.
1. Create a new AWS role
- Click Automatically to create a new role in the AWS IAM console.
- Click Use CloudFormation.
- Click Launch stack.
- Follow the steps to create the IAM role in AWS CloudFormation.
- Return to the CloudWatch metrics Add new connection page.
2. Connect to AWS account
- At the CloudWatch metrics page in the Scrape job name box, enter the name of your scrape job.
  Give your scrape job a unique name that contains only alphanumeric characters, dashes, and underscores.
- In the ARN box, paste the ARN you copied from your AWS IAM role.
- From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
- Include your AWS resource tags is selected by default. For more information, refer to Query tag data. Ensure your tags adhere to AWS best practices, such as not containing personally identifiable information or other confidential or sensitive information.
- Click Test Connection to ensure the connection is working.
Note: When you include tags, this will increase the total number of active series, which can impact your Grafana Cloud costs.
3. Create scrape job
After you have successfully tested the connection, create the scrape job.
Configure with Terraform
Complete the following process to configure with Terraform.
Before you begin
Click Details in the Prometheus card of the Grafana Cloud Portal to find:
- The username / instance ID for your Grafana Cloud Prometheus
- The Terraform snippet you need to provision the IAM role
Input variables
The input variables for the IAM role are:
- external_id: The username / instance ID for your Grafana Cloud Prometheus. AWS uses an external ID to provide an extra layer of security when giving Grafana access to pull your CloudWatch metrics into Grafana Cloud.
- iam_role_name: A customizable name of the IAM role used by Grafana for the CloudWatch integration. The default value is GrafanaCloudWatchIntegration.
Output variable
The output variable is role_arn, which is the IAM role ARN you need to use when you create the scrape job.
1. Create a new AWS role
- Select Automatically to create a new role in the AWS IAM console.
- Click Use Terraform.
- Configure the AWS CLI.
- Copy this snippet into your Terraform file.
```terraform
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

locals {
  grafana_account_id = "008923505280"
}

variable "external_id" {
  type        = string
  description = "This is your Grafana Cloud identifier and is used for security purposes."
  validation {
    condition     = length(var.external_id) > 0
    error_message = "ExternalID is required."
  }
}

variable "iam_role_name" {
  type        = string
  default     = "GrafanaLabsCloudWatchIntegration"
  description = "Customize the name of the IAM role used by Grafana for the CloudWatch integration."
}

data "aws_iam_policy_document" "trust_grafana" {
  statement {
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.grafana_account_id}:root"]
    }
    actions = ["sts:AssumeRole"]
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "grafana_labs_cloudwatch_integration" {
  name        = var.iam_role_name
  description = "Role used by Grafana CloudWatch integration."

  # Allow Grafana Labs' AWS account to assume this role.
  assume_role_policy = data.aws_iam_policy_document.trust_grafana.json

  # This policy allows the role to discover metrics via tags and export them.
  inline_policy {
    name = var.iam_role_name
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [
            "tag:GetResources",
            "cloudwatch:GetMetricData",
            "cloudwatch:ListMetrics",
            "apigateway:GET",
            "aps:ListWorkspaces",
            "autoscaling:DescribeAutoScalingGroups",
            "dms:DescribeReplicationInstances",
            "dms:DescribeReplicationTasks",
            "ec2:DescribeTransitGatewayAttachments",
            "ec2:DescribeSpotFleetRequests",
            "shield:ListProtections",
            "storagegateway:ListGateways",
            "storagegateway:ListTagsForResource"
          ]
          Resource = "*"
        }
      ]
    })
  }
}

output "role_arn" {
  value       = aws_iam_role.grafana_labs_cloudwatch_integration.arn
  description = "The ARN for the role created, copy this into Grafana Cloud installation."
}
```
- Run the terraform apply command, and either set variables directly in the CLI or create a tfvars file, as the following shows:
  - To set the variables directly in the CLI, use the following example:

```bash
terraform apply \
  -var="external_id=<your external ID>" \
  -var="iam_role_name=GrafanaCloudWatchIntegration"
```

  - To create a tfvars file (.tfvars), add the following text:

```terraform
external_id   = "<your external ID>"
iam_role_name = "GrafanaCloudWatchIntegration"
```

    Run the following command:

```bash
terraform apply -var-file="<your-tfvars-file>.tfvars"
```

After the Terraform apply command has finished creating the IAM Role, it will output your role_arn. For example:
```bash
role_arn = "arn:aws:iam::<yourAWSAccountID>:role/<iam_role_name>"
```
2. Connect to AWS account
- At the CloudWatch metrics page in the Scrape job name box, enter the name of your scrape job.
  Give your scrape job a unique name, containing only alphanumeric characters, dashes, and underscores.
- In the ARN box, paste the role_arn Terraform output.
- From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
- Include your AWS resource tags is selected by default. For more information, refer to Query tag data. Ensure your tags adhere to AWS best practices, such as not containing personally identifiable information or other confidential or sensitive information.
- Click Test Connection to ensure the connection is working.
Note: When you include tags, this will increase the total number of active series, which can impact your Grafana Cloud costs.
3. Create scrape job
After you have successfully tested the connection, create the scrape job.
Configure manually in the AWS Console
When you create the role in the AWS IAM console, there are many more steps required. It is recommended that you use CloudFormation or Terraform to configure.
Before you begin
Make sure you have:
- Username / Instance ID for your Grafana Cloud Prometheus. You can find this by clicking on Details in the Prometheus card of the Grafana Cloud Portal.
- External ID: AWS uses an external ID to provide an extra layer of security when giving Grafana access to pull your CloudWatch metrics into Grafana Cloud.
1. Create a new AWS role
- Select Manually to create a new role in the AWS IAM console.
- Click Open AWS IAM Console to open the console.
Configure in AWS IAM Console
- In Roles, click Create role.
- Select AWS Account for Trusted entity type.
- Select Another AWS account.
- In Account ID, enter the Grafana AWS account ID shown on the CloudWatch metrics configuration page.
- Select Require external ID, and enter the Username / Instance ID for your Grafana Cloud Prometheus as shown on the CloudWatch metrics page.
- Click Next: Permissions, then Create policy.
- At the CloudWatch metrics configuration page, copy the JSON in the Grant permissions to Grafana Cloud section and paste it in the policy textbox in the AWS IAM console. This replaces the existing code.
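The following check is an added example, not part of the original Grafana documentation: it audits a role's trust policy for the two settings made in the steps above, the Grafana AWS account as the only principal and a required external ID. The sample policies and the external ID 123456 are constructed; the account ID is the one from the Terraform snippet on this page, and the function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Grafana's AWS account ID as given in the Terraform snippet on this page.
GRAFANA_ACCOUNT_ID = "008923505280"

def _as_list(value):
    """IAM JSON accepts a bare string wherever a list is allowed."""
    return value if isinstance(value, list) else [] if value is None else [value]

def audit_trust_policy(policy, external_id, account_id=GRAFANA_ACCOUNT_ID):
    """Return findings for a role trust policy; an empty list means it is as expected."""
    findings = []
    trusted = {account_id, f"arn:aws:iam::{account_id}:root"}
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase("sts:assumerole", a) for a in actions):
            continue  # only statements that let someone assume the role matter
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: principal is not limited to an AWS account")
        else:
            for p in _as_list(principal["AWS"]):
                if p not in trusted:
                    findings.append(f"statement {i}: unexpected principal {p}")
        # Condition key names are case-insensitive in IAM.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        ids = _as_list(equals.get("sts:externalid"))
        if not ids:
            findings.append(f"statement {i}: no StringEquals condition on sts:ExternalId")
        elif ids != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match the expected value")
    return findings

# Constructed samples: "123456" stands in for your Username / Instance ID.
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::008923505280:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "123456"}}}]}""")
# The same role created without selecting Require external ID.
NO_EXTERNAL_ID = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::008923505280:root"}}]}""")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("NO_EXTERNAL_ID", NO_EXTERNAL_ID)):
        print(name, audit_trust_policy(doc, "123456") or "ok")
```

To run it against a real role, pass in the JSON printed by `aws iam get-role --role-name <role name> --query Role.AssumeRolePolicyDocument`.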
2. Connect to AWS account
- At the CloudWatch metrics page in the Scrape job name box, enter the name of your scrape job.
  Give your scrape job a unique name, containing only alphanumeric characters, dashes, and underscores.
- At the CloudWatch metrics configuration page, paste the ARN from your AWS IAM role in the ARN box.
- From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
- Include your AWS resource tags is selected by default. For more information, refer to Query tag data. Ensure your tags adhere to AWS best practices, such as not containing personally identifiable information or other confidential or sensitive information.
- Click Test Connection to ensure the connection is working.
Note: When you include tags, this will increase the total number of active series, which can impact your Grafana Cloud costs.
3. Create scrape job
After you have successfully tested the connection, create the scrape job.
Create a scrape job
The steps to create a scrape job are:
- Select a service and what you want to gather.
- Set the scrape interval.
- Include AWS resource tags.
- Create the job.
Select a service
- Select a service to monitor. The default metrics and statistics are shown for each service.
- Optionally, in the Statistics drop-down menu, select what you want to gather from all metrics and click Apply to metrics selected. Alternatively, you can select the statistics for each metric. You can also deselect any metric you do not wish to include.
Set a scrape interval
- Currently, five minutes is the supported interval for scraping.
- Click Save service settings.
You can add another scrape job by clicking +Service.
Create the scrape job
- Click Create scrape job to begin metrics collection.
- If you receive an error message, refer to Work with job limits.
Next steps
Click Install to install prebuilt dashboards.