Configure CloudWatch metrics
When you configure CloudWatch metrics, you can choose to configure automatically or manually in the AWS Management Console. With automatic configuration, you can use either CloudFormation or Terraform. Choose the one that fits with your setup. Either of these options not only automate the process, but allows you to keep track of the resources created.
The connection and configuration process for CloudFormation and Terraform includes these major processes:
- Connecting to your AWS account
- Configuring the connection between Grafana Cloud and your AWS account
- Choosing the service to monitor and configuring its settings
Navigate to CloudWatch metrics
- Navigate to your Grafana Cloud portal.
- In your Grafana Cloud stack, expand Infrastructure in the main menu.
- Click AWS, then click Add your AWS services.
At the Configuration page, find and click the CloudWatch metrics tile.
At the CloudWatch metrics page, click Add new scrape job. The Create new scrape job configuration page appears.
Perform subsequent steps to configure:
- Automatically with Cloud Formation
- Automatically with Terraform
- Manually starting at the AWS Management Console
Configure automatically with Cloud Formation
Complete the following process to configure with Cloud Formation.
Create a new AWS role
Create an AWS role so that Grafana can then assume a role that has access only to your CloudWatch data, with no need to share access and secret keys.
- At the Create new scrape job configuration page, select Automatically to create a new role in the AWS IAM console.
- Click Use CloudFormation.
- Click Launch stack.
- Follow the steps to create the IAM role in AWS CloudFormation.
- Return to the CloudWatch metrics Create new scrape job page.
Connect to AWS account
- At the CloudWatch metrics page in the Scrape job name box, enter the name of your scrape job.
Give your scrape job a unique name that contains only alphanumeric characters, dashes, and underscores. - In the ARN box, paste the ARN you copied from your AWS IAM role you created.
- From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
- Include your AWS resource tags is selected by default. For more information, refer to Query tag data. Ensure your tags adhere to AWS best practices, such as not containing personally identifiable information or other confidential or sensitive information.
Note
Including tags increases the total number of active series, which can impact your Grafana Cloud costs. - Click Configure AWS Account to ensure the connection is working.
Choose services
- Choose the services you want to scrape. You can search in the search box or browse in the list of services.
- Optionally, enter a custom namespace in the Namespace name box and click Add.
Configure service settings
For each service and namespace you have chosen to scrape, select which metrics you want to collect. A default set of metrics is included for each service. For custom namespaces, you must enter the metrics.
- Click Edit Metrics next to the service or namespace to open the edit view.
- Select or deselect metrics.
- For each metric selected, choose the statistics you want to include. You can also choose statistics to apply to all metrics you have selected. Refer to AWS documentation to determine which statistics are possible or best for each metric.
- Select the scrape interval.
- For a custom namespace, click Edit Metrics, and add metrics and statistics.
Optionally configure resource tag use
Optionally, you can narrow the metrics you pull by adding the tag you have placed on a metric in AWS, using the exact AWS tag format. To do so:
- In the Tags section, enter the name of the tag you have assigned in AWS. To add more than one tag, separate them with a comma.
- Select to add this tag to the metrics.
- To further filter, select to Filter by tag value and enter the value associated with the tag.
- Click Save service settings.
Save settings
- After editing the service or namespace, click Save service settings.
- Click Create scrape job to begin collecting metrics.
Explore your AWS service data
- Click Install dashboards and alerts to install prebuilt dashboards and alerts.
- Click View dashboards to explore out-of-the-box dashboards.
Configure automatically with Terraform
Complete the following process to configure with Terraform.
Before you begin
Click Details in the Prometheus card of the Grafana Cloud Portal to find:
- The username / instance ID for your Grafana Cloud Prometheus
- The Terraform snippet you need to provision the IAM role
Input variables
The input variables for the IAM role are:
external_id
: The username / instance ID for your Grafana Cloud Prometheus. AWS uses an external ID to provide an extra layer of security when giving Grafana access to pull your CloudWatch metrics into Grafana Cloud.iam_role_name
: A customizable name of the IAM role used by Grafana for the CloudWatch integration. The default value isGrafanaCloudWatchIntegration
.
Output variable
The output variable is role_arn
, which is the IAM role ARN you need to use when you create the scrape job.
Create a new AWS role
Create an AWS role so that Grafana can then assume a role that has access only to your CloudWatch data, with no need to share access and secret keys.
At the Create new scrape job configuration page, select Automatically to create a new role in the AWS IAM console.
Click Use Terraform.
Configure the AWS CLI.
Copy this snippet into your Terraform file.
terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 3.0" } } } locals { grafana_account_id = "008923505280" } variable "external_id" { type = string description = "This is your Grafana Cloud identifier and is used for security purposes." validation { condition = length(var.external_id) > 0 error_message = "ExternalID is required." } } variable "iam_role_name" { type = string default = "GrafanaLabsCloudWatchIntegration" description = "Customize the name of the IAM role used by Grafana for the CloudWatch integration." } data "aws_iam_policy_document" "trust_grafana" { statement { effect = "Allow" principals { type = "AWS" identifiers = ["arn:aws:iam::${local.grafana_account_id}:root"] } actions = ["sts:AssumeRole"] condition { test = "StringEquals" variable = "sts:ExternalId" values = [var.external_id] } } } resource "aws_iam_role" "grafana_labs_cloudwatch_integration" { name = var.iam_role_name description = "Role used by Grafana CloudWatch integration." # Allow Grafana Labs' AWS account to assume this role. assume_role_policy = data.aws_iam_policy_document.trust_grafana.json # This policy allows the role to discover metrics via tags and export them. inline_policy { name = var.iam_role_name policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = [ "tag:GetResources", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "apigateway:GET", "aps:ListWorkspaces", "autoscaling:DescribeAutoScalingGroups", "dms:DescribeReplicationInstances", "dms:DescribeReplicationTasks", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeSpotFleetRequests", "shield:ListProtections", "storagegateway:ListGateways", "storagegateway:ListTagsForResource" ] Resource = "*" } ] }) } } output "role_arn" { value = aws_iam_role.grafana_labs_cloudwatch_integration.arn description = "The ARN for the role created, copy this into Grafana Cloud installation." }
Run the
terraform apply
command, and either set variables directly in the CLI or create atfvars
file as the following shows:- To set the variables directly in the CLI, use the following example:
bash terraform apply \ -var="grafana_importer_external_id=<your external ID>" \ -var="iam_role_name=GrafanaCloudWatchIntegration"
- To create a
tfvars
file (.tfvars), add the following text: Run the following command:grafana_importer_external_id="<your external ID>" iam_role_name="GrafanaCloudWatchIntegration"
terraform apply -var-file="<your-tfvars-file>.tfvars"
- To set the variables directly in the CLI, use the following example:
After the Terraform apply command has finished creating the IAM Role, it outputs your role_arn. For example:
role_arn = "arn:aws:iam::<yourAWSAccountID>:role/<iam_role_name>"
Connect to AWS account
- At the CloudWatch metrics page in the Scrape job name box, enter the name of your scrape job.
Give your scrape job a unique name, containing only alphanumeric characters, dashes, and underscores. - In the ARN box, paste the
role_arn
Terraform output. - From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
- Include your AWS resource tags is selected by default. For more information, refer to Query tag data. Ensure your tags adhere to AWS best practices, such as not containing personally identifiable information or other confidential or sensitive information.
Note
Including tags increases the total number of active series, which can impact your Grafana Cloud costs. - Click Configure AWS Account to ensure the connection is working.
Choose services
- Select the services you want to scrape. You can search in the search box or browse in the list of services.
- Optionally, enter a custom namespace in the Namespace name box and click Add.
Configure service settings
For each service and namespace you have chosen to scrape, select which metrics you want to collect. A default set of metrics is included for each service. For custom namespaces, you must enter the metrics.
- Click Edit Metrics next to the service or namespace to open the edit view.
- Select or deselect metrics.
- For each metric selected, choose the statistics you want to include. You can also choose statistics to apply to all metrics you have selected. Refer to AWS documentation to determine which statistics are possible or best for each metric.
- Select the scrape interval.
- For a custom namespace, click Edit Metrics, and add metrics and statistics.
Optionally configure resource tag use
Optionally, you can narrow the metrics you pull by adding the tag you have placed on a metric in AWS, using the exact AWS tag format. To do so:
- In the Tags section, enter the name of the tag you have assigned in AWS. To add more than one tag, separate them with a comma.
- Select to add this tag to the metrics.
- To further filter, select to Filter by tag value and enter the value associated with the tag.
- Click Save service settings.
Save settings
- After editing the service or namespace, click Save service settings.
- Click Create scrape job to begin collecting metrics.
Explore your AWS service data
- Click Install dashboards and alerts to install prebuilt dashboards and alerts.
- Click View dashboards to explore out-of-the-box dashboards.
Configure manually in the AWS Management Console
When you create the role in the AWS IAM console, there are many more steps required. It is recommended that you use CloudFormation or Terraform to configure.
Before you begin
Make sure you have:
- Username / Instance ID for your Grafana Cloud Prometheus. You can find this by clicking on Details in the Prometheus card of the Grafana Cloud Portal.
- External ID: AWS uses an external ID to provide an extra layer of security when giving Grafana access to pull your CloudWatch metrics into Grafana Cloud.
Create a new AWS role
Create an AWS role so that Grafana can then assume a role that has access only to your CloudWatch data, with no need to share access and secret keys.
- At the Create new scrape job configuration page, select Manually to create a new role in the AWS IAM console.
- Click Open AWS IAM Console to open the IAM console.
- In Roles, click Create role.
- Select AWS Account for Trusted entity type.
- Select Another AWS account.
- In Account ID, enter the Grafana AWS account ID shown on the Create new scrape job configuration page.
- Select Require external ID, and enter the Username / Instance ID for your Grafana Cloud Prometheus as shown on the Create new scrape job page.
- Click Next: Permissions, then Create policy.
- At the Grafana Cloud Create new scrape job page under the Grant permissions to Grafana Cloud section, copy and paste the JSON into the policy text box in the AWS IAM console. This replaces the existing code.
Connect to AWS account
- At the Create new scrape job page in the Scrape job name box, enter the name of your scrape job.
Give your scrape job a unique name, containing only alphanumeric characters, dashes, and underscores. - Paste the ARN from your AWS IAM role in the ARN box.
- From the AWS Regions drop-down menu, select the regions where you have services you want to monitor.
- Include your AWS resource tags is selected by default. For more information, refer to Query tag data. Ensure your tags adhere to AWS best practices, such as not containing personally identifiable information or other confidential or sensitive information.
- Click Configure AWS Account to ensure the connection is working.
Choose services
- Choose the services you want to scrape. You can search in the search box or browse in the list of services.
- Optionally, enter a custom namespace in the Namespace name box and click Add.
Configure service settings
For each service and namespace you have chosen to scrape, select which metrics you want to collect. A default set of metrics is included for each service. For custom namespaces, you must enter the metrics.
- Click Edit Metrics next to the service or namespace to open the edit view.
- Select or deselect metrics.
- For each metric selected, choose the statistics you want to include. You can also choose statistics to apply to all metrics you have selected. Refer to AWS documentation to determine which statistics are possible or best for each metric.
- Select the scrape interval.
- For a custom namespace, click Edit Metrics, and add metrics and statistics.
Optionally configure resource tag use
Optionally, you can narrow the metrics you pull by adding the tag you have placed on a metric in AWS, using the exact AWS tag format. To do so:
- In the Tags section, enter the name of the tag you have assigned in AWS. To add more than one tag, separate them with a comma.
- Select to add this tag to the metrics.
- To further filter, select to Filter by tag value and enter the value associated with the tag.
- Click Save service settings.
Save settings
- After editing the service or namespace, click Save service settings.
- Click Create scrape job to begin collecting metrics.
Explore your AWS service data
- Click Install dashboards and alerts to install prebuilt dashboards and alerts.
- Click View dashboards to explore out-of-the-box dashboards.
Add, edit or delete a scrape job
To add a scrape job, on the Your scrape jobs page, click Add new scrape job.
To edit a scrape job:
Click Configuration on the main menu, then click the CloudWatch metrics tile.
At the Your scrape jobs page, open the edit view by one of these methods:
- Click the name of the scrape job.
- Click the three-dot menu icon next to the scrape job, and select Edit.
In the Edit scrape job view, make your changes.
Click Save scrape job.
To delete a scrape job, at the Your scrape jobs page, you can either:
Click the name of the scrape job to open the Edit scrape job page, click Delete scrape job, then click Delete to confirm.
Click the three-dot menu icon next to the scrape job, select Delete, then click Delete to confirm.
Enable account_alias
label in collected metrics
Amazon CloudWatch Metrics supports pulling the AWS Account alias, as an additional label, account_alias
, into all collected metrics. If the configured IAM role doesn’t have enough permissions to fetch the account alias, it isn’t added.
To enable the collection and addition of the account_alias
label in all collected metrics, add the iam:ListAccountAliases
permission to the IAM Policy used by Grafana.
You can check if the account_alias
label is present by running the following query:
group({__name__=~"aws.+"}) by (account_alias)