
Configure the Amazon CloudWatch data source

This document provides instructions for configuring the Amazon CloudWatch data source and explains available configuration options. For general information on adding and managing data sources, refer to Data source management.

Before you begin

  • You must have the Organization administrator role to configure the CloudWatch data source. Organization administrators can also configure the data source via YAML with the Grafana provisioning system.

  • Grafana comes with a built-in CloudWatch data source plugin, so you do not need to install a plugin.

  • Familiarize yourself with your CloudWatch security configuration and gather any necessary security certificates, client certificates, and client keys.

Add the CloudWatch data source

Complete the following steps to set up a new CloudWatch data source:

  1. Click Connections in the left-side menu.
  2. Click Add new connection.
  3. Type CloudWatch in the search bar.
  4. Select the CloudWatch data source.
  5. Click Add new data source in the upper right.

Grafana takes you to the Settings tab, where you will set up your CloudWatch configuration.

Configure the data source in the UI

The following are configuration options for the CloudWatch data source.

Setting | Description
Name | The data source name. Sets the name you use to refer to the data source in panels and queries.
Default | Toggle to select as the default name in dashboard panels. When you go to a dashboard panel, this will be the default selected data source.

Grafana plugin requests to AWS are made on behalf of an AWS Identity and Access Management (IAM) role or IAM user. The IAM user or IAM role must have the associated policies to perform certain API actions.

For authentication options and configuration details, refer to AWS authentication.

Setting | Description
Authentication | Specify which AWS credentials chain to use. A Grafana plugin’s requests to AWS are made on behalf of an IAM role or IAM user. The IAM user or IAM role must have the necessary policies to perform the required API actions.

Access & secret key:

You must use both an access key ID and a secret access key to authenticate.

Setting | Description
Access Key ID | Enter your key ID.
Secret Access Key | Enter the secret access key.

Assume Role:

Setting | Description
Assume Role ARN | Optional. Specify the ARN of an IAM role to assume. This ensures the selected authentication method is used to assume the role, not used directly.
External ID | If you’re assuming a role in another AWS account that requires an external ID, specify it here.

Additional Settings:

Setting | Description
Endpoint | Optional. Specify a custom endpoint for the AWS service.
Default Region | Specify the AWS region. Example: If the region is US West (Oregon), use us-west-2.
Namespaces of Custom Metrics | Add one or more custom metric namespaces, separated by commas (for example, Namespace1,Namespace2). Grafana can’t automatically load custom namespaces using the CloudWatch GetMetricData API. To make custom metrics available in the query editor, manually specify the namespaces in the Namespaces of Custom Metrics field in the data source configuration.

CloudWatch Logs:

Setting | Description
Query timeout result | Grafana polls CloudWatch Logs every second until AWS returns a Done status or the timeout is reached. An error is returned if the timeout is exceeded. For alerting, the timeout defined in the Grafana config file takes precedence. Enter a valid duration string, such as 30m, 30s or 200ms. The default is 30m.
Default Log Groups | Optional. Specify the default log groups for CloudWatch Logs queries.

X-Ray trace link:

Setting | Description
Data source | Select the X-Ray data source from the drop-down menu.

Grafana automatically creates a link to a trace in the X-Ray data source if logs contain the @xrayTraceId field. To use this feature, you must already have an X-Ray data source configured. For details, see the X-Ray data source docs. To view the X-Ray link, select the log row in either the Explore view or the dashboard Logs panel to open the log details section.

To log the @xrayTraceId, refer to the AWS X-Ray documentation. To provide the field to Grafana, your log queries must also contain the @xrayTraceId field, for example by using the query fields @message, @xrayTraceId.

Private data source connect - Only for Grafana Cloud users.

Setting | Description
Private data source connect | Establishes a private, secured connection between a Grafana Cloud stack and data sources within a private network. Use the drop-down to locate the PDC URL. For setup instructions, refer to Private data source connect (PDC) and Configure PDC. Click Manage private data source connect to open your PDC connection page and view your configuration details.

After configuring your Amazon CloudWatch data source options, click Save & test at the bottom to test the connection. You should see a confirmation dialog box that says:

Note

To troubleshoot issues while setting up the CloudWatch data source, check the /var/log/grafana/grafana.log file.

IAM policy examples

To read CloudWatch metrics and EC2 tags, instances, regions, and alarms, you must grant Grafana permissions via IAM. You can attach these permissions to the IAM role or IAM user you configured in AWS authentication.

Metrics-only permissions:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingMetricsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetInsightRuleReport"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourceMetricsFromPerformanceInsights",
      "Effect": "Allow",
      "Action": "pi:GetResourceMetrics",
      "Resource": "*"
    }
  ]
}

Logs-only permissions:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingLogsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:GetLogGroupFields",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:GetQueryResults",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}

Metrics and logs permissions:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingMetricsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetInsightRuleReport"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourceMetricsFromPerformanceInsights",
      "Effect": "Allow",
      "Action": "pi:GetResourceMetrics",
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingLogsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:GetLogGroupFields",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:GetQueryResults",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}

Cross-account observability permissions:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["oam:ListSinks", "oam:ListAttachedLinks"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note

Cross-account observability lets you retrieve metrics and logs across different accounts in a single region, but you can’t query EC2 Instance Attributes across accounts because those come from the EC2 API and not the CloudWatch API.

For more information on configuring authentication, refer to Configure AWS authentication.

Configure the data source with grafana.ini

The Grafana configuration file includes an AWS section where you can configure data source options:

Configuration option | Description
allowed_auth_providers | Specifies which authentication providers are allowed for the CloudWatch data source. The following providers are enabled by default in open-source Grafana: default (AWS SDK default), keys (Access and secret key), credentials (Credentials file), ec2_IAM_role (EC2 IAM role).
assume_role_enabled | Allows you to disable assume role (ARN) in the CloudWatch data source. The assume role (ARN) is enabled by default in open-source Grafana.
list_metrics_page_limit | Sets the limit of List Metrics API pages. When a custom namespace is specified in the query editor, the List Metrics API populates the Metrics field and Dimension fields. The API is paginated and returns up to 500 results per page, and the data source also limits the number of pages to 500 by default. This setting customizes that limit.

Provision the data source

You can define and configure the data source in YAML files as part of the Grafana provisioning system. For more information about provisioning and available configuration options, refer to Provision Grafana.

Using AWS SDK (default):

YAML
apiVersion: 1
datasources:
  - name: CloudWatch
    type: cloudwatch
    jsonData:
      authType: default
      defaultRegion: eu-west-2

Using credentials’ profile name (non-default):

YAML
apiVersion: 1

datasources:
  - name: CloudWatch
    type: cloudwatch
    jsonData:
      authType: credentials
      defaultRegion: eu-west-2
      customMetricsNamespaces: 'CWAgent,CustomNameSpace'
      profile: secondary

Using accessKey and secretKey:

YAML
apiVersion: 1

datasources:
  - name: CloudWatch
    type: cloudwatch
    jsonData:
      authType: keys
      defaultRegion: eu-west-2
    secureJsonData:
      accessKey: '<your access key>'
      secretKey: '<your secret key>'

Using AWS SDK Default and ARN of IAM Role to Assume:

YAML
apiVersion: 1
datasources:
  - name: CloudWatch
    type: cloudwatch
    jsonData:
      authType: default
      # Must be the ARN of an IAM role (role/...), not the account root principal.
      assumeRoleArn: 'arn:aws:iam::123456789012:role/<your role name>'
      defaultRegion: eu-west-2