What's new from Grafana Labs
Grafana Cloud Generally Available Data sources
Release date: 2026-04-20

Better security with Grafana Assume Role for AWS data sources

We’re excited to announce AWS Grafana Assume Role support across Grafana’s AWS data sources, now generally available in Grafana Cloud.                                                                                                               

Instead of configuring long-lived AWS access keys and secrets in each data source, you can now authenticate using IAM role assumption. Grafana uses the AWS Security Token Service (STS) to generate short-lived, scoped credentials at query time, following AWS security best practices for least-privilege access.

How it works 

In your data source configuration, select AWS Grafana Assume Role as the authentication provider and specify the IAM role ARN you want Grafana to assume. Grafana handles credential rotation automatically — no manual key rotation, no expiry management.

This makes it simpler to manage access across multiple AWS accounts. You can grant a single Grafana role permission to assume different account-scoped roles instead of maintaining separate credentials per account.
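An added example, not Grafana's code and not from this post: a small Python audit of the trust policy on an account-scoped role, checking that only one expected principal can assume it and that an `sts:ExternalId` condition is present. The principal ARN, the external ID, and the expectation that an external ID is required are assumptions made for the illustration; the real values come from the Grafana documentation.

```python
# Constructed placeholders: not values published by Grafana or taken from the page.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:role/example-grafana-role"
EXPECTED_EXTERNAL_ID = "example-external-id"
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, principal=EXPECTED_PRINCIPAL,
                       external_id=EXPECTED_EXTERNAL_ID):
    """Return findings for a role trust policy; an empty list means it passed."""
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and ASSUME_ACTIONS & set(_as_list(s.get("Action", [])))]
    if not allows:
        return ["no Allow statement grants sts:AssumeRole"]
    findings = []
    for i, stmt in enumerate(allows):
        princ = stmt.get("Principal", {})
        aws = _as_list(princ.get("AWS", [])) if isinstance(princ, dict) else [princ]
        if not aws:
            findings.append(f"statement {i}: no AWS principal (service or federated trust)")
        for p in aws:
            if p != principal:
                findings.append(f"statement {i}: unexpected principal {p}")
        # Assumption: the role is meant to be assumable only with this external ID.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(equals.get("sts:ExternalId", [])) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return findings


def _policy(principal, condition=None):
    """Build a one-statement trust policy for the constructed samples below."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample policies: one scoped, one trusting a whole account, one wildcard.
SCOPED = _policy({"AWS": EXPECTED_PRINCIPAL},
                 {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}})
ACCOUNT_WIDE = _policy({"AWS": "arn:aws:iam::111111111111:root"})
WILDCARD = _policy("*", {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}})
```

Running `audit_trust_policy` over each account's role policy before pointing a data source at it flags roles that trust an entire account or any principal, which would defeat the scoping the short-lived credentials are meant to provide.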

Supported data sources 

AWS Grafana Assume Role is available for the following Grafana-managed AWS data sources:

  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon Athena
  • Amazon Redshift
  • Amazon Timestream    
  • Amazon X-Ray
  • Amazon OpenSearch             
  • Amazon SiteWise       
  • Amazon Managed Prometheus (AMP)

Note: AWS Grafana Assume Role is not supported in the IoT TwinMaker app (grafana-iot-twinmaker-app).

To learn more about Grafana Assume Role, refer to the documentation.

