Alerting to SNS located in a different AWS account
I have the requirement to configure Grafana alerting using SNS located in a different AWS account than Grafana's. Unfortunately, it doesn't work as it should.
NOTE: When the SNS topic is created in the same AWS account as Managed Grafana, everything works fine.
STEPS to reproduce
AWS_ACCOUNT_SNS – account where SNS topic is created
AWS_ACCOUNT_GRAFANA – account where Managed Grafana is created
- In AWS_ACCOUNT_SNS created IAM Role `sns-assume-role`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS_ACCOUNT_GRAFANA:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
- In AWS_ACCOUNT_SNS created IAM policy as below and attached it to the `sns-assume-role` role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": [
        "arn:aws:sns:*:AWS_ACCOUNT_SNS:grafana*"
      ]
    }
  ]
}
```
- In AWS_ACCOUNT_SNS created SNS topic `grafana-core-managed-grafana-sns` with access policy "Allow everyone to publish".
- In AWS_ACCOUNT_GRAFANA created IAM Policy and attached the policy to the Managed Grafana Workspace IAM role:

```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_GRAFANA:role/sns-assume-role"
      ],
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
```
- Configured the Contact Point in Managed Grafana to use SNS. Selected Workspace IAM Role as Auth Provider. In the `Topic` field included: arn:aws:sns:us-east-1:AWS_ACCOUNT_GRAFANA:grafana-core-managed-grafana-sns
--
I have been using a similar IAM approach to allow Managed Grafana to read logs from CloudWatch located in a different AWS account, and it works fine. I would expect it to work in a similar manner for Grafana alerting, OR documentation which explains how to achieve cross-account configuration for SNS and Managed Grafana.

Have you found the solution for this?

What I believe is you are missing cross-account KMS key access. That did the trick for me.
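As an added example (not code from the thread's authors), an offline consistency check for the four pieces of the chain described in the steps above: the trust policy on `sns-assume-role`, the publish policy attached to it, the AssumeRole policy on the workspace role, and the topic ARN in the contact point, plus the KMS grants the last reply points at (an SNS topic encrypted with a customer managed key needs the publisher to hold kms:GenerateDataKey and kms:Decrypt on that key). The account IDs, key ARN and policy dicts are constructed placeholders that mirror the thread, with the role and topic ARNs pointed at the SNS account.

```python
import fnmatch

SNS_ACCOUNT, GRAFANA_ACCOUNT = "111111111111", "222222222222"  # constructed placeholder IDs

def arn_account(arn):
    # arn:partition:service:region:account:resource -> the account field
    return arn.split(":", 5)[4]

def allow_pairs(policy):
    # Flatten Allow statements into (action, resource) pairs; scalar or list forms accepted.
    pairs = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        acts, res = st.get("Action", []), st.get("Resource", "*")
        for a in ([acts] if isinstance(acts, str) else acts):
            for r in ([res] if isinstance(res, str) else res):
                pairs.append((a, r))
    return pairs

def grants(policy, action, resource):
    # True if some Allow statement covers the action and resource, honouring '*' wildcards.
    return any(fnmatch.fnmatchcase(action, a) and fnmatch.fnmatchcase(resource, r)
               for a, r in allow_pairs(policy))

def check_setup(trust, publish, assume, topic_arn, kms_key_arn=None):
    """Return findings for the cross-account chain; an empty list means every hop is consistent."""
    findings = []
    if not any(GRAFANA_ACCOUNT in str(st.get("Principal"))  # role in SNS account must trust Grafana account
               for st in trust["Statement"] if st.get("Effect") == "Allow"):
        findings.append("trust policy does not allow the Grafana account to assume the role")
    if not any(a == "sts:AssumeRole" and arn_account(r) == SNS_ACCOUNT for a, r in allow_pairs(assume)):
        findings.append("assume policy names no role in the SNS account")  # workspace role -> SNS-account role
    if arn_account(topic_arn) != SNS_ACCOUNT:
        findings.append("topic ARN in the contact point is not in the SNS account")
    if not grants(publish, "sns:Publish", topic_arn):
        findings.append("assumed role cannot sns:Publish to the topic")
    if kms_key_arn:  # topic encrypted with a customer managed key: publisher also needs the key
        for action in ("kms:GenerateDataKey", "kms:Decrypt"):
            if not grants(publish, action, kms_key_arn):
                findings.append(f"assumed role lacks {action} on the topic's KMS key")
    return findings

# Constructed inputs mirroring the thread's policies, with role and topic ARNs in the SNS account.
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": f"arn:aws:iam::{GRAFANA_ACCOUNT}:root"}}]}
PUBLISH = {"Statement": [{"Effect": "Allow", "Action": ["sns:Publish"], "Resource": [f"arn:aws:sns:*:{SNS_ACCOUNT}:grafana*"]}]}
ASSUME = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [f"arn:aws:iam::{SNS_ACCOUNT}:role/sns-assume-role"]}]}
TOPIC = f"arn:aws:sns:us-east-1:{SNS_ACCOUNT}:grafana-core-managed-grafana-sns"
KEY = f"arn:aws:kms:us-east-1:{SNS_ACCOUNT}:key/PLACEHOLDER-KEY-ID"  # placeholder, not a real key id
```

`check_setup(TRUST, PUBLISH, ASSUME, TOPIC, KEY)` returns the two missing-KMS-grant findings; a publish policy that also allows `kms:GenerateDataKey*` and `kms:Decrypt` on `KEY` returns an empty list.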