From 5130b3c704057d4aa4d2aba7692904ce4c6f337c Mon Sep 17 00:00:00 2001 From: "grafana-delivery-bot[bot]" <132647405+grafana-delivery-bot[bot]@users.noreply.github.com> Date: Fri, 8 Aug 2025 15:14:27 +0100 Subject: [PATCH] [release-12.1.1] AWS Datasources: Update grafana assume role docs for GA (#109403) AWS Datasources: Update grafana assume role docs for GA (#107220) (cherry picked from commit da0f1d7b189ad7a454136ab4d4d30c93f5f44d21) Co-authored-by: Isabella Siu Co-authored-by: Larissa Wandzura <126723338+lwandz13@users.noreply.github.com> Co-authored-by: Kevin Yu --- .../aws-authentication/index.md | 22 ++++++++----------- .../feature-toggles/index.md | 1 + .../src/types/featureToggles.gen.ts | 1 + pkg/services/featuremgmt/registry.go | 3 ++- pkg/services/featuremgmt/toggles_gen.csv | 2 +- pkg/services/featuremgmt/toggles_gen.json | 19 +++++++++++----- 6 files changed, 27 insertions(+), 21 deletions(-) diff --git a/docs/sources/datasources/aws-cloudwatch/aws-authentication/index.md b/docs/sources/datasources/aws-cloudwatch/aws-authentication/index.md index 5df10ff1eae..0d289af1380 100644 --- a/docs/sources/datasources/aws-cloudwatch/aws-authentication/index.md +++ b/docs/sources/datasources/aws-cloudwatch/aws-authentication/index.md 
@@ -160,26 +160,22 @@ securityContext: ## Use Grafana Assume Role {{< admonition type="note" >}} -Grafana Assume Role is currently in [private preview](https://grafana.com/docs/release-life-cycle/) for Grafana Cloud. +Grafana Assume Role is only available in Grafana Cloud. -It's currently only available for Amazon CloudWatch. - -To gain early access to this feature, contact Customer Support and ask for the `awsDatasourcesTempCredentials` feature toggle to be enabled on your account. +It's currently only available for Amazon CloudWatch and Athena. {{< /admonition >}} The Grafana Assume Role authentication provider lets you authenticate with AWS without having to create and maintain long term AWS users or rotate their access and secret keys. Instead, you can create an IAM role that has permissions to access CloudWatch and a trust relationship with Grafana's AWS account. Grafana's AWS account then makes an STS request to AWS to create temporary credentials to access your AWS data. It makes this STS request by passing along an `externalID` that's unique per Cloud account, to ensure that Grafana Cloud users can only access their own AWS data. For more information, refer to the [AWS documentation on external ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html). To use the Grafana Assume Role: -1. Grafana Cloud customers need to open a support ticket to enable the feature `awsDatasourcesTempCredentials`. - This feature is enabled by default in open source Grafana and Grafana Enterprise. -2. Once the feature is enabled, create a new CloudWatch data source (or update an existing one) and select **Grafana Assume Role** as an authentication provider. -3. In the AWS Console, create a new IAM role, and under **Trusted entity type**, select **Another AWS account** as the trusted Entity. -4. 
Enter Grafana's account id (displayed in the instructions box on the **Settings** tab of the CloudWatch data source configuration) and check the **Require external ID** box. -5. Enter the external ID specified in the instructions box on the **Settings** tab of the CloudWatch data source configuration in Grafana. This external ID will be unique to your Grafana instance. -6. Attach any required permissions you would like Grafana to be able to access on your behalf (for example, CloudWatch Logs and CloudWatch Metrics policies). -7. Give the role a name and description, and click **Create role**. -8. Copy the ARN of the role you just created and paste it into the **Assume Role ARN** field on the **Settings** tab of CloudWatch data source configuration in Grafana. +1. Create a new CloudWatch data source (or update an existing one) and select **Grafana Assume Role** as an authentication provider. +2. In the AWS Console, create a new IAM role, and under **Trusted entity type**, select **Another AWS account** as the trusted Entity. +3. Enter the Grafana account id (displayed in the instructions box on the **Settings** tab of the CloudWatch data source configuration) and check the **Require external ID** box. +4. Enter the external ID specified in the instructions box on the **Settings** tab of the CloudWatch data source configuration in Grafana. This external ID will be unique to your Grafana instance. +5. Attach any required permissions you would like Grafana to be able to access on your behalf (for example, CloudWatch Logs and CloudWatch Metrics policies). +6. Give the role a name and description, and click **Create role**. +7. Copy the ARN of the role you just created and paste it into the **Assume Role ARN** field on the **Settings** tab of CloudWatch data source configuration in Grafana. Sample Trust Relationship for an IAM role: 
diff --git a/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md b/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md index c20e71dab3d..29ac8f0ecef 100644 --- a/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md +++ b/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md @@ -38,6 +38,7 @@ Most [generally available](https://grafana.com/docs/release-life-cycle/#general- | `pluginsDetailsRightPanel` | Enables right panel for the plugins details page | Yes | | `recordedQueriesMulti` | Enables writing multiple items from a single query within Recorded Queries | Yes | | `logsExploreTableVisualisation` | A table visualisation for logs in Explore | Yes | +| `awsDatasourcesTempCredentials` | Support temporary security credentials in AWS plugins for Grafana Cloud customers | Yes | | `transformationsRedesign` | Enables the transformations redesign | Yes | | `awsAsyncQueryCaching` | Enable caching for async queries for Redshift and Athena. Requires that the datasource has caching and async query support enabled | Yes | | `dashgpt` | Enable AI powered features in dashboards | Yes | diff --git a/packages/grafana-data/src/types/featureToggles.gen.ts b/packages/grafana-data/src/types/featureToggles.gen.ts index 4a5de4fd928..5a3a6901178 100644 --- a/packages/grafana-data/src/types/featureToggles.gen.ts +++ b/packages/grafana-data/src/types/featureToggles.gen.ts @@ -186,6 +186,7 @@ export interface FeatureToggles { logsExploreTableVisualisation?: boolean; /** * Support temporary security credentials in AWS plugins for Grafana Cloud customers + * @default true */ awsDatasourcesTempCredentials?: boolean; /** diff --git a/pkg/services/featuremgmt/registry.go b/pkg/services/featuremgmt/registry.go index cb275abd33a..49d3d1f638d 100644 --- a/pkg/services/featuremgmt/registry.go +++ b/pkg/services/featuremgmt/registry.go 
@@ -296,7 +296,8 @@ var ( { Name: "awsDatasourcesTempCredentials", Description: "Support temporary security credentials in AWS plugins for Grafana Cloud customers", - Stage: FeatureStageExperimental, + Stage: FeatureStageGeneralAvailability, + Expression: "true", // enabled by default Owner: awsDatasourcesSquad, }, { diff --git a/pkg/services/featuremgmt/toggles_gen.csv b/pkg/services/featuremgmt/toggles_gen.csv index dffcd8bcad4..c059d62fb8a 100644 --- a/pkg/services/featuremgmt/toggles_gen.csv +++ b/pkg/services/featuremgmt/toggles_gen.csv @@ -37,7 +37,7 @@ pluginsDetailsRightPanel,GA,@grafana/plugins-platform-backend,false,false,true sqlDatasourceDatabaseSelection,preview,@grafana/oss-big-tent,false,false,true recordedQueriesMulti,GA,@grafana/observability-metrics,false,false,false logsExploreTableVisualisation,GA,@grafana/observability-logs,false,false,true -awsDatasourcesTempCredentials,experimental,@grafana/aws-datasources,false,false,false +awsDatasourcesTempCredentials,GA,@grafana/aws-datasources,false,false,false transformationsRedesign,GA,@grafana/observability-metrics,false,false,true mlExpressions,experimental,@grafana/alerting-squad,false,false,false datasourceAPIServers,experimental,@grafana/grafana-app-platform-squad,false,true,false diff --git a/pkg/services/featuremgmt/toggles_gen.json b/pkg/services/featuremgmt/toggles_gen.json index 004b9c5e01b..a2a07e82c8a 100644 --- a/pkg/services/featuremgmt/toggles_gen.json +++ b/pkg/services/featuremgmt/toggles_gen.json 
@@ -472,13 +472,17 @@ { "metadata": { "name": "awsDatasourcesTempCredentials", - "resourceVersion": "1750434297879", - "creationTimestamp": "2023-07-06T15:06:11Z" + "resourceVersion": "1752523189825", + "creationTimestamp": "2023-07-06T15:06:11Z", + "annotations": { + "grafana.app/updatedTimestamp": "2025-07-14 19:59:49.825959 +0000 UTC" + } }, "spec": { "description": "Support temporary security credentials in AWS plugins for Grafana Cloud customers", - "stage": "experimental", - "codeowner": "@grafana/aws-datasources" + "stage": "GA", + "codeowner": "@grafana/aws-datasources", + "expression": "true" } }, { @@ -2022,8 +2026,11 @@ { "metadata": { "name": "multiTenantTempCredentials", - "resourceVersion": "1750434297879", - "creationTimestamp": "2025-04-02T20:25:50Z" + "resourceVersion": "1752523189825", + "creationTimestamp": "2025-04-02T20:25:50Z", + "annotations": { + "grafana.app/updatedTimestamp": "2025-07-14 19:59:49.825959 +0000 UTC" + } }, "spec": { "description": "use multi-tenant path for awsTempCredentials",
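Review bot: In docs/sources/datasources/aws-cloudwatch/aws-authentication/index.md, the admonition now says the feature is available for "Amazon CloudWatch and Athena", but the overview paragraph ("permissions to access CloudWatch") and steps 1, 3, 4 and 7 still name only the CloudWatch data source. Either generalize the wording to cover both data sources or add a sentence saying the same steps apply to Athena, and extend the step 5 example so Athena users know which policies to attach. Step 5 is also where the scope of the role is decided, so it would help to say that the attached policies should be limited to what the data source needs. Minor style points in the same hunk: "account id" should be "account ID", and "trusted Entity" should be lower case.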
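Review bot: In pkg/services/featuremgmt/registry.go, `Expression: "true", // enabled by default` turns awsDatasourcesTempCredentials on by default, yet the Description still reads "for Grafana Cloud customers" and the updated docs in this same patch say the feature "is only available in Grafana Cloud". The docs line removed by this patch said the toggle was already "enabled by default in open source Grafana and Grafana Enterprise", so please state, in the description or in the docs, what the toggle does on a self-hosted instance when it is on and what actually restricts Grafana Assume Role to Cloud. The subject line also describes this as a docs update while this hunk promotes the stage from FeatureStageExperimental to FeatureStageGeneralAvailability. That behaviour change deserves a mention in the commit body or release notes.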
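Review bot: In pkg/services/featuremgmt/toggles_gen.json, the second hunk (@@ -2022,8 +2026,11 @@) bumps resourceVersion and adds a grafana.app/updatedTimestamp annotation on multiTenantTempCredentials, although no spec field of that toggle changes in the lines shown and the patch is otherwise about awsDatasourcesTempCredentials. If this is only churn from regenerating the file, say so in the commit message. Otherwise confirm that nothing about multiTenantTempCredentials was meant to change in this backport, or drop the region to keep the cherry-pick minimal.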