Add minimal IAM policy example for CloudWatch data source

ee7943b9 · Tim O'Guin · 041067f5 · ee7943b9
Commit ee7943b9 authored Apr 11, 2018 by Tim O'Guin
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 0 deletions

docs/sources/features/datasources/cloudwatch.md
+34 -0

No files found.
--- a/docs/sources/features/datasources/cloudwatch.md
+++ b/docs/sources/features/datasources/cloudwatch.md
@@ -43,6 +43,40 @@ server is running on AWS you can use IAM Roles and authentication will be handle
 Checkout AWS docs on [IAM Roles](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
+## IAM Policies
+Grafana needs permissions granted via IAM to be able to read from CloudWatch
+and EC2. Attach these permissions to IAM roles to utilized Grafana's build-in
+role support.
+Here is a minimal policy example:
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowReadingMetricsFromCloudWatch",
+            "Effect": "Allow",
+            "Action": [
+                "cloudwatch:ListMetrics",
+                "cloudwatch:GetMetricStatistics"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowReadingTagsFromEC2",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeTags",
+                "ec2:DescribeInstances"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
 ### AWS credentials file
 Create a file at `~/.aws/credentials`. That is the `HOME` path for user running grafana-server.