How do I troubleshoot errors with cross-account dashboard sharing in CloudWatch?


I want to use cross-account dashboard sharing to share my Amazon CloudWatch dashboard with another AWS account.

Short description

You can create cross-account or cross-Region dashboards to share your CloudWatch data with multiple AWS accounts and across multiple AWS Regions. When you use account or organization IDs to share a dashboard from one AWS account with another account, you might encounter a number of issues:

  • The monitoring account user can't view or select the Account ID in the sharing account to view the dashboard.
  • When accessing the dashboard, the monitoring user receives an error due to permissions issues in the sharing account. These errors include the following examples:
      • "Failed to retrieve alarms" errors
      • "Resource groups could not be retrieved" errors
      • Unauthorized user errors

Resolution

In these examples, one account is sharing a dashboard with another account using Account IDs or Organization IDs. The sharing account has the ID 111111111111. The monitoring account has the account ID 999999999999.

Issues viewing the Account ID to view a dashboard from a monitoring account

To view and select the shared dashboard, turn on an account selector for every AWS Identity and Access Management (IAM) user in the monitoring account. Account ID selectors are visible only for IAM users who turned on an account selector in their CloudWatch settings. For more information, see Activating cross-account functionality in CloudWatch.

Errors received when accessing custom dashboards from a monitoring account

When you attempt to access a custom dashboard from a monitoring account, you might encounter the following errors:

  • When accessing the Overview page in the CloudWatch console:

    "Failed to retrieve alarms ; You don't have permissions to perform the following operations: CloudWatch:DescribeAlarms. Contact your administrator if you need help. If you are an administrator, you can provide permissions for your users or groups by creating IAM policies."

  • When accessing the cross service dashboard from shared accounts:

    "Unable to select any Resource Group in the "Filter by resource group" dropdown. It errs out with : "Resource groups could not be retrieved"

  • When opening a custom dashboard from a shared account:

    "User: "arn:aws:sts::999999999999:assumed-role/AWSServiceRoleForCloudWatchCrossAccount/CloudWatchConsole is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/CloudWatch-CrossAccountSharingRole"

    -or-

    "User: arn:aws:sts::999999999999:assumed-role/CloudWatch-CrossAccountSharingRole/CloudWatchConsole is not authorized to perform: cloudwatch:ListDashboards on resource: arn:aws:cloudwatch::111111111111:dashboard/* because no identity-based policy allows the cloudwatch:ListDashboards action"

These errors occur because of permissions issues in the sharing account's role. Be sure that the sharing account meets the following conditions:

  • The CloudWatch-CrossAccountSharingRole is present.
  • The role's trust policy is correct, so that the monitoring account can assume it.
  • The CloudWatch-CrossAccountSharingRole has these policies attached:
      • CloudWatchReadOnlyAccess
      • CloudWatchAutomaticDashboardsAccess: This policy is missing if you cleared the Include CloudWatch automatic dashboards option during dashboard sharing.
      • AWSXrayReadOnlyAccess: This policy is missing if you cleared the Include X-Ray read-only access for ServiceLens option during dashboard sharing.
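The three conditions above can be checked from the sharing account rather than by trial and error from the monitoring account. The following script is an added example, not AWS tooling: it applies those checks to the JSON shapes that `aws iam get-role` and `aws iam list-attached-role-policies` return, using a constructed sample (an empty dict stands in for the NoSuchEntity error you get when the role is absent). The organization-sharing check assumes a trust policy with a `*` principal restricted by an `aws:PrincipalOrgID` condition; the two option flags say which sharing options were kept, since a managed policy is only expected when its option was selected.

```python
"""Audit the sharing account's CloudWatch-CrossAccountSharingRole.

Added example, not AWS's own tooling. It checks the conditions listed above
against the JSON shapes that `aws iam get-role` and
`aws iam list-attached-role-policies` return, using a constructed sample
instead of calling AWS.
"""

ROLE_NAME = "CloudWatch-CrossAccountSharingRole"
READ_ONLY = "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"
AUTO_DASHBOARDS = "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess"
XRAY_READ_ONLY = "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess"


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusts_principal(trust_policy, monitoring_account, org_id=None):
    """True if an Allow statement lets the monitoring account call sts:AssumeRole.

    Account-ID sharing is recognised by an AWS principal of the account's root
    ARN (or bare account ID).  Organization sharing is assumed here to use a
    '*' principal restricted by an aws:PrincipalOrgID condition; a '*'
    principal without that condition is treated as NOT trusting anyone, since
    such a role would be assumable by every AWS account.
    """
    root_arn = f"arn:aws:iam::{monitoring_account}:root"
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if root_arn in aws_principals or monitoring_account in aws_principals:
            return True
        if "*" in aws_principals and org_id:
            condition = stmt.get("Condition", {}).get("StringEquals", {})
            if org_id in _as_list(condition.get("aws:PrincipalOrgID")):
                return True
    return False


def audit_sharing_role(get_role_output, attached_policies_output, monitoring_account,
                       org_id=None, automatic_dashboards=True, xray=True):
    """Return a list of findings; an empty list means every condition above holds.

    automatic_dashboards / xray say which sharing options were selected, since
    the matching managed policy is only expected when its option was kept.
    """
    role = (get_role_output or {}).get("Role") or {}
    if role.get("RoleName") != ROLE_NAME:
        return [f"{ROLE_NAME} is not present in the sharing account"]

    findings = []
    trust = role.get("AssumeRolePolicyDocument") or {}
    if not trusts_principal(trust, monitoring_account, org_id):
        findings.append(f"trust policy does not allow {monitoring_account} to assume {ROLE_NAME}")

    attached = {p["PolicyArn"] for p in attached_policies_output.get("AttachedPolicies", [])}
    expected = {READ_ONLY: "always required"}
    if automatic_dashboards:
        expected[AUTO_DASHBOARDS] = "'Include CloudWatch automatic dashboards' was selected"
    if xray:
        expected[XRAY_READ_ONLY] = "'Include X-Ray read-only access for ServiceLens' was selected"
    for arn, reason in expected.items():
        if arn not in attached:
            findings.append(f"{arn.rsplit('/', 1)[1]} is not attached ({reason})")
    return findings


# Constructed sample of `aws iam get-role --role-name CloudWatch-CrossAccountSharingRole`
# in sharing account 111111111111; not real output.
SAMPLE_GET_ROLE = {
    "Role": {
        "RoleName": ROLE_NAME,
        "Arn": f"arn:aws:iam::111111111111:role/{ROLE_NAME}",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                "Action": "sts:AssumeRole",
            }],
        },
    }
}

# Constructed sample of `aws iam list-attached-role-policies`: the automatic
# dashboards policy is missing, which is the gap the audit should report.
SAMPLE_ATTACHED = {
    "AttachedPolicies": [
        {"PolicyName": "CloudWatchReadOnlyAccess", "PolicyArn": READ_ONLY},
        {"PolicyName": "AWSXrayReadOnlyAccess", "PolicyArn": XRAY_READ_ONLY},
    ]
}

if __name__ == "__main__":
    for finding in audit_sharing_role(SAMPLE_GET_ROLE, SAMPLE_ATTACHED, "999999999999"):
        print("FINDING:", finding)
```

Run it against real output by piping `aws iam get-role` and `aws iam list-attached-role-policies` into `json.load` in the sharing account; an empty findings list means the role side is configured as the list above requires, and any remaining error then points at the monitoring user's own permissions or account-selector setting instead.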

Limit CloudWatch-CrossAccountSharingRole to share only specific dashboards with all monitoring accounts

The console lists cross-account dashboards with the ListDashboards API call. ListDashboards doesn't support resource-specific permissions, but the GetDashboard API call does. Therefore, to limit which dashboards can be described or opened across accounts, edit the permissions policy of the IAM role CloudWatch-CrossAccountSharingRole in the source sharing account so that GetDashboard is allowed only on the dashboards you want to share:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "cloudwatch:GetDashboard",
      "Resource": "arn:aws:cloudwatch::111111111111:dashboard/dashboard-name"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetInsightRuleReport",
        "cloudwatch:GetMetricWidgetImage",
        "cloudwatch:ListMetrics",
        "cloudwatch:ListTagsForResource",
        "cloudwatch:ListDashboards",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:Describe*",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "sns:Get*",
        "sns:List*"
      ],
      "Resource": "*"
    }
  ]
}

After you apply this policy, the monitoring account can still list all dashboards. However, if you try to open a dashboard that isn't named in this policy, you see an error:

User: arn:aws:sts::111111111111:assumed-role/CloudWatch-CrossAccountSharingRole/CloudWatchConsole is not authorized to perform: cloudwatch:GetDashboard on resource: arn:aws:cloudwatch::111111111111:dashboard/test
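To see why that policy produces exactly this split (every dashboard listable, only the named one openable) without deploying it, the following added example evaluates the policy the way IAM's identity-policy logic does. It is a deliberately small evaluator written for this page, not AWS's evaluation engine: it supports Allow/Deny, `*` and `?` wildcards in actions and resources, and explicit deny overriding allow, but not NotAction, conditions or principals. The dashboard ARNs it checks are constructed; `dashboard-name` and `test` are the names used on this page.

```python
"""Mini IAM evaluator for the dashboard-scoping policy above.

Added example, not AWS's evaluation engine. It supports only what the policy
above needs (Allow/Deny, '*' and '?' wildcards in actions and resources,
explicit deny overriding allow; no NotAction, conditions or principals) and
uses it to show which dashboards a monitoring account can list versus open.
"""
from fnmatch import fnmatchcase

SHARING_ACCOUNT = "111111111111"
SHARED_DASHBOARD = f"arn:aws:cloudwatch::{SHARING_ACCOUNT}:dashboard/dashboard-name"

# The scoped role policy from the article, as a Python dict.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": "cloudwatch:GetDashboard", "Resource": SHARED_DASHBOARD},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["autoscaling:Describe*", "cloudwatch:Describe*",
                    "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
                    "cloudwatch:GetInsightRuleReport", "cloudwatch:GetMetricWidgetImage",
                    "cloudwatch:ListMetrics", "cloudwatch:ListTagsForResource",
                    "cloudwatch:ListDashboards", "logs:Get*", "logs:List*",
                    "logs:StartQuery", "logs:StopQuery", "logs:Describe*",
                    "logs:TestMetricFilter", "logs:FilterLogEvents",
                    "sns:Get*", "sns:List*"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    fnmatchcase also treats '[' specially; no action or dashboard ARN uses it."""
    return fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Decide one (action, resource) request against a single identity policy.

    Default deny; any matching Allow grants; any matching Deny wins regardless
    of statement order.  Action names compare case-insensitively, resource ARNs
    compare exactly, as IAM does.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_matches(a.lower(), action.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def openable_dashboards(policy, dashboard_arns):
    """From the ARNs ListDashboards returns, keep the ones GetDashboard may open."""
    return [arn for arn in dashboard_arns
            if is_allowed(policy, "cloudwatch:GetDashboard", arn)]


if __name__ == "__main__":
    # Constructed: what ListDashboards in the sharing account might return.
    listed = [SHARED_DASHBOARD, f"arn:aws:cloudwatch::{SHARING_ACCOUNT}:dashboard/test"]
    print("listable:", is_allowed(SCOPED_POLICY, "cloudwatch:ListDashboards",
                                  f"arn:aws:cloudwatch::{SHARING_ACCOUNT}:dashboard/*"))
    print("openable:", openable_dashboards(SCOPED_POLICY, listed))
```

The `test` dashboard appears in the list but is rejected for `GetDashboard`, which is the denied call in the error message above. Because `ListDashboards` has to be granted on `*`, scoping happens only at open time, so a monitoring user will always see the names of dashboards they cannot open; if even the names are sensitive, the sharing role is the wrong boundary and a separate sharing account is.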

Issues launching the CloudFormation stack to create the required CloudWatch-CrossAccountSharingRole in the sharing account

Be sure that these policies are attached to the IAM role you use in the sharing account when you set up cross-account dashboard sharing:

  • AWSCloudFormationFullAccess
  • IAMFullAccess

These permissions allow you to launch the required CloudFormation stack, which creates the IAM role you need for cross-account dashboard sharing.

Use Terraform/CloudFormation/AWS CLI to create cross-account dashboard sharing setup

When you set up a sharing account to use cross-account functions, CloudWatch deploys an AWS CloudFormation template. To manage the same setup with Terraform, convert this CloudFormation template into an equivalent Terraform configuration. This allows you to activate cross-account data sharing.

To allow your monitoring account to view cross-account data in CloudWatch, activate an account selector using the console. This is a per-user setting and isn't managed at account level. For more information on configuring this setting, see Activating cross-account functionality in CloudWatch.
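The template that CloudWatch deploys is not reproduced on this page, so the following added example builds one from the pieces the article does list: the CloudWatch-CrossAccountSharingRole, a trust policy for the monitoring accounts, and the managed policies that the two sharing options control. It is example code written for this page, not AWS's template; the organization-sharing statement (a `*` principal constrained by `aws:PrincipalOrgID`) is an assumption, and the stack name in the usage comment is a placeholder. The output can be deployed with the AWS CLI from the sharing account or used as the reference when writing the Terraform equivalent.

```python
"""Emit a CloudFormation template for the sharing-account role.

Added example, not the template that CloudWatch deploys (that template is not
reproduced on this page). It assembles the pieces the article lists, the
CloudWatch-CrossAccountSharingRole with a trust policy for the monitoring
accounts and the managed policies the two sharing options control, into a
template you can deploy with the AWS CLI or translate into Terraform.
Organization sharing is assumed here to use a '*' principal constrained by
an aws:PrincipalOrgID condition.
"""
import json

ROLE_NAME = "CloudWatch-CrossAccountSharingRole"
READ_ONLY = "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"
AUTO_DASHBOARDS = "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess"
XRAY_READ_ONLY = "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess"


def build_trust_policy(monitoring_accounts=(), org_id=None):
    """Trust policy letting the named accounts and/or the organization assume the role."""
    accounts = list(monitoring_accounts)
    for account in accounts:
        # Catch typos before IAM rejects the stack: account IDs are exactly 12 digits.
        if not (account.isdigit() and len(account) == 12):
            raise ValueError(f"{account!r} is not a 12-digit AWS account ID")
    statements = []
    if accounts:
        statements.append({
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in accounts]},
            "Action": "sts:AssumeRole",
        })
    if org_id:
        # Assumed shape for organization sharing: open principal, closed by the org condition.
        statements.append({
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        })
    if not statements:
        raise ValueError("share with at least one account ID or an organization ID")
    return {"Version": "2012-10-17", "Statement": statements}


def build_template(monitoring_accounts=(), org_id=None,
                   automatic_dashboards=True, xray=True):
    """CloudFormation template (as a dict) for the sharing-side role.

    automatic_dashboards / xray mirror the two options in the sharing wizard;
    clearing either drops the corresponding managed policy, as the console does.
    """
    managed = [READ_ONLY]
    if automatic_dashboards:
        managed.append(AUTO_DASHBOARDS)
    if xray:
        managed.append(XRAY_READ_ONLY)
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Role that lets monitoring accounts read CloudWatch dashboards in this account",
        "Resources": {
            "CloudWatchCrossAccountSharingRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": ROLE_NAME,
                    "AssumeRolePolicyDocument": build_trust_policy(monitoring_accounts, org_id),
                    "ManagedPolicyArns": managed,
                },
            }
        },
    }


if __name__ == "__main__":
    # Share with monitoring account 999999999999, keeping both optional policies.
    # Save the output as sharing-role.json and deploy from the sharing account; a
    # fixed RoleName requires CAPABILITY_NAMED_IAM (stack name is a placeholder):
    #   aws cloudformation deploy --template-file sharing-role.json \
    #       --stack-name <your-stack-name> --capabilities CAPABILITY_NAMED_IAM
    print(json.dumps(build_template(["999999999999"]), indent=2))
```

Keeping the role name fixed matters: the monitoring side's AWSServiceRoleForCloudWatchCrossAccount assumes `CloudWatch-CrossAccountSharingRole` by name in the sharing account, which is why the sts:AssumeRole error earlier on this page names that exact ARN.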

Related information

Cross-account cross-Region CloudWatch console

AWS OFFICIAL
Updated 9 months ago