I am using the X-RAY datasource and I’m running into a 403 error when I attempt to use the ServiceMap query type.
Here is my setup:
- I have an ECS/Fargate instance stood up that has deployed v8.5.3 of the Grafana Docker container.
- I have installed v1.40 of the X-RAY data source.
- I have configured the data source to access X-Ray logs that are in another AWS account. I am doing this by assuming the role. This works fine EXCEPT for accessing the ServiceMap. The datasource is assuming a custom IAM role that is configured to allow the following actions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "xray:BatchGetTraces",
        "xray:GetTraceSummaries",
        "xray:GetTraceGraph",
        "xray:GetGroups",
        "xray:GetTimeSeriesServiceStatistics",
        "xray:GetInsightSummaries",
        "xray:GetInsight",
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    }
  ]
}
```
Issue:
This setup works fine for the majority of X-Ray events; however, when I am in the data source and attempt to query the Service Map, I get the following error:
“AccessDeniedException: status code: 403, request id:…”
Steps to resolve:
I have used log levels “error”, “critical”, “debug” and “info” and I see no diagnostic info being logged. I would expect to see a complete error coming back from the AWS CLI instead of the one-line error message. I’m not sure what I’m missing. Perhaps it is an additional action that needs to be added to the IAM role that isn’t documented? Again, I am accessing X-Ray logs that are in another AWS account (in the same region). All of our AWS accounts have cross-account access enabled. I am doing this with our CloudWatch data source and it works fine.
Thanks for your help!
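An offline way to check a role policy like the one in this post against the IAM actions a set of queries needs, added here as an example and not part of the original post or of the X-Ray data source. It assumes the Service Map query calls the X-Ray `GetServiceGraph` API (IAM action `xray:GetServiceGraph`); the helper names are hypothetical.

```python
import json
import re

# IAM policy as posted above (whitespace condensed).
POSTED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "xray:BatchGetTraces", "xray:GetTraceSummaries", "xray:GetTraceGraph",
  "xray:GetGroups", "xray:GetTimeSeriesServiceStatistics",
  "xray:GetInsightSummaries", "xray:GetInsight", "ec2:DescribeRegions"],
  "Resource": "*"}]}
""")

# Assumption: the Service Map query needs xray:GetServiceGraph.
# The other two actions are taken from the posted policy.
REQUIRED = ["xray:GetTraceSummaries", "xray:BatchGetTraces", "xray:GetServiceGraph"]


def _as_list(value):
    """Statement and Action may each be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action match: case-insensitive, '*' is any run, '?' is one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def is_allowed(policy, action):
    """Explicit Deny wins; otherwise some Allow statement must match.
    Simplification: Resource, Condition and NotAction are not evaluated."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def missing_actions(policy, required):
    """Return the required actions this policy does not allow, in order."""
    return [a for a in required if not is_allowed(policy, a)]


if __name__ == "__main__":
    print("not allowed:", missing_actions(POSTED_POLICY, REQUIRED))
```

Under that assumption, the posted policy allows the trace actions but not `xray:GetServiceGraph`.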