Amazon Managed Grafana
User Guide
Amazon Managed Grafana: User Guide
Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What is Amazon Managed Grafana? ... 1
Supported Regions ... 1
Setting up ... 2
Get an AWS account and your root user credentials ... 2
Creating an IAM user ... 2
Signing in as an IAM user ... 3
Creating IAM user access keys ... 3
User authentication ... 5
SAML ... 5
AWS SSO ... 6
Connecting to your identity provider ... 7
Azure Active Directory ... 7
CyberArk ... 8
Okta ... 10
OneLogin ... 11
Ping Identity ... 12
AWS SSO ... 14
Required permissions for scenarios using AWS SSO ... 14
Getting started ... 16
User authentication ... 16
Necessary permissions ... 16
Create your first workspace ... 17
Managing workspaces, users, and policies ... 20
Creating a workspace ... 20
User authentication in a workspace ... 20
Necessary permissions ... 16
Managing user and group access to Amazon Managed Grafana ... 24
Managing permissions for data sources and notification channels ... 25
Deleting a workspace ... 26
Working in your Grafana workspace ... 27
Users, teams, and permissions ... 27
Users ... 27
User roles ... 28
Managing teams ... 28
Using permissions ... 29
Getting started in your Grafana workspace console ... 33
What is Grafana? ... 33
Explore metrics and logs ... 33
Alerts ... 33
Annotations ... 33
Dashboard variables ... 33
Creating a dashboard ... 34
Data sources ... 39
How Amazon Managed Grafana works with AWS Organizations for AWS data source access ... 40
Built-in data sources ... 41
Data sources available in Grafana Enterprise ... 162
Panels ... 213
Adding or editing a panel ... 213
Deleting a panel ... 214
Queries ... 214
Transformations ... 217
Field options and overrides ... 224
Panel editor ... 230
Library panels ... 231
Visualizations ... 233
Dashboards ... 263
Manage dashboards ... 263
Rows ... 263
Annotations ... 264
Dashboard folders ... 265
Playlist ... 266
Dashboard search ... 269
Sharing a dashboard ... 270
Sharing a panel ... 270
Time range controls ... 270
Exporting and importing dashboards ... 273
Dashboard version history ... 273
Keyboard shortcuts ... 274
Dashboard JSON model ... 274
Scripted dashboards ... 279
Explore ... 280
Start exploring ... 280
Splitting and comparing ... 280
Sharing a shortened link ... 281
Query history ... 281
Prometheus-specific features ... 282
Logs integration ... 283
Tracing integration ... 285
Navigating between Explore and a dashboard ... 286
Query inspector ... 286
Linking ... 286
Which link should you use? ... 286
Controlling time range using the URL ... 287
Dashboard links ... 287
Panel links ... 288
Data links ... 289
Data link variables ... 290
Templates and variables ... 291
Templates ... 292
Variable best practices ... 292
Variable syntax ... 292
Variable types ... 292
Other variable options ... 302
Alerts ... 308
Alert configuration ... 308
Clustering ... 309
Notifications ... 309
Alert execution ... 309
Alert notifications ... 309
Creating alerts ... 312
Pausing an alert rule ... 315
Viewing existing alert rules ... 315
Notification templating ... 315
Troubleshooting alerts ... 316
Change your preferences ... 316
Edit your Amazon Managed Grafana profile ... 316
Edit your preferences ... 316
View your Amazon Managed Grafana sessions ... 317
Using Grafana HTTP APIs ... 318
Alerting API ... 319
Get alerts ... 319
Get alert by Id ... 320
Pause alert by Id ... 321
Alerting Notification Channels API ... 322
Get all notification channels ... 322
Get all notification channels (lookup) ... 323
Get all notification channels by UID ... 323
Get all notification channels by Id ... 324
Create notification channel ... 324
Update notification channel by UID ... 325
Update notification channel by Id ... 326
Delete notification channel by UID ... 327
Delete notification channel by Id ... 327
Test notification channel ... 327
Annotations API ... 328
Find annotations ... 328
Create annotation ... 329
Create annotation in graphite format ... 330
Update annotation ... 331
Patch annotation ... 331
Delete annotation by Id ... 332
Authentication API ... 332
Get API keys ... 332
Create API key ... 333
Delete API key ... 333
Dashboard API ... 334
Create/Update dashboard ... 334
Get dashboard by uid ... 338
Delete dashboard by uid ... 339
Gets the home dashboard ... 339
Get dashboard tags ... 340
Dashboard Permissions API ... 341
Get permissions for a dashboard ... 341
Update permissions for a dashboard ... 342
Dashboard Versions API ... 343
Get all dashboard versions ... 343
Get dashboard version ... 344
Restore dashboard ... 346
Compare dashboard versions ... 347
Data Source API ... 348
Get all data sources ... 349
Get a single data source by Id ... 349
Get a single data source by UID ... 350
Get a single data source by name ... 351
Get data source Id by name ... 351
Create a data source ... 352
Update an existing data source ... 354
Delete data source by Id ... 355
Delete data source by UID ... 355
Delete data source by name ... 356
Data source proxy calls ... 356
Query data source by Id ... 356
Data Source Permissions API ... 358
Enable permissions for a data source ... 358
Disable permissions for a data source ... 359
Get permissions for a data source ... 360
Add permission for a data source ... 361
Remove permission for a data source ... 362
External Group Synchronization API ... 362
Get external groups ... 362
Add external group ... 363
Remove external group ... 363
Folder API ... 364
Create folder ... 364
Update folder ... 365
Get all folders ... 367
Get folder by uid ... 367
Get folder by id ... 367
Delete folder by uid ... 369
Folder/Dashboard Search API ... 369
Search folders and dashboards ... 369
Folder Permissions API ... 371
Get permissions for a folder ... 371
Update permissions for a folder ... 372
Organization API ... 373
Get current organization ... 373
Get all users within the current organization ... 374
Get all users within the current organization (lookup) ... 374
Updates the given user ... 375
Deletes user in current organization ... 375
Update the current organization ... 376
Add user to the current organization ... 376
Playlist API ... 377
Search playlist ... 377
Get one playlist ... 377
Get playlist items ... 378
Get playlist dashboards ... 379
Create a playlist ... 379
Update a playlist ... 380
Delete a playlist ... 381
Preferences API ... 381
Get current user preferences ... 381
Update current user preferences ... 382
Get current org preferences ... 382
Update current org preferences ... 382
Snapshot API ... 383
Create new snapshot ... 383
Get list of snapshots ... 384
Get snapshot by key ... 385
Delete snapshot by key ... 386
Delete snapshot by deleteKey ... 386
Team API ... 387
Team search with pagination ... 387
Get team by Id ... 388
Add a team ... 388
Update team ... 389
Delete team by Id ... 389
Get team members ... 390
Add team member ... 391
Remove member from team ... 391
Get team preferences ... 392
Update team preferences ... 392
User API ... 393
Get teams that the user is a member of ... 393
Get list of snapshots ... 393
Unstar a dashboard ... 394
Get auth tokens of the actual user ... 394
Revoke an auth token of the actual user ... 395
Using Terraform for Grafana automation ... 395
Upgrade a workspace to Grafana Enterprise ... 397
Canceling Grafana Enterprise ... 399
Security ... 400
Data protection ... 400
Data protection in Amazon Managed Grafana ... 401
Identity and Access Management ... 401
Audience ... 402
Authenticating with identities ... 402
Managing access using policies ... 404
How Amazon Managed Grafana works with IAM ... 405
Identity-based policy examples ... 410
Troubleshooting ... 418
Cross-service confused deputy prevention ... 420
Amazon Managed Grafana permissions and policies for AWS data sources and notification channels ... 421
Service-managed permissions for a single account ... 421
Service-managed permissions for an organization ... 423
Customer-managed permissions ... 427
IAM permissions ... 428
Amazon Managed Grafana permissions ... 428
Compliance Validation ... 429
Resilience ... 429
Infrastructure Security ... 430
CloudTrail logs ... 430
Amazon Managed Grafana information in CloudTrail ... 430
Understanding Amazon Managed Grafana log file entries ... 431
Understanding Grafana API log file entries ... 434
Security best practices ... 446
Use short-lived API keys ... 446
Migrating from self-managed Grafana ... 446
Interface VPC endpoints ... 447
Using Amazon Managed Grafana API with interface VPC endpoints ... 447
Creating a VPC endpoint to make an AWS PrivateLink connection to Amazon Managed Grafana ... 447
Controlling access to your Amazon Managed Grafana VPC endpoint with an endpoint policy ... 448
Service quotas ... 449
Document history ... 450
AWS glossary ... 451
What is Amazon Managed Grafana?
Amazon Managed Grafana is a fully managed and secure data visualization service that you can use to instantly query, correlate, and visualize operational metrics, logs, and traces from multiple sources.
Amazon Managed Grafana makes it easy to deploy, operate, and scale Grafana, a widely deployed data visualization tool that is popular for its extensible data support.
With Amazon Managed Grafana, you create logically isolated Grafana servers called workspaces. Then, you can create Grafana dashboards and visualizations to analyze your metrics, logs, and traces without having to build, package, or deploy any hardware to run your Grafana servers.
Amazon Managed Grafana manages the provisioning, setup, scaling, and maintenance of your logical Grafana servers so that you don't have to do these tasks yourself. Amazon Managed Grafana also provides built-in security features for compliance with corporate governance requirements, including single sign-on, data access control, and audit reporting.
Amazon Managed Grafana is integrated with AWS data sources that collect operational data, such as Amazon CloudWatch, Amazon OpenSearch Service, AWS X-Ray, AWS IoT SiteWise, Amazon Timestream, and Amazon Managed Service for Prometheus. Amazon Managed Grafana includes a permission provisioning feature for adding supported AWS services as data sources. Amazon Managed Grafana also supports many popular open-source, third-party, and other cloud data sources.
For user authentication and authorization, Amazon Managed Grafana can integrate with identity providers (IdPs) that support SAML 2.0 and also can integrate with AWS Single Sign-On.
Amazon Managed Grafana is priced per active user in a workspace. For information about pricing, see Amazon Managed Grafana Pricing.
Supported Regions
Amazon Managed Grafana currently supports the following Regions:
• US East (Ohio)
• US East (N. Virginia)
• US West (Oregon)
• Asia Pacific (Seoul)
• Asia Pacific (Singapore)
• Asia Pacific (Sydney)
• Asia Pacific (Tokyo)
• Europe (Frankfurt)
• Europe (Ireland)
• Europe (London)
Setting up
Complete the tasks in this section to get set up with AWS for the first time. If you already have an AWS account, skip ahead to Getting started with Amazon Managed Grafana (p. 16).
When you sign up for AWS, your AWS account automatically has access to all services in AWS, including Amazon Managed Grafana. However, you are charged only for the services that you use.
Get an AWS account and your root user credentials
To access AWS, you must sign up for an AWS account.
To sign up for an AWS account
1. Open https://portal.aws.amazon.com/billing/signup.
2. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.
Creating an IAM user
If your account already includes an IAM user with full AWS administrative permissions, you can skip this section.
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity.
That identity has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. When you sign in, enter the email address and password that you used to create the account.
Important
We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see Tasks that require root user credentials.
To create an administrator user for yourself and add the user to an administrators group (console)
1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.
Note
We strongly recommend that you adhere to the best practice of using the Administrator IAM user that follows and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.
2. In the navigation pane, choose Users and then choose Add user.
3. For User name, enter Administrator.
4. Select the check box next to AWS Management Console access. Then select Custom password, and then enter your new password in the text box.
5. (Optional) By default, AWS requires the new user to create a new password when first signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.
6. Choose Next: Permissions.
7. Under Set permissions, choose Add user to group.
8. Choose Create group.
9. In the Create group dialog box, for Group name enter Administrators.
10. Choose Filter policies, and then select AWS managed - job function to filter the table contents.
11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.
Note
You must activate IAM user and role access to Billing before you can use the AdministratorAccess permissions to access the AWS Billing and Cost Management console. To do this, follow the instructions in step 1 of the tutorial about delegating access to the billing console.
12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.
13. Choose Next: Tags.
14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM entities in the IAM User Guide.
15. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.
You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access management and Example policies.
Signing in as an IAM user
Sign in to the IAM console by choosing IAM user and entering your AWS account ID or account alias. On the next page, enter your IAM user name and your password.
Note
For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose the sign-in link beneath the button to return to the main sign-in page. From there, you can enter your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.
Creating IAM user access keys
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them from the AWS Management Console. As a best practice, do not use the AWS account root user access keys for any task where it's not required. Instead, create a new administrator IAM user with access keys for yourself.
The only time that you can view or download the secret access key is when you create the keys. You cannot recover them later. However, you can create new access keys at any time. You must also have permissions to perform the required IAM actions. For more information, see Permissions required to access IAM resources in the IAM User Guide.
To create access keys for an IAM user
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users.
3. Choose the name of the user whose access keys you want to create, and then choose the Security credentials tab.
4. In the Access keys section, choose Create access key.
5. To view the new access key pair, choose Show. You will not have access to the secret access key again after this dialog box closes. Your credentials will look something like this:
• Access key ID: AKIAIOSFODNN7EXAMPLE
• Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
6. To download the key pair, choose Download .csv file. Store the keys in a secure location. You will not have access to the secret access key again after this dialog box closes.
Keep the keys confidential in order to protect your AWS account and never email them. Do not share them outside your organization, even if an inquiry appears to come from AWS or Amazon.com. No one who legitimately represents Amazon will ever ask you for your secret key.
7. After you download the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.
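To show what an access key pair is actually used for once it exists, the following is an added example (not code from this guide or from AWS) of signing a request with AWS Signature Version 4 in Python, using only the standard library. It uses the placeholder key pair printed above, which is not a real credential; the endpoint host grafana.us-east-1.amazonaws.com, the signing service name grafana, the /workspaces path and the fixed timestamp are assumptions made for the example.

```python
"""AWS Signature Version 4 signing with an IAM access key pair.

Added illustration, not AWS documentation code. Keys are the guide's
placeholder values; request details are constructed for the example.
"""
import hashlib
import hmac
from urllib.parse import quote

# Placeholder credentials copied from the guide's example output; not real keys.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Constructed request details (assumptions for the example).
EXAMPLE_HOST = "grafana.us-east-1.amazonaws.com"  # assumed endpoint host
EXAMPLE_SERVICE = "grafana"                       # assumed SigV4 service name
EXAMPLE_REGION = "us-east-1"
EXAMPLE_AMZ_DATE = "20210615T120000Z"             # fixed so output is reproducible


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the date/region/service-scoped signing key from the secret.

    The raw secret access key never leaves the client; only this derived
    key is used to compute the signature that goes on the wire.
    """
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, body, region, service,
                 access_key_id, secret, amz_date):
    """Return the Authorization header value for the given request."""
    date_stamp = amz_date[:8]
    # Canonical headers: lowercase names, collapsed whitespace, sorted by name.
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    canon["host"] = host
    canon["x-amz-date"] = amz_date
    signed_headers = ";".join(sorted(canon))
    canonical_headers = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items()))
    canonical_request = "\n".join([
        method, quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, _sha256_hex(body)])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        _sha256_hex(canonical_request.encode("utf-8"))])
    signing_key = derive_signing_key(secret, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def sign_example(secret: str = SECRET_ACCESS_KEY) -> str:
    """Sign a constructed GET /workspaces request (path is an assumption)."""
    return sign_request("GET", EXAMPLE_HOST, "/workspaces", {"maxResults": "10"},
                        {}, b"", EXAMPLE_REGION, EXAMPLE_SERVICE,
                        ACCESS_KEY_ID, secret, EXAMPLE_AMZ_DATE)


if __name__ == "__main__":
    print(sign_example())
```

Two points this makes concrete: the access key ID travels in the clear inside the Credential field, which is why it is safe to log it and why CloudTrail can attribute calls to it, while the secret is only ever an HMAC input; and the signing key is bound to a date, Region and service, so a leaked Authorization header is far less valuable than the secret itself. That asymmetry is the reason the secret must be stored only in a credential store or environment the SDK reads, never in source or email.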
Related topics
• What is IAM? in the IAM User Guide
• AWS security credentials in AWS General Reference
User authentication in Amazon Managed Grafana
Users are authenticated to use the Grafana console in an Amazon Managed Grafana workspace by single sign-on using your organization’s identity provider, instead of by IAM. Each workspace can use one or both of the following authentication methods:
• User credentials stored in identity providers (IdPs) that support Security Assertion Markup Language 2.0 (SAML 2.0)
• AWS Single Sign-On
For each of your workspaces, you can use SAML, AWS SSO, or both. If you begin by using one method, you can switch to using the other.
Topics
• Using SAML with your Amazon Managed Grafana workspace (p. 5)
• Using AWS SSO with your Amazon Managed Grafana workspace (p. 14)
Using SAML with your Amazon Managed Grafana workspace
SAML authentication support enables you to use your existing identity provider to offer single sign-on for logging into the Grafana console of your Amazon Managed Grafana workspaces. Rather than authenticating through IAM, SAML authentication for Amazon Managed Grafana lets you use third-party identity providers to log in, manage access control, search your data, and build visualizations. Amazon Managed Grafana supports identity providers that use the SAML 2.0 standard and has built and tested integration applications with Azure AD, CyberArk, Okta, OneLogin, and Ping Identity.
In the SAML authentication flow, an Amazon Managed Grafana workspace acts as the service provider (SP), and interacts with the IdP to obtain user information. For more information about SAML, see Security Assertion Markup Language.
You can map groups in your IdP to teams in the Amazon Managed Grafana workspace, and set fine-grained access permissions on those teams. You can also map organization roles that are defined in the IdP to roles in the Amazon Managed Grafana workspace. For example, if you have a Developer role defined in the IdP, you can map that role to the Grafana Admin role in the Amazon Managed Grafana workspace.
To sign in to the Amazon Managed Grafana workspace, a user visits the workspace's Grafana console home page and chooses Log in using SAML. The workspace reads the SAML configuration and redirects the user to the IdP for authentication. The user enters their user name and password in the IdP portal, and if they are a valid user, the IdP issues a SAML assertion and redirects the user back to the Amazon Managed Grafana workspace. Amazon Managed Grafana verifies that the SAML assertion is valid, and the user is signed in and can use the workspace.
Amazon Managed Grafana supports the following SAML 2.0 bindings:
• From the service provider (SP) to the identity provider (IdP):
• HTTP-POST binding
• HTTP-Redirect binding
• From the identity provider (IdP) to the service provider (SP):
• HTTP-POST binding
Amazon Managed Grafana supports signed and encrypted assertions, but does not support signed or encrypted requests.
Amazon Managed Grafana supports SP-initiated requests, and does not support IdP-initiated requests.
Assertion mapping
During the SAML authentication flow, Amazon Managed Grafana receives the assertion consumer service (ACS) callback. The callback contains all relevant information for the user being authenticated, embedded in the SAML response. Amazon Managed Grafana parses the response to create (or update) the user within its internal database.
When Amazon Managed Grafana maps the user information, it looks at the individual attributes within the assertion. You can think of these attributes as key-value pairs, although they contain more information than that.
Amazon Managed Grafana provides configuration options so that you can modify which keys to look at for these values.
You can use the Amazon Managed Grafana console to map the following SAML assertion attributes to values in Amazon Managed Grafana:
• For Assertion attribute role, specify the name of the attribute within the SAML assertion to use as the user roles.
• For Assertion attribute name, specify the name of the attribute within the SAML assertion to use for the user full "friendly" names for SAML users.
• For Assertion attribute login, specify the name of the attribute within the SAML assertion to use for the user sign-in names for SAML users.
• For Assertion attribute email, specify the name of the attribute within the SAML assertion to use for the user email names for SAML users.
• For Assertion attribute organization, specify the name of the attribute within the SAML assertion to use for the "friendly" name for user organizations.
• For Assertion attribute groups, specify the name of the attribute within the SAML assertion to use for the "friendly" name for user groups.
• For Allowed organizations, you can limit user access to only the users who are members of certain organizations in the IdP.
• For Editor role values, specify the user roles from your IdP who should all be granted the Editor role in the Amazon Managed Grafana workspace.
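The assertion mapping described above is easier to reason about as code. The following is an added example, not code from this guide or from the Amazon Managed Grafana service, that parses a constructed SAML assertion with Python's standard library and applies a mapping configuration of the same shape as the console options (role, name, login, email, organization and groups attribute names, Allowed organizations, Admin role values and Editor role values). The attribute names, the Developer/Analyst role values and the fallback to Viewer when no role value matches are assumptions for the example; the sample assertion is constructed and stands for a response whose signature has already been verified.

```python
"""Map SAML assertion attributes to a workspace user.

Added illustration of the mapping logic only; not the service's code.
Real SAML responses must be signature-verified and parsed with a hardened
XML parser before any attribute is trusted; this sample is constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (attribute names are assumptions for the example).
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML_NS}" ID="_example" Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mail"><saml2:AttributeValue>jane@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="displayName"><saml2:AttributeValue>Jane Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="role">
      <saml2:AttributeValue>Developer</saml2:AttributeValue>
      <saml2:AttributeValue>Analyst</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="org"><saml2:AttributeValue>platform</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>sre-oncall</saml2:AttributeValue>
      <saml2:AttributeValue>dashboards-editors</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


@dataclass(frozen=True)
class AssertionMapping:
    """Which assertion attribute feeds each user field, plus role/org rules."""
    role_attr: str = "role"
    name_attr: str = "displayName"
    login_attr: str = "mail"
    email_attr: str = "mail"
    org_attr: str = "org"
    groups_attr: str = "groups"
    allowed_orgs: frozenset = frozenset()        # empty means no restriction
    admin_role_values: frozenset = frozenset()
    editor_role_values: frozenset = frozenset()


# Mirrors the guide's example: an IdP "Developer" role becomes Grafana Admin.
DEFAULT_MAPPING = AssertionMapping(
    allowed_orgs=frozenset({"platform"}),
    admin_role_values=frozenset({"Developer"}),
    editor_role_values=frozenset({"Analyst"}),
)


def parse_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_user(attrs: dict, mapping: AssertionMapping) -> dict:
    """Apply the mapping; attribute names are matched case-sensitively."""
    def first(attr_name):
        values = attrs.get(attr_name, [])
        return values[0] if values else None

    login = first(mapping.login_attr)
    if not login:
        raise ValueError(f"assertion lacks login attribute {mapping.login_attr!r}")
    orgs = attrs.get(mapping.org_attr, [])
    if mapping.allowed_orgs and not mapping.allowed_orgs.intersection(orgs):
        raise PermissionError("user is not a member of an allowed organization")
    idp_roles = set(attrs.get(mapping.role_attr, []))
    if idp_roles & mapping.admin_role_values:
        role = "Admin"
    elif idp_roles & mapping.editor_role_values:
        role = "Editor"
    else:
        role = "Viewer"  # assumed fallback when no configured role value matches
    return {
        "login": login,
        "email": first(mapping.email_attr) or login,
        "name": first(mapping.name_attr) or login,
        "role": role,
        "orgs": orgs,
        "groups": attrs.get(mapping.groups_attr, []),
    }


def is_rejected(attrs: dict, mapping: AssertionMapping) -> bool:
    """True when the mapping refuses to create a user from these attributes."""
    try:
        map_user(attrs, mapping)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    print(map_user(parse_attributes(SAMPLE_ASSERTION), DEFAULT_MAPPING))
```

Running it shows why the console warns that attribute names are case sensitive: a mapping configured with login attribute Mail rejects an assertion that carries mail, and a user whose IdP roles match none of the configured values lands in the least-privileged role rather than failing open. Allowed organizations is an allow list, so leaving it empty admits every authenticated user the IdP assigns to the application.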
Required IAM permissions to create a workspace that uses SAML
When you create an Amazon Managed Grafana workspace that uses an IdP and SAML for authorization, you must be signed in as an IAM principal that has the AWSGrafanaAccountAdministrator policy attached.
Connecting to your identity provider
The following external identity providers have been tested with Amazon Managed Grafana and provide applications directly in their app directories or galleries to help you configure Amazon Managed Grafana with SAML.
Topics
• Azure Active Directory (p. 7)
• CyberArk (p. 8)
• Okta (p. 10)
• OneLogin (p. 11)
• Ping Identity (p. 12)
Azure Active Directory
Use the following steps to configure Amazon Managed Grafana to use Azure Active Directory as an identity provider. These steps assume that you have already created your Amazon Managed Grafana workspace and you have made a note of the workspace's ID, URLs, and Region.
Step 1: Steps to complete in Azure Active Directory
Complete the following steps in Azure Active Directory.
To set up Azure Active Directory as an identity provider for Amazon Managed Grafana
1. Sign in to the Azure console as an admin.
2. Choose Azure Active Directory.
3. Choose Enterprise Applications.
4. Search for Amazon Managed Grafana SAML2.0, and select it.
5. Select the application and choose Setup.
6. In the Azure Active Directory application configuration, choose Users and groups.
7. Assign the application to the users and groups that you want.
8. Choose Single sign-on.
9. Choose Next to get to the SAML configuration page.
10. Specify your SAML settings:
• For Identifier (Entity ID), paste in your Service provider identifier URL from the Amazon Managed Grafana workspace.
• For Reply URL (Assertion Consumer Service URL), paste in your Service provider reply from the Amazon Managed Grafana workspace.
• Make sure that Sign Assertion is selected and that Encrypt Assertion is not selected.
11. In the User Attributes & Claims section, make sure that these attributes are mapped. They are case sensitive.
• mail is set with user.userprincipalname.
• displayName is set with user.displayname.
• Unique User Identifier is set with user.userprincipalname.
• Add any other attributes that you would like to pass. For more information about the attributes that you can pass to Amazon Managed Grafana in the assertion mapping, see Assertion mapping (p. 6).
12. Copy the SAML Metadata URL. You will use it in the Amazon Managed Grafana workspace configuration.
Step 2: Steps to complete in Amazon Managed Grafana
Complete the following steps in the Amazon Managed Grafana console.
To finish setting up Azure Active Directory as an identity provider for Amazon Managed Grafana
1. Open the Amazon Managed Grafana console at https://console.aws.amazon.com/grafana/.
2. In the navigation pane, choose the menu icon.
3. Choose All workspaces.
4. Choose the name of the workspace.
5. In the Authentication tab, choose Setup SAML configuration.
6. Under Import the metadata, choose Upload or copy/paste and paste the Azure Active Directory URL that you copied from SAML Metadata URL in the previous section.
7. Under Assertion mapping, do the following:
• Make sure that I want to opt-out of assigning admins to my workspace is not selected.
Note
If you choose I want to opt-out of assigning admins to my workspace, you won't be able to use the Amazon Managed Grafana workspace console to administer the workspace, including tasks such as managing data sources, users, and dashboard permissions. You can make administrative changes to the workspace only by using Grafana APIs.
• Set Assertion attribute role to the attribute name that you chose.
• Set Admin role values to the value corresponding to your admin users' roles.
• (Optional) If you changed the default attributes in your Azure Active Directory application, expand Additional settings - optional and then set the new attribute names.
By default, the Azure displayName attribute will be passed as the Name attribute and the Ping Identity mail attribute will be passed to both the email and login attributes.
8. Choose Save SAML Configuration.
CyberArk
Use the following steps to configure Amazon Managed Grafana to use CyberArk as an identity provider.
These steps assume that you have already created your Amazon Managed Grafana workspace and you have made a note of the workspace's ID, URLs, and Region.
Step 1: Steps to complete in CyberArk
Complete the following steps in CyberArk.
To set up CyberArk as an identity provider for Amazon Managed Grafana
1. Sign in to the CyberArk Identity Admin Portal.
2. Choose Apps, Web Apps.
3. Choose Add Web App.
4. Search for Amazon Managed Grafana for SAML2.0, and choose Add.
5. In the CyberArk application configuration, go to the Trust section.
6. Under Identity Provider Configuration, choose Metadata.
7. Choose Copy URL and save the URL to use later in these steps.
8. Under Service Provider Configuration, choose Manual Configuration.
9. Specify your SAML settings:
• For SP Entity ID, paste in your Service provider identifier URL from the Amazon Managed Grafana workspace.
• For Assertion Consumer Service (ACS) URL, paste in your Service provider reply from the Amazon Managed Grafana workspace.
• Set Sign Response Assertion to Assertion.
• Make sure that NameID Format is emailAddress.
10. Choose Save.
11. In the SAML Response section, make sure that the Amazon Managed Grafana attribute is in Application Name and that the CyberArk attribute is in Attribute Value. Then make sure that the following attributes are mapped. They are case sensitive.
• displayName is set with LoginUser.DisplayName.
• mail is set with LoginUser.Email.
• Add any other attributes that you would like to pass. For more information about the attributes that you can pass to Amazon Managed Grafana in the assertion mapping, see Assertion mapping (p. 6).
12. Choose Save.
13. In the Permissions section, choose which users and groups to assign this application to, and then choose Save.
Step 2: Steps to complete in Amazon Managed Grafana
Complete the following steps in the Amazon Managed Grafana console.
To finish setting up CyberArk as an identity provider for Amazon Managed Grafana
1. Open the Amazon Managed Grafana console at https://console.aws.amazon.com/grafana/.
2. In the navigation pane, choose the menu icon.
3. Choose All workspaces.
4. Choose the name of the workspace.
5. In the Authentication tab, choose Setup SAML configuration.
6. Under Import the metadata, choose Upload or copy/paste and paste the CyberArk URL that you copied in the previous procedure.
7. Under Assertion mapping, do the following:
• Make sure that I want to opt-out of assigning admins to my workspace is not selected.
Note
If you choose I want to opt-out of assigning admins to my workspace, you won't be able to use the Amazon Managed Grafana workspace console to administer the workspace, including tasks such as managing data sources, users, and dashboard permissions. You can make administrative changes to the workspace only by using Grafana APIs.
• Set Assertion attribute role to the attribute name that you chose.
• Set Admin role values to the value corresponding to your admin users' roles.
• (Optional) If you changed the default attributes in your CyberArk application, expand Additional settings - optional and then set the new attribute names.
By default, the CyberArk displayName attribute will be passed to the name attribute and the CyberArk mail attribute will be passed to both the email and login attributes.
8. Choose Save SAML Configuration.
Okta
Use the following steps to configure Amazon Managed Grafana to use Okta as an identity provider.
These steps assume that you have already created your Amazon Managed Grafana workspace and you have made a note of the workspace's ID, URLs, and Region.
Step 1: Steps to complete in Okta
Complete the following steps in Okta.
To set up Okta as an identity provider for Amazon Managed Grafana
1. Sign in to the Okta console as an admin.
2. In the left panel, choose Applications, Applications.
3. Choose Browse App Catalog and search for Amazon Managed Grafana.
4. Choose Amazon Managed Grafana and choose Add, Done.
5. Choose the application to start setting it up.
6. In the Sign On tab, choose Edit.
7. Under Advanced Sign-on Settings, enter your Amazon Managed Grafana workspace ID and your Region in the Name Space and Region fields, respectively. Your Amazon Managed Grafana workspace ID and Region can be found in your Amazon Managed Grafana workspace URL, which is of the format workspace-id.grafana-workspace.Region.amazonaws.com.
8. Choose Save.
9. Under SAML 2.0, copy the URL for Identity Provider metadata. You will use this later in this procedure in the Amazon Managed Grafana console.
10. In the Assignments tab, choose the People and Groups that you want to be able to use Amazon Managed Grafana.
Step 2: Steps to complete in Amazon Managed Grafana
Complete the following steps in the Amazon Managed Grafana console.
To finish setting up Okta as an identity provider for Amazon Managed Grafana
1. Open the Amazon Managed Grafana console at https://console.aws.amazon.com/grafana/.
2. In the navigation pane, choose the menu icon.
3. Choose All workspaces.
4. Choose the name of the workspace.
5. In the Authentication tab, choose Complete Setup.
6. Under Import the meta data, choose Upload or copy/paste and paste the Okta URL that you copied in the previous procedure.
7. Under Assertion mapping, do the following:
• Make sure that I want to opt-out of assigning admins to my workspace is not selected.
Note
If you choose I want to opt-out of assigning admins to my workspace, you won't be able to use the Amazon Managed Grafana workspace console to administer the workspace, including tasks such as managing data sources, users, and dashboard permissions. You can make administrative changes to the workspace only by using Grafana APIs.
• Set Assertion attribute role to the attribute name that you chose.
• Set Admin role values to the value or values that correspond to your admin users' roles.
• (Optional) If you changed the default attributes in your Okta application, expand Additional settings - optional and then set the new attribute names.
By default, the Okta displayName attribute will be passed to the name attribute and the Okta mail attribute will be passed to both the email and login attributes.
8. Choose Save SAML Configuration.
OneLogin
Use the following steps to configure Amazon Managed Grafana to use OneLogin as an identity provider.
These steps assume that you have already created your Amazon Managed Grafana workspace and you have made a note of the workspace's ID, URLs, and Region.
Step 1: Steps to complete in OneLogin
Complete the following steps in OneLogin.
To set up OneLogin as an identity provider for Amazon Managed Grafana
1. Sign in to the OneLogin portal as an administrator.
2. Choose Applications, Applications, Add app.
3. Search for Amazon Managed Service for Grafana.
4. Assign a Display name of your choice and choose Save.
5. Navigate to Configuration and enter the Amazon Managed Grafana workspace ID in Namespace, and enter the Region of your Amazon Managed Grafana workspace.
6. In the Configuration tab, enter your Amazon Managed Grafana workspace URL.
7. You can leave the adminRole parameter at the default No Default and populate it using the Rules tab, if an admin requires a corresponding value in Amazon Managed Grafana. In this example, the Assertion attribute role would be set to adminRole in Amazon Managed Grafana, with a value of true. You can point this value to any attribute in your tenant. Choose + to add and configure parameters to meet your organization's requirements.
8. Choose the Rules tab, choose Add Rule, and give your rule a name. In the Conditions field (the if statement), add Email contains [email address]. In the Actions field (the then statement), select Set AdminRole in Amazon Managed Service, and select Macro in the Set adminRole to dropdown, with a value of true. Your organization may choose different rules to resolve different use cases.
9. Choose Save. Go to More Actions and choose Reapply entitlement mappings. You must reapply mappings any time that you create or update rules.
10. Make a note of the Issuer URL, which you will use later in the configuration in the Amazon Managed Grafana console. Then choose Save.
11. Choose the Access tab to assign the OneLogin roles that are to access Amazon Managed Grafana and select an app security policy.
Step 2: Steps to complete in Amazon Managed Grafana
Complete the following steps in the Amazon Managed Grafana console.
To finish setting up OneLogin as an identity provider for Amazon Managed Grafana
1. Open the Amazon Managed Grafana console at https://console.aws.amazon.com/grafana/.
2. In the navigation pane, choose the menu icon.
3. Choose All workspaces.
4. Choose the name of the workspace.
5. In the Authentication tab, choose Setup SAML configuration.
6. Under Import the metadata, choose Upload or copy/paste and paste the OneLogin Issuer URL that you copied from the OneLogin console in the previous procedure.
7. Under Assertion mapping, do the following:
• Make sure that I want to opt-out of assigning admins to my workspace is not selected.
Note
If you choose I want to opt-out of assigning admins to my workspace, you won't be able to use the Amazon Managed Grafana workspace console to administer the workspace, including tasks such as managing data sources, users, and dashboard permissions. You can make administrative changes to the workspace only by using Grafana APIs.
• Set Assertion attribute role to the attribute name that you chose. The default value for OneLogin is adminRole.
• Set Admin role values to the value or values that correspond to your admin users' roles.
• (Optional) If you changed the default attributes in your OneLogin application, expand Additional settings - optional and then set the new attribute names.
By default, the OneLogin displayName attribute will be passed to the name attribute and the OneLogin mail attribute will be passed to both the email and login attributes.
8. Choose Save SAML Configuration.
Ping Identity
Use the following steps to configure Amazon Managed Grafana to use Ping Identity as an identity provider. These steps assume that you have already created your Amazon Managed Grafana workspace and you have made a note of the workspace's ID, URLs, and Region.
Step 1: Steps to complete in Ping Identity
Complete the following steps in Ping Identity.
To set up Ping Identity as an identity provider for Amazon Managed Grafana
1. Sign in to the Ping Identity console as an admin.
2. Choose Applications.
3. Choose Add Application, Search Application Catalog.
4. Search for the Amazon Managed Grafana for SAML application, then choose it and choose Setup.
5. In the Ping Identity application, choose Next to get to the SAML configuration page. Then make the following SAML settings:
• For Assertion Consumer Service, paste in your Service provider reply URL from the Amazon Managed Grafana workspace.
• For Entity ID, paste in your Service provider identifier from the Amazon Managed Grafana workspace.
• Make sure that Sign Assertion is selected and that Encrypt Assertion is not selected.
6. Choose Continue to Next Step.
7. In SSO Attribute Mapping, make sure that the Amazon Managed Grafana attribute is in Application Attribute and that the Ping Identity attribute is in the Identity Bridge Attribute. Then make the following settings:
• mail must be Email (Work).
• displayName must be Display Name.
• SAML_SUBJECT must be Email (Work). And then for this attribute, choose Advanced, set the Name ID Format to send to SP to urn:oasis:names:tc:SAML:2.0:nameid-format:transient and choose Save.
• Add any other attributes that you would like to pass. For more information about the attributes that you can pass to Amazon Managed Grafana in the assertion mapping, see Assertion mapping (p. 6).
8. Choose Continue to Next Step.
9. In Group Access, choose which groups to assign this application to.
10. Choose Continue to Next Step.
11. Copy the SAML Metadata URL, which starts with https://admin-api.pingone.com/latest/metadata/. You will use this later in the configuration.
12. Choose Finish.
Step 2: Steps to complete in Amazon Managed Grafana
Complete the following steps in the Amazon Managed Grafana console.
To finish setting up Ping Identity as an identity provider for Amazon Managed Grafana
1. Open the Amazon Managed Grafana console at https://console.aws.amazon.com/grafana/.
2. In the navigation pane, choose the menu icon.
3. Choose All workspaces.
4. Choose the name of the workspace.
5. In the Authentication tab, choose Setup SAML configuration.
6. Under Import the metadata, choose Upload or copy/paste and paste the Ping URL that you copied in the previous procedure.
7. Under Assertion mapping, do the following:
• Make sure that I want to opt-out of assigning admins to my workspace is not selected.
Note
If you choose I want to opt-out of assigning admins to my workspace, you won't be able to use the Amazon Managed Grafana workspace console to administer the workspace, including tasks such as managing data sources, users, and dashboard permissions. You can make administrative changes to the workspace only by using Grafana APIs.
• Set Assertion attribute role to the attribute name that you chose.
• Set Admin role values to the value or values that correspond to your admin users' roles.
• (Optional) If you changed the default attributes in your Ping Identity application, expand Additional settings - optional and then set the new attribute names.
By default, the Ping Identity displayName attribute will be passed to the name attribute and the Ping Identity mail attribute will be passed to both the email and login attributes.
8. Choose Save SAML Configuration.
Using AWS SSO with your Amazon Managed Grafana workspace
Amazon Managed Grafana integrates with AWS SSO to provide identity federation for your workforce.
Using Amazon Managed Grafana and AWS SSO, users are redirected to their existing company directory to sign in with their existing credentials. Then, they are seamlessly signed in to their Amazon Managed Grafana workspace. This ensures that security settings such as password policies and two-factor authentication are enforced. Using AWS SSO does not impact your existing IAM configuration.
If you do not have an existing user directory or prefer not to federate, AWS SSO offers an integrated user directory that you can use to create users and groups for Amazon Managed Grafana. Amazon Managed Grafana does not support the use of IAM users and roles to assign permissions within an Amazon Managed Grafana workspace.
For more information about AWS SSO, see What is AWS Single Sign-On. For more information about getting started with AWS SSO, see Getting started.
To use AWS SSO, you must also have AWS Organizations activated for the account. If needed, Amazon Managed Grafana can activate Organizations for you when you create your first workspace that is configured to use AWS SSO.
Required permissions for scenarios using AWS SSO
This section explains the policies that are required for several scenarios for using Amazon Managed Grafana with AWS SSO.
Grafana administrator in a management account using AWS SSO
To grant an IAM user or an IAM role the permissions to create and manage Amazon Managed Grafana workspaces across an entire organization, and to enable dependencies such as AWS SSO, assign the AWSGrafanaAccountAdministrator, AWSSSOMasterAccountAdministrator and the AWSSSODirectoryAdministrator policies to that IAM user or IAM role. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the AWSMarketplaceManageSubscriptions IAM policy or the equivalent permissions.
If you want to use service-managed permissions when you create an Amazon Managed Grafana workspace, the user who creates the workspace must also have the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions. These are required to use AWS CloudFormation StackSets to deploy policies that enable you to read data sources in the organization's accounts.
Important
Granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role. Be very careful about who you grant these permissions to.
To see the permissions granted to AWSGrafanaAccountAdministrator, see AWSGrafanaAccountAdministrator policy contents (p. 413)
Grafana administrator in a member account using AWS SSO
To grant permissions to create and manage Amazon Managed Grafana workspaces in the member account of an organization, assign the AWSGrafanaAccountAdministrator, AWSSSOMemberAccountAdministrator and the AWSSSODirectoryAdministrator policies to that IAM user or IAM role. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the AWSMarketplaceManageSubscriptions IAM policy or the equivalent permissions.
If you want to use service-managed permissions when you create an Amazon Managed Grafana workspace, the user who creates the workspace must also have the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions. These are required to enable the user to read data sources in the account.
Important
Granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role. Be very careful about who you grant these permissions to.
To see the permissions granted to AWSGrafanaAccountAdministrator, see AWSGrafanaAccountAdministrator policy contents (p. 413)
Create and manage Amazon Managed Grafana workspaces and users in a single standalone account using AWS SSO
A standalone AWS account is an account that is not yet a member of an organization. For more information about organizations, see What is AWS Organizations?
To grant an IAM user or an IAM role permission to create and manage Amazon Managed Grafana workspaces and users in a standalone account, assign the AWSGrafanaAccountAdministrator, AWSSSOMasterAccountAdministrator, AWSOrganizationsFullAccess and AWSSSODirectoryAdministrator policies to that IAM user or IAM role. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the AWSMarketplaceManageSubscriptions IAM policy or the equivalent permissions.
Important
Granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role. Be very careful about who you grant these permissions to.
To see the permissions granted to AWSGrafanaAccountAdministrator, see AWSGrafanaAccountAdministrator policy contents (p. 413)
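The Important notes above say that iam:CreateRole, iam:CreatePolicy and iam:AttachRolePolicy together are equivalent to full administrative access. The following checker is an added example, not AWS code and not part of this guide: it walks the Allow statements of an IAM policy document, expands IAM action wildcards (iam:*, iam:Create*, NotAction), and reports whether all three actions are granted and whether any grant is unrestricted (Resource "*" with no Condition). The two sample policies are constructed for the example; the AmazonGrafana* role-name prefix, the account ID and the GrafanaBoundary permissions-boundary ARN are assumptions, shown only to illustrate a scoped alternative to the bare grant.

```python
"""Flag IAM policy documents that grant the role-creation trio this guide warns about.

Added example, not AWS's own code. Explicit Deny statements are not evaluated:
in IAM an explicit Deny always wins, so a reviewer must check for them separately.
"""
from __future__ import annotations

import fnmatch
import json

ESCALATION_TRIO = ("iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy")


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_grants(stmt: dict, action: str) -> bool:
    """True when an Allow statement covers the action, via Action or NotAction."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # NotAction allows everything except what is listed.
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def _unrestricted(stmt: dict) -> bool:
    """True when the statement applies to every resource and has no Condition."""
    return "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt


def assess(policy: dict) -> dict:
    """Summarise how the policy grants the three escalation actions.

    verdict: "admin-equivalent" (all three, at least one unrestricted grant each),
             "scoped" (all three, but every grant is bounded by Resource or Condition),
             "partial" (some of the three) or "none".
    """
    per_action = {}
    for action in ESCALATION_TRIO:
        granting = [s for s in _as_list(policy.get("Statement")) if _statement_grants(s, action)]
        per_action[action] = {
            "granted": bool(granting),
            "unrestricted": any(_unrestricted(s) for s in granting),
        }
    granted = [a for a, v in per_action.items() if v["granted"]]
    if len(granted) == 3 and all(v["unrestricted"] for v in per_action.values()):
        verdict = "admin-equivalent"
    elif len(granted) == 3:
        verdict = "scoped"
    elif granted:
        verdict = "partial"
    else:
        verdict = "none"
    return {"verdict": verdict, "actions": per_action}


# Constructed sample: the bare grant the guide describes for service-managed workspaces.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy"],
    "Resource": "*"
  }]
}""")

# Constructed sample: same actions, limited to AmazonGrafana* roles and policies, and
# CreateRole/AttachRolePolicy only when the role carries a permissions boundary.
# The prefix, account ID and boundary ARN are assumptions for the example.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:CreateRole", "iam:AttachRolePolicy"],
      "Resource": "arn:aws:iam::*:role/AmazonGrafana*",
      "Condition": {"StringEquals": {
        "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/GrafanaBoundary"}}
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreatePolicy",
      "Resource": "arn:aws:iam::*:policy/AmazonGrafana*"
    }
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, assess(policy)["verdict"])
```

Run assess() over each policy attached to the principal that will create workspaces; a verdict of admin-equivalent means that principal should be treated exactly like one holding AdministratorAccess, which is the point the Important notes make.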
Getting started with Amazon Managed Grafana
This tutorial helps you get started with Amazon Managed Grafana. Create your first workspace, and then connect to the Grafana console in that workspace.
A workspace is a logical Grafana server. You can have as many as five workspaces in each Region in your account.
Topics
• User authentication (p. 16)
• Necessary permissions (p. 16)
• Create your first workspace (p. 17)
User authentication
For user authentication, Amazon Managed Grafana supports the following options:
• User credentials stored in identity providers (IdPs), with authentication by Security Assertion Markup Language 2.0 (SAML 2.0)
• AWS Single Sign-On
SAML
If you use SAML, your users must already be created in an identity provider. Amazon Managed Grafana supports identity providers that support SAML 2.0. For more information, see Using SAML with your Amazon Managed Grafana workspace (p. 5).
AWS SSO
When you create a workspace and choose to use AWS SSO for authentication, Amazon Managed Grafana activates AWS SSO in your account if you are not already using it. For more information about AWS SSO, see What is AWS Single Sign-On.
To use AWS SSO with Amazon Managed Grafana, you must also have AWS Organizations activated in your account. If you don't have it activated already, Amazon Managed Grafana activates it when it activates AWS SSO. If Amazon Managed Grafana enables Organizations, it also creates an organization for you. For more information about Organizations, see What is AWS Organizations.
Note
To create a workspace in an account that is already a member of an AWS organization, AWS SSO must be enabled in the management account of the organization. If you enabled AWS SSO in the management account before November 25, 2019, you must also enable AWS SSO-integrated applications in the management account. For more information, see AWS SSO-integrated applications.
Necessary permissions
To create a workspace that uses an IdP and SAML for user authentication, you must be signed on to an IAM principal that has the AWSGrafanaAccountAdministrator policy attached.
To create your first workspace that uses AWS SSO for user authentication, you must be signed on to an IAM principal that has at least the following policies attached:
• AWSGrafanaAccountAdministrator
• AWSSSOMemberAccountAdministrator
• AWSSSODirectoryAdministrator
For more information, see Create and manage Amazon Managed Grafana workspaces and users in a single standalone account using AWS SSO (p. 412).
Create your first workspace
Use the following steps to create your first workspace.
To create a workspace in Amazon Managed Grafana
1. Open the Amazon Managed Grafana console at https://console.aws.amazon.com/grafana/.
2. Choose Create workspace.
3. For Workspace name, enter a name for the workspace.
Optionally, enter a description for the workspace.
4. Choose Next.
5. For Authentication access, select AWS Single Sign-On (AWS SSO), Security Assertion Markup Language (SAML), or both.
• AWS SSO— If you select AWS SSO and you have not already enabled AWS Single Sign-On in your account, you are prompted to enable it by creating your first AWS SSO user. AWS SSO handles user management for access to Amazon Managed Grafana workspaces.
To enable AWS SSO, follow these steps:
a. Choose Create user.
b. Enter an email address, first name, and last name for the user, and choose Create user. For this tutorial, use the name and email address of the account that you want to use to try out Amazon Managed Grafana. You will receive an email message prompting you to create a password for this account for AWS SSO.
Important
The user that you create does not automatically have access to your Amazon Managed Grafana workspace. You provide the user with access to the workspace in the workspace details page in a later step.
• SAML— If you select SAML, you will complete the SAML setup after the workspace is created.
6. Choose Next.
7. For this first workspace, confirm that Service managed is selected for Permission type. This selection enables Amazon Managed Grafana to automatically provision the permissions you need for the AWS data sources that you choose to use for this workspace.
8. For this tutorial, choose Current account.
9. (Optional) Select the data sources that you want to query in this workspace. For this getting started tutorial, you do not need to select any data sources. However, if you plan to use this workspace with any of the listed data sources, select them here.
Selecting data sources enables Amazon Managed Grafana to create AWS Identity and Access Management (IAM) policies for each of the data sources so that Amazon Managed Grafana has permission to read their data. This does not completely set up these services as data sources for the Grafana workspace. You can do that within the Grafana workspace console.
10. (Optional) If you want Grafana alerts from this workspace to be sent to an Amazon Simple Notification Service (Amazon SNS) notification channel, select Amazon SNS. This enables Amazon Managed Grafana to create an IAM policy to publish to the Amazon SNS topics in your account with TopicName values that start with grafana. This does not completely set up Amazon SNS as a notification channel for the workspace. You can do that within the Grafana console in the workspace.
11. Choose Next.
12. Confirm the workspace details, and choose Create workspace.
The workspace details page appears.
Initially, the Status is CREATING.
Important
Wait until the status is ACTIVE before doing either of the following:
• Completing the SAML setup, if you are using SAML.
• Assigning your AWS SSO users access to the workspace, if you are using AWS SSO.
You might need to refresh your browser to see the current status.
13. If you are using AWS SSO, do the following:
a. In the Authentication tab, choose Assign new user or group.
b. Select the check box next to the user that you want to grant workspace access to, and choose Assign user.
c. Select the check box next to the user, and choose Make admin.
Important
Assign at least one user as Admin for each workspace, in order to sign in to the Grafana workspace console to manage the workspace.
14. If you are using SAML, do the following:
a. In the Authentication tab, under Security Assertion Markup Language (SAML), choose Complete setup.
b. For Import method, do one of the following:
• Choose URL and enter the URL of the IdP metadata.
• Choose Upload or copy/paste. If you are uploading the metadata, choose Choose file and select the metadata file. Or, if you are using copy and paste, copy the metadata into Import the metadata.
c. For Assertion attribute role, enter the name of the SAML assertion attribute from which to extract role information.
d. For Admin role values, either enter the user roles from your IdP who should all be granted the Admin role in the Amazon Managed Grafana workspace, or select I want to opt-out of assigning admins to my workspace.
Note
If you choose I want to opt-out of assigning admins to my workspace, you won't be able to use the Grafana workspace console to administer the workspace, including tasks such as managing data sources, users, and dashboard permissions. You can make administrative changes to the workspace only by using Grafana APIs.
e. (Optional) To enter additional SAML settings, choose Additional settings and do one or more the following. All of these fields are optional.
• For Assertion attribute name, specify the name of the attribute within the SAML assertion to use for the user full "friendly" names for SAML users.
• For Assertion attribute login, specify the name of the attribute within the SAML assertion to use for the user sign-in names for SAML users.
• For Assertion attribute email, specify the name of the attribute within the SAML assertion to use for the user email names for SAML users.
• For Login validity duration (in minutes), specify how long a SAML user's sign-in is valid before the user must sign in again.
• For Assertion attribute organization, specify the name of the attribute within the SAML assertion to use for the "friendly" name for user organizations.
• For Assertion attribute groups, specify the name of the attribute within the SAML assertion to use for the "friendly" name for user groups.
• For Allowed organizations, you can limit user access to only the users who are members of certain organizations in the IdP. Enter one or more organizations to allow, separating them with commas.
• For Editor role values, enter the user roles from your IdP who should all be granted the Editor role in the Amazon Managed Grafana workspace. Enter one or more roles, separated by commas.
Note
Any users that are not specifically assigned an Admin or Editor role will be assigned as Viewers.
f. Choose Save SAML configuration.
15. In the workspace details page, choose the URL displayed under Grafana workspace URL.
16. Choosing the workspace URL takes you to the landing page for the Grafana workspace console. Do one of the following:
• Choose Sign in with SAML, and enter the user name and password for your identity provider.
• Choose Sign in with AWS SSO, and enter the email address and password of the user that you created earlier in this procedure. These credentials only work if you have responded to the email from Amazon Managed Grafana that prompted you to create a password for AWS SSO.
You are now in your Grafana workspace, or logical Grafana server. You can start adding data sources to query, visualize, and analyze data. For more information, see Working in your Grafana workspace (p. 27).
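The SAML settings in the procedure above (Assertion attribute role, Admin role values, Editor role values, Allowed organizations, and the default displayName and mail attributes) decide what a signed-in SAML user can do in the workspace; the same mapping is used in the Okta, OneLogin and Ping Identity sections earlier. The following is an added example, not AWS code and not part of this guide: it parses a SAML assertion and applies those rules the way the guide states them (Admin, then Editor, everything else Viewer; users outside Allowed organizations are rejected), and it refuses an assertion that is encrypted or has no Signature element, matching the Ping Identity requirement that Sign Assertion is on and Encrypt Assertion is off. It checks only that a Signature is present, not that it verifies, since that needs the IdP certificate from the imported metadata. The assertion produced by sample_assertion() is constructed for the example, and the tie-break when a multi-valued role attribute matches both Admin and Editor values is an assumption.

```python
"""Resolve a Grafana workspace role from a SAML assertion's attributes.

Added example, not AWS's own code. Applies the Assertion mapping rules from the
SAML setup steps; Signature presence is checked, its validity is not.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


@dataclass
class SamlMapping:
    """Mirror of the console's Assertion mapping fields; defaults as the guide states."""
    role_attr: str = "role"
    admin_values: set = field(default_factory=set)
    editor_values: set = field(default_factory=set)
    name_attr: str = "displayName"
    login_attr: str = "mail"
    email_attr: str = "mail"
    org_attr: Optional[str] = None
    allowed_orgs: set = field(default_factory=set)


def attribute_values(assertion: ET.Element) -> dict[str, list[str]]:
    """Collect every Attribute in the AttributeStatement as name -> [values]."""
    attrs: dict[str, list[str]] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def resolve(assertion_xml: str, mapping: SamlMapping) -> dict:
    """Return the login, email, name and Grafana role the assertion maps to."""
    root = ET.fromstring(assertion_xml)
    if root.tag == "{%s}EncryptedAssertion" % NS["saml"]:
        raise ValueError("encrypted assertion: turn Encrypt Assertion off in the IdP")
    if root.find("ds:Signature", NS) is None:
        raise ValueError("unsigned assertion: turn Sign Assertion on in the IdP")

    attrs = attribute_values(root)
    if mapping.allowed_orgs:
        orgs = set(attrs.get(mapping.org_attr or "", []))
        if not orgs & mapping.allowed_orgs:
            raise PermissionError(f"organization(s) {sorted(orgs)} not in Allowed organizations")

    # Admin wins over Editor when a multi-valued role attribute matches both
    # (assumption for this example; the guide does not state the tie-break).
    roles = set(attrs.get(mapping.role_attr, []))
    if roles & mapping.admin_values:
        role = "Admin"
    elif roles & mapping.editor_values:
        role = "Editor"
    else:
        role = "Viewer"  # the guide: anyone not Admin or Editor is a Viewer

    def first(name: str) -> str:
        return (attrs.get(name) or [""])[0]

    name_id = root.find("saml:Subject/saml:NameID", NS)
    return {
        "login": first(mapping.login_attr),
        "email": first(mapping.email_attr),
        "name": first(mapping.name_attr),
        "role": role,
        "transient_name_id": name_id is not None and name_id.get("Format") == TRANSIENT,
    }


def sample_assertion(roles: list[str], org: str = "platform", signed: bool = True) -> str:
    """Constructed assertion for the example; the signature value is a placeholder."""
    role_values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    signature = ("<ds:Signature><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>"
                 if signed else "")
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_example" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  {signature}
  <saml:Subject><saml:NameID Format="{TRANSIENT}">_tx1</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role">{role_values}</saml:Attribute>
    <saml:Attribute Name="org"><saml:AttributeValue>{org}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    mapping = SamlMapping(admin_values={"grafana-admins"}, editor_values={"grafana-editors"},
                          org_attr="org", allowed_orgs={"platform"})
    print(resolve(sample_assertion(["grafana-admins"]), mapping))
```

A useful habit before saving the SAML configuration is to capture one real assertion from the IdP (browser developer tools on the POST to the Service provider reply URL, base64-decoded) and run it through a mapping like this one: a mistyped Assertion attribute role or a group value that does not match Admin role values silently produces Viewers, and if it happens to every user the workspace has no administrator, which is the situation the opt-out note warns about.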
Managing workspaces, users, and policies
The topics in this section explain how to manage your workspaces, users, and policies in Amazon Managed Grafana.
Topics
• Creating a workspace (p. 20)
• Managing user and group access to Amazon Managed Grafana (p. 24)
• Managing permissions for data sources and notification channels (p. 25)
• Deleting a workspace (p. 26)
Creating a workspace
A workspace is a logical Grafana server. You can have as many as five workspaces in each Region in your account.
User authentication in a workspace
For user authentication, Amazon Managed Grafana supports the following options:
• User credentials stored in identity providers (IdPs), with authentication by Security Assertion Markup Language 2.0 (SAML 2.0)
• AWS Single Sign-On
SAML
If you use SAML, your users must already be created in an identity provider. Amazon Managed Grafana supports any identity provider that supports SAML 2.0. For more information, see Using SAML with your Amazon Managed Grafana workspace (p. 5).
AWS SSO
When you create a workspace and choose to use AWS SSO for authentication, Amazon Managed Grafana activates AWS SSO in your account if you are not already using it. For more information about AWS SSO, see What is AWS Single Sign-On.
To use AWS SSO with Amazon Managed Grafana, you must also have AWS Organizations activated in your account. If you don't have it activated already, Amazon Managed Grafana activates it when it activates AWS SSO. If Amazon Managed Grafana enables Organizations, it also creates an organization for you. For more information about Organizations, see What is AWS Organizations.
Note
To create a workspace in an account that is already a member of an AWS organization, AWS SSO must be enabled in the management account of the organization. If you enabled AWS SSO in the management account before November 25, 2019, you must also enable AWS SSO-integrated applications in the management account. For more information, see AWS SSO-integrated applications.
Necessary permissions
To create a workspace that uses an IdP and SAML for user authentication, you must be signed on to an AWS Identity and Access Management (IAM) principal that has the AWSGrafanaAccountAdministrator policy attached.
To create your first workspace that uses AWS SSO for user authentication, you must be signed on to an IAM principal that has at least the following policies attached:
• AWSGrafanaAccountAdministrator
• AWSSSOMemberAccountAdministrator
• AWSSSODirectoryAdministrator
For more information, see Create and manage Amazon Managed Grafana workspaces and users in a single standalone account using AWS SSO (p. 412).
To create a workspace, follow these steps.
To create a workspace in Amazon Managed Grafana
1. Open the Amazon Managed Grafana console at https://console.aws.amazon.com/grafana/.
2. Choose Create workspace.
3. For Workspace name, enter a name for the workspace.
Optionally, enter a description for the workspace.
4. Choose Next.
5. For Authentication access, select AWS Single Sign-On (AWS SSO), Security Assertion Markup Language (SAML), or both.
• AWS SSO — If you select AWS SSO and you have not already enabled AWS Single Sign-On in your account, you are prompted to enable it by creating your first AWS SSO user. AWS SSO handles user management for access to Amazon Managed Grafana workspaces.
To enable AWS SSO, follow these steps:
a. Choose Create user.
b. Enter an email address, first name, and last name for the user, and choose Create user. For this tutorial, use the name and email address of the account that you want to use to try out Amazon Managed Grafana. You will receive an email message prompting you to create a password for this account for AWS SSO.
Important
The user that you create does not automatically have access to your Amazon Managed Grafana workspace. You provide the user with access to the workspace in the workspace details page in a later step.
• SAML — If you select SAML, you will complete the SAML setup after the workspace is created.
6. Choose Service managed or Customer managed, and then choose Next.
If you choose Service managed, Amazon Managed Grafana automatically creates the IAM roles and provisions the permissions that you need for the AWS data sources in this account that you choose to use for this workspace.
If you want to manage these roles and permissions yourself, choose Customer managed.
If you are creating a workspace in a member account of an organization, the member account must be a delegated administrator account in the organization for you to be able to choose Service managed. For more information about delegated administrator accounts, see Register a delegated administrator.
7. If you chose Service managed, choose Current account to have Amazon Managed Grafana automatically create policies and permissions that allow it to read AWS data only in the current account.
If you are creating a workspace in the management account or a delegated administrator account in an organization, you can choose Organization to have Amazon Managed Grafana automatically create policies and permissions that allow it to read AWS data in other accounts in the organizational units that you specify. For more information about delegated administrator accounts, see Register a delegated administrator.
Note
Creating resources such as Amazon Managed Grafana workspaces in the management account of an organization is against AWS security best practices.
a. If you chose Organization, and you are prompted to enable AWS CloudFormation StackSets, choose Enable trusted access. Then, add the AWS Organizations organizational units (OUs) that you want Amazon Managed Grafana to read data from. Amazon Managed Grafana can then read data from all accounts in each OU that you choose.
b. If you chose Organization, choose Data sources and notification channels - optional.
8. Select the AWS data sources that you want to query in this workspace. Selecting data sources enables Amazon Managed Grafana to create IAM roles and permissions that allow Amazon Managed Grafana to read data from these sources. You must still add the data sources in the Grafana workspace console.
9. (Optional) If you want Grafana alerts from this workspace to be sent to an Amazon Simple Notification Service (Amazon SNS) notification channel, select Amazon SNS. This enables Amazon Managed Grafana to create an IAM policy to publish to the Amazon SNS topics in your account with TopicName values that start with grafana. This does not completely set up Amazon SNS as a notification channel for the workspace. You can do that within the Grafana console in the workspace.
10. Choose Next.
11. Confirm the workspace details, and choose Create workspace.
The workspace details page appears.
Initially, the Status is CREATING.
Important
Wait until the status is ACTIVE before doing either of the following:
• Completing the SAML setup, if you are using SAML.
• Assigning your AWS SSO users access to the workspace, if you are using AWS SSO.
You might need to refresh your browser to see the current status.
12. If you are using AWS SSO, do the following:
a. In the Authentication tab, choose Assign new user or group.
b. Select the check box next to the user that you want to grant workspace access to, and choose Assign user.
c. Select the check box next to the user, and choose Make admin.
Important
Assign at least one user as Admin for each workspace, in order to sign in to the Grafana workspace console to manage the workspace.
13. If you are using SAML, do the following:
a. In the Authentication tab, under Security Assertion Markup Language (SAML), choose Complete setup.
b. For Import method, do one of the following:
• Choose URL and enter the URL of the IdP metadata.
• Choose Upload or copy/paste. If you are uploading the metadata, choose Choose file and select the metadata file. Or, if you are using copy and paste, copy the metadata into Import the metadata.
c. For Assertion attribute role, enter the name of the SAML assertion attribute from which to extract role information.
d. For Admin role values, either enter the role values from your IdP whose users should be granted the Admin role in the Amazon Managed Grafana workspace, or select I want to opt-out of assigning admins to my workspace.
Note
If you choose I want to opt-out of assigning admins to my workspace, you won't be able to use the console to administer the workspace, including tasks such as managing data sources, users, and dashboard permissions. You can make administrative changes to the workspace only by using Amazon Managed Grafana APIs.
e. (Optional) To enter additional SAML settings, choose Additional settings and complete one or more of the following. All of these fields are optional.
• For Assertion attribute name, specify the name of the attribute within the SAML assertion to use for the full "friendly" names of SAML users.
• For Assertion attribute login, specify the name of the attribute within the SAML assertion to use for the sign-in names of SAML users.
• For Assertion attribute email, specify the name of the attribute within the SAML assertion to use for the email addresses of SAML users.
• For Login validity duration (in minutes), specify how long a SAML user's sign-in is valid before the user must sign in again. The default is 1 day, and the maximum is 30 days.
• For Assertion attribute organization, specify the name of the attribute within the SAML assertion to use for the "friendly" name for user organizations.
• For Assertion attribute groups, specify the name of the attribute within the SAML assertion to use for the "friendly" name for user groups.
• For Allowed organizations, you can limit user access to only the users who are members of certain organizations in the IdP. Enter one or more organizations to allow, separating them with commas.
• For Editor role values, enter the role values from your IdP whose users should be granted the Editor role in the Amazon Managed Grafana workspace. Enter one or more roles, separated by commas.
f. Choose Save SAML configuration.
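As an added illustration, not Amazon Managed Grafana's code and not part of this guide, the following Python models how the step 13 fields (Assertion attribute role, Admin role values, Editor role values, Assertion attribute organization, Allowed organizations) combine to decide a SAML user's role; the attribute names and role values are constructed, and treating users who match neither role list as Viewer is an assumption of this model.

```python
"""Model of the SAML role mapping configured in step 13.

Added example only: the workspace performs this mapping itself.
Attribute names and role values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SamlRoleConfig:
    role_attribute: str                               # "Assertion attribute role"
    admin_values: set = field(default_factory=set)    # "Admin role values"
    editor_values: set = field(default_factory=set)   # "Editor role values"
    org_attribute: Optional[str] = None               # "Assertion attribute organization"
    allowed_orgs: set = field(default_factory=set)    # "Allowed organizations"


def parse_role_values(raw: str) -> set:
    """Split a comma-separated console field into a set of values."""
    return {v.strip() for v in raw.split(",") if v.strip()}


def attribute_values(assertion: dict, name: str) -> set:
    """SAML attributes may be multi-valued; normalise str or list to a set."""
    value = assertion.get(name, [])
    return {value} if isinstance(value, str) else set(value)


def map_role(cfg: SamlRoleConfig, assertion: dict) -> Optional[str]:
    """Return "Admin", "Editor" or "Viewer", or None when sign-in is refused.

    Allowed organizations are checked first. The most privileged matching
    role wins. An empty admin list (the opt-out option) means nobody maps
    to Admin. Users matching neither list fall back to Viewer (assumption).
    """
    if cfg.allowed_orgs:
        if cfg.org_attribute is None:
            return None  # restriction configured but no attribute to read
        orgs = attribute_values(assertion, cfg.org_attribute)
        if not orgs & cfg.allowed_orgs:
            return None
    roles = attribute_values(assertion, cfg.role_attribute)
    if roles & cfg.admin_values:
        return "Admin"
    if roles & cfg.editor_values:
        return "Editor"
    return "Viewer"
```

With an empty Admin role values list (the opt-out choice), the model shows why no SAML user can reach the console's administrative pages.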
14. In the workspace details page, choose the URL displayed under Grafana workspace URL.
15. Choosing the workspace URL takes you to the landing page for the Grafana workspace console. Do one of the following:
• Choose Sign in with SAML, and enter the user name and password.
• Choose Sign in with AWS SSO, and enter the email address and password of the user that you created earlier in this procedure. These credentials only work if you have responded to the email