Amazon Managed Service for Prometheus (AMP) Integration
Set up AWS SigV4
To enable Grafana to take advantage of Amazon Managed Service for Prometheus authentication and authorization capabilities, you will need to enable SigV4 authentication support in the Grafana data source by following these steps:
In the custom values.yaml file, add the following config under grafana:
grafana:
  env:
    AWS_SDK_LOAD_CONFIG: true
    GF_AUTH_SIGV4_AUTH_ENABLED: true
Run a helm upgrade for the changes to take effect.
helm upgrade --create-namespace --install kfuse . -f <custom_values.yaml>
Create an IAM Query Role
Grafana will need to assume a role to query Amazon Managed Service for Prometheus. To do so, follow these steps:
Create an IAM role with the custom trust policy configuration below. Add the IAM role of the node group on which Kloudfuse is running (the Node IAM Role ARN) as the Principal.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-NUMBER:role/eksctl-XXXXX-nodegroup-ng-XXXXXX-NodeInstanceRole-XXXXXXXXXX"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Attach the AmazonPrometheusQueryAccess policy to the role.
The IAM role of the node group on which Kloudfuse is running (the Node IAM Role ARN) also needs to have the trust relationship as below.
Configure Grafana Datasource
On the Kloudfuse Grafana sidebar, go to Home > Connections > Data Sources.
Click “Add new data source” and choose “Prometheus”.
For the Prometheus Server URL, specify the Endpoint - query URL displayed in the workspace summary page in the Amazon Managed Service for Prometheus console.
In the HTTP URL that you just specified, remove the /api/v1/query string that is appended to the URL, because the Prometheus data source will automatically append it.
The correct URL should look similar to https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
For the authentication method, select “SigV4”.
Configure SigV4 Auth Details
For Authentication Provider choose AWS SDK Default.
For Assume Role ARN, provide the ARN of the query role created in the Create an IAM Query Role section.
For Default Region, choose the Region of your Amazon Managed Service for Prometheus workspace. This Region should match the Region contained in the URL that you listed.
Choose Save & Test. You should see the following message: “Data source is working”
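A pre-flight check for the settings above, added here as an example (it is not Kloudfuse or AWS code): it flags a query-role trust policy whose Principal is anything other than one concrete IAM role ARN, including an unfilled ACCOUNT-NUMBER placeholder, and derives the Prometheus Server URL from the console's query endpoint while confirming the Default Region matches. The function names and the sample account ID and role name are assumptions made for the example.

```python
import json
import re
from urllib.parse import urlparse

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
AMP_HOST = re.compile(r"^aps-workspaces\.([a-z0-9-]+)\.amazonaws\.com$")
QUERY_SUFFIX = "/api/v1/query"

def as_list(value):
    # IAM policy fields may hold either a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)

def check_trust_policy(policy_json):
    """Return findings for sts:AssumeRole principals that are not one concrete role ARN."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in as_list(arns):
            if not ROLE_ARN.match(arn):
                findings.append(f"{stmt.get('Sid', '?')}: {arn!r} is not a concrete IAM role ARN")
    return findings

def prometheus_server_url(query_endpoint, default_region):
    """Strip the suffix the data source appends itself and confirm the SigV4 region matches."""
    url = query_endpoint.strip().rstrip("/")
    if url.endswith(QUERY_SUFFIX):
        url = url[: -len(QUERY_SUFFIX)]
    parsed = urlparse(url)
    host = AMP_HOST.match(parsed.hostname or "")
    if parsed.scheme != "https" or host is None:
        raise ValueError(f"not an AMP workspace endpoint: {url}")
    if host.group(1) != default_region:
        raise ValueError(f"Default Region {default_region} does not match URL region {host.group(1)}")
    return url

# Constructed sample inputs: the account ID and role name are placeholders.
SCOPED = ('{"Version":"2012-10-17","Statement":[{"Sid":"Statement1","Effect":"Allow",'
          '"Principal":{"AWS":"arn:aws:iam::111122223333:role/example-node-instance-role"},'
          '"Action":"sts:AssumeRole"}]}')
BROAD = SCOPED.replace("role/example-node-instance-role", "root")  # whole account trusted
ENDPOINT = ("https://aps-workspaces.us-west-2.amazonaws.com/workspaces/"
            "ws-1234a5b6-78cd-901e-2fgh-3i45j6k178l9/api/v1/query")

if __name__ == "__main__":
    print(check_trust_policy(SCOPED))
    print(check_trust_policy(BROAD))
    print(prometheus_server_url(ENDPOINT, "us-west-2"))
```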