Amazon Managed Service for Prometheus (AMP) Integration

Set up AWS SigV4

To enable Grafana to take advantage of Amazon Managed Service for Prometheus authentication and authorization capabilities, you will need to enable SigV4 authentication support in the Grafana data source by following these steps:

  1. In the custom values.yaml file, add the following config under grafana:

    grafana:
      env:
        AWS_SDK_LOAD_CONFIG: true
        GF_AUTH_SIGV4_AUTH_ENABLED: true

  2. Do a helm upgrade for changes to take effect.

    helm upgrade --create-namespace --install kfuse . -f <custom_values.yaml>

Create an IAM Query Role

Grafana will need to assume a role to query Amazon Managed Service for Prometheus. To do so, follow these steps:

  1. Create an IAM role with the custom trust policy configuration below. Add the Node IAM Role ARN of the node group that Kloudfuse is running on as the Principal on the Account.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::ACCOUNT-NUMBER:role/eksctl-XXXXX-nodegroup-ng-XXXXXX-NodeInstanceRole-XXXXXXXXXX"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  2. Attach the AmazonPrometheusQueryAccess policy to the role.

  3. The Node IAM Role of the node group that Kloudfuse is running on also needs to have the trust relationship as below.
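The following is an added example, not part of the Kloudfuse documentation or AWS tooling: a Python check for the query role's trust policy from step 1 that reports any Allow statement trusting more than specific IAM role ARNs, or permitting actions other than sts:AssumeRole. The function name, account ID and role names are constructed for illustration.

```python
import json
import re

# One IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path/name>
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

def _as_list(value):
    """IAM accepts a scalar or a list in these fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json):
    """Return findings; an empty list means every Allow statement trusts
    only specific role ARNs and only for sts:AssumeRole."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen who may assume the role
        actions = _as_list(stmt.get("Action", []))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"{sid}: actions {actions} go beyond sts:AssumeRole")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"{sid}: Principal must be a single 'AWS' entry, got {principal!r}")
            continue
        for arn in _as_list(principal["AWS"]):
            if arn.endswith(":root") or re.fullmatch(r"\d{12}", arn):
                findings.append(f"{sid}: {arn} trusts the whole account, not one role")
            elif not ROLE_ARN.match(arn):
                findings.append(f"{sid}: {arn!r} is not a specific role ARN")
    return findings

# Constructed samples (account ID and role names are placeholders, not real resources).
NODE_ROLE = "arn:aws:iam::111122223333:role/eksctl-demo-nodegroup-ng-NodeInstanceRole-EXAMPLE"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Statement1", "Effect": "Allow",
    "Principal": {"AWS": NODE_ROLE}, "Action": "sts:AssumeRole"}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["sts:AssumeRole", "sts:TagSession"]}]})

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_trust_policy(doc) or "OK")
```

Run it against the trust policy document before creating the role; a policy shaped like the one in step 1, with the real node role ARN filled in, should produce no findings.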

Configure Grafana Datasource

  1. On the Kloudfuse Grafana sidebar, go to Home > Connections > Data Sources.

  2. Click “Add new data source” and choose “Prometheus”.

  3. For the Prometheus Server URL, specify the Endpoint - query URL displayed in the workspace summary page in the Amazon Managed Service for Prometheus console.

  4. In the HTTP URL that you just specified, remove the /api/v1/query string that is appended to the URL, because the Prometheus data source will automatically append it.

    The correct URL should look similar to https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

  5. For the authentication method, select “SigV4”.

  6. Configure SigV4 Auth Details:

    1. For Authentication Provider choose AWS SDK Default.

    2. For Assume Role ARN, provide the ARN of the query role created above.

    3. For Default Region, choose the Region of your Amazon Managed Service for Prometheus workspace. This Region should match the Region contained in the URL that you listed.

    4. Choose Save & Test. You should see the following message: “Data source is working”