How do I troubleshoot errors with cross-account dashboard sharing in CloudWatch?

Last updated: 2022-05-05

I want to share my Amazon CloudWatch dashboard with another AWS account using cross-account dashboard sharing. How can I troubleshoot and resolve errors I receive when using cross-account dashboard sharing?

Short description

You can create cross-account or cross-Region dashboards to share your CloudWatch data with multiple AWS accounts and across multiple AWS Regions. There are a number of reasons that you might run into issues when sharing a dashboard created in one account with another account using Account or Organization IDs. You might experience one of the following issues:

  • The monitoring account user can't view or select the Account ID in the sharing account to view the dashboard.
  • The monitoring user receives an error similar to the following when accessing the dashboard due to permissions issues in the sharing account:
    • Failed to retrieve alarms errors
    • Resource groups could not be retrieved errors
    • Unauthorized user errors

Resolution

In these examples, one account is sharing a dashboard with another account using Account IDs or Organization IDs. The sharing account has the ID 111111111111. The monitoring account has the account ID 999999999999.

Issues viewing the Account ID to view a dashboard from a monitoring account

To view and select the dashboard that's being shared, you must enable an account selector for every AWS Identity and Access Management (IAM) user in the monitoring account. Account ID selectors are only visible for IAM users who have enabled an account selector in their CloudWatch settings. For more information on enabling an account selector in CloudWatch, see Enabling cross-account functionality in CloudWatch.

Errors received when accessing custom dashboards from a monitoring account

You might encounter one of the following errors when you attempt to access a custom dashboard from a monitoring account.

  • When accessing the Overview page in the CloudWatch console:

    "Failed to retrieve alarms ; You don't have permissions to perform the following operations: CloudWatch:DescribeAlarms. Contact your administrator if you need help. If you are an administrator, you can provide permissions for your users or groups by creating IAM policies."

  • When accessing the cross-service dashboard from a shared account:

    "Unable to select any Resource Group in the 'Filter by resource group' dropdown. It errs out with: 'Resource groups could not be retrieved'"

  • When opening a custom dashboard from a shared account:

    "User: arn:aws:sts::999999999999:assumed-role/AWSServiceRoleForCloudWatchCrossAccount/CloudWatchConsole is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/CloudWatch-CrossAccountSharingRole"

    or

    "User: arn:aws:sts::999999999999:assumed-role/CloudWatch-CrossAccountSharingRole/CloudWatchConsole is not authorized to perform: cloudwatch:ListDashboards on resource: arn:aws:cloudwatch::111111111111:dashboard/* because no identity-based policy allows the cloudwatch:ListDashboards action"

These errors occur because of permissions issues in the role that was created in the sharing account. Be sure that the sharing account meets these criteria:

  • The CloudWatch-CrossAccountSharingRole is present.
  • The sharing account has the correct trust policies, as detailed in Enabling cross-account functionality in CloudWatch.
  • The CloudWatch-CrossAccountSharingRole has these policies attached:
    • CloudWatchReadOnlyAccess
    • CloudWatchAutomaticDashboardsAccess - This policy is missing if you cleared the Include CloudWatch automatic dashboards option during dashboard sharing.
    • AWSXrayReadOnlyAccess - This policy is missing if you cleared the Include X-Ray read-only access for ServiceLens option during dashboard sharing.
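The checklist above can be run offline against the JSON that `aws iam get-role` and `aws iam list-attached-role-policies` return for the sharing role. The following is an added example, not code from the AWS article; the role and policy documents it contains are constructed samples, and the option names (automatic_dashboards, xray_servicelens) are this example's own labels for the two sharing options.

```python
import json

# Managed policies the article lists for the sharing role; a None value means
# always required, otherwise the sharing option that makes the policy required.
MANAGED = {
    "CloudWatchReadOnlyAccess": None,
    "CloudWatchAutomaticDashboardsAccess": "automatic_dashboards",
    "AWSXrayReadOnlyAccess": "xray_servicelens",
}

def as_list(value):
    """IAM documents allow a single string/object or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def check_sharing_role(role, attached, monitoring_account, options):
    """Compare the role against the checklist; an empty result means it passes.
    role/attached: parsed output of `aws iam get-role` / `list-attached-role-policies`.
    options: sharing options left enabled, a subset of the values in MANAGED."""
    findings = []
    attached_names = {p["PolicyName"] for p in attached["AttachedPolicies"]}
    for name, option in MANAGED.items():
        if (option is None or option in options) and name not in attached_names:
            findings.append(f"managed policy {name} is not attached")
    # The trust policy must let the monitoring account call sts:AssumeRole.
    trusted = False
    for stmt in as_list(role["Role"]["AssumeRolePolicyDocument"].get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws_principals = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if any(monitoring_account in p for p in aws_principals):
            trusted = True
    if not trusted:
        findings.append(f"trust policy does not let account {monitoring_account} assume the role")
    return findings

# Constructed sample: the role trusts the monitoring account 999999999999, but the
# X-Ray policy was never attached (the ServiceLens option was cleared by mistake).
ROLE = json.loads("""{"Role": {"RoleName": "CloudWatch-CrossAccountSharingRole",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Action": "sts:AssumeRole"}]}}}""")
ATTACHED = json.loads("""{"AttachedPolicies": [
  {"PolicyName": "CloudWatchReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"},
  {"PolicyName": "CloudWatchAutomaticDashboardsAccess",
   "PolicyArn": "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess"}]}""")

if __name__ == "__main__":
    for f in check_sharing_role(ROLE, ATTACHED, "999999999999", {"automatic_dashboards", "xray_servicelens"}):
        print("FINDING:", f)
```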

Limit users from a monitoring account to access specific dashboards

The ListDashboards API call lists all dashboards shared across accounts, but it doesn't support resource-specific permissions. The GetDashboard API call does support resource-specific permissions, so you can limit which shared dashboards can be described or opened from the monitoring account. The following example policy, attached to the CloudWatch-CrossAccountSharingRole in the sharing account, allows GetDashboard only on the dashboard named dashboard-name while allowing the listing and read-only actions on all resources:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "cloudwatch:GetDashboard",
      "Resource": "arn:aws:cloudwatch::111111111111:dashboard/dashboard-name"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetInsightRuleReport",
        "cloudwatch:GetMetricWidgetImage",
        "cloudwatch:ListMetrics",
        "cloudwatch:ListTagsForResource",
        "cloudwatch:ListDashboards",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:Describe*",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "sns:Get*",
        "sns:List*"
      ],
      "Resource": "*"
    }
  ]
}

With this policy attached, you can still list all dashboards. But if you try to open a dashboard that isn't named in the policy, you see an error such as:

User: arn:aws:sts::111111111111:assumed-role/CloudWatch-CrossAccountSharingRole/CloudWatchConsole is not authorized to perform: cloudwatch:GetDashboard on resource: arn:aws:cloudwatch::111111111111:dashboard/test
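To show why the policy above lets the role list every dashboard but open only dashboard-name, here is an added example (not code from the AWS article) that models the Allow-only, identity-policy part of IAM evaluation: wildcard matching of actions and resources with implicit deny. It uses a condensed copy of the policy and reproduces the denial text in the article's format; explicit Deny statements, conditions, SCPs and resource policies are deliberately outside this simplified model.

```python
import fnmatch

# Condensed copy of the policy above: only the actions the error messages mention
# are kept (the longer action list in the article does not change the outcome).
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "cloudwatch:GetDashboard",
         "Resource": "arn:aws:cloudwatch::111111111111:dashboard/dashboard-name"},
        {"Effect": "Allow",
         "Action": ["cloudwatch:Describe*", "cloudwatch:ListDashboards", "logs:Get*"],
         "Resource": "*"},
    ],
}
PRINCIPAL = "arn:aws:sts::111111111111:assumed-role/CloudWatch-CrossAccountSharingRole/CloudWatchConsole"

def as_list(value):
    """IAM allows a single string/object or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def iam_match(pattern, value, case_sensitive):
    """IAM wildcards ('*' any run, '?' one char); actions are case-insensitive, ARNs are not."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Simplified model: implicit deny unless an Allow statement matches both the
    action and the resource (no Deny statements, conditions, SCPs or resource policies)."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(iam_match(p, action, False) for p in as_list(stmt.get("Action")))
        resource_ok = any(iam_match(p, resource, True) for p in as_list(stmt.get("Resource")))
        if action_ok and resource_ok:
            return True
    return False

def console_call(policy, action, resource, principal=PRINCIPAL):
    """None when the call is allowed, otherwise the AccessDenied text in the article's format."""
    if is_allowed(policy, action, resource):
        return None
    return f"User: {principal} is not authorized to perform: {action} on resource: {resource}"

if __name__ == "__main__":
    dashboards = "arn:aws:cloudwatch::111111111111:dashboard/"
    for action, resource in [("cloudwatch:ListDashboards", dashboards + "*"),
                             ("cloudwatch:GetDashboard", dashboards + "dashboard-name"),
                             ("cloudwatch:GetDashboard", dashboards + "test")]:
        print(action, resource, "->", console_call(POLICY, action, resource) or "allowed")
```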

Issues launching the CloudFormation stack to create the required CloudWatch-CrossAccountSharingRole in the sharing account

Be sure that you have these policies associated with the IAM role in the sharing account when you use cross-account dashboard sharing:

  • AWSCloudFormationFullAccess
  • IAMFullAccess

These permissions allow you to launch the CloudFormation stack that creates the IAM roles you need for cross-account dashboard sharing.

Use Terraform/CloudFormation/AWS CLI to create cross-account dashboard sharing setup

When you set up a sharing account to use cross-account functions, CloudWatch deploys an AWS CloudFormation template. If you manage your infrastructure with Terraform, convert this CloudFormation template into the corresponding Terraform configuration; this lets you enable cross-account data sharing from your own tooling.

To allow your monitoring account to view cross-account data in CloudWatch, enable an account selector using the console. This is a per-user setting and isn't managed at account level. For more information on configuring this setting, see Enabling cross-account functionality in CloudWatch.
