Using AWS SSO with your Amazon Managed Grafana workspace
Amazon Managed Grafana integrates with AWS SSO to provide identity federation for your workforce. Using Amazon Managed Grafana and AWS SSO, users are redirected to their existing company directory to sign in with their existing credentials. Then, they are seamlessly signed in to their Amazon Managed Grafana workspace. This ensures that security settings such as password policies and two-factor authentication are enforced. Using AWS SSO does not impact your existing IAM configuration.
If you do not have an existing user directory or prefer not to federate, AWS SSO offers an integrated user directory that you can use to create users and groups for Amazon Managed Grafana. Amazon Managed Grafana does not support the use of IAM users and roles to assign permissions within an Amazon Managed Grafana workspace.
For more information about AWS SSO, see What is AWS Single Sign-On. For more information about getting started with AWS SSO, see Getting started.
To use AWS SSO, you must also have AWS Organizations activated for the account. If needed, Amazon Managed Grafana can activate Organizations for you when you create your first workspace that is configured to use AWS SSO.
Required permissions for scenarios using AWS SSO
This section explains the policies that are required for several scenarios for using Amazon Managed Grafana with AWS SSO.
Grafana administrator in a management account using AWS SSO
To grant an IAM user or an IAM role the permissions to create and manage Amazon Managed Grafana workspaces across an entire organization, and to enable dependencies such as AWS SSO, assign the AWSGrafanaAccountAdministrator, AWSSSOMasterAccountAdministrator and the AWSSSODirectoryAdministrator policies to that IAM user or IAM role. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the AWSMarketplaceManageSubscriptions IAM policy or the equivalent permissions.
If you want to use service-managed permissions when you create an Amazon Managed Grafana workspace, the user who creates the workspace must also have the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions. These are required to use AWS CloudFormation StackSets to deploy policies that enable you to read data sources in the organization's accounts.
Granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role. Be very careful about who you grant these permissions to.
To see the permissions granted to AWSGrafanaAccountAdministrator, see AWS managed policy: AWSGrafanaAccountAdministrator.
Grafana administrator in a member account using AWS SSO
To grant an IAM user or an IAM role permission to create and manage Amazon Managed Grafana workspaces in a member account of an organization, assign the AWSGrafanaAccountAdministrator, AWSSSOMemberAccountAdministrator and the AWSSSODirectoryAdministrator policies to that IAM user or IAM role. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the AWSMarketplaceManageSubscriptions IAM policy or the equivalent permissions.
If you want to use service-managed permissions when you create an Amazon Managed Grafana workspace, the user who creates the workspace must also have the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions. These are required to enable the user to read data sources in the account.
Granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role. Be very careful about who you grant these permissions to.
To see the permissions granted to AWSGrafanaAccountAdministrator, see AWS managed policy: AWSGrafanaAccountAdministrator.
Create and manage Amazon Managed Grafana workspaces and users in a single standalone account using AWS SSO
A standalone AWS account is an account that is not yet a member of an organization. For more information about organizations, see What is AWS Organizations?
To grant an IAM user or an IAM role permission to create and manage Amazon Managed Grafana workspaces and users in a standalone account, assign the AWSGrafanaAccountAdministrator, AWSSSOMasterAccountAdministrator, AWSOrganizationsFullAccess and AWSSSODirectoryAdministrator policies to that IAM user or IAM role. Additionally, to upgrade an Amazon Managed Grafana workspace to Grafana Enterprise, a user must have the AWSMarketplaceManageSubscriptions IAM policy or the equivalent permissions.
Granting a user the iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions gives that user full administrative access to your AWS account. For example, a user with these permissions can create a policy that has full permissions for all resources, and attach that policy to any role. Be very careful about who you grant these permissions to.
To see the permissions granted to AWSGrafanaAccountAdministrator, see AWS managed policy: AWSGrafanaAccountAdministrator.
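All three scenarios above warn that iam:CreateRole, iam:CreatePolicy and iam:AttachRolePolicy together amount to full administrative access. The following added example (not code from AWS or from this guide) is a small offline reviewer that reads an IAM policy document and reports whether it grants that combination, expanding wildcard actions such as iam:* and honouring unconditional Deny statements; the sample policy is constructed for the example.

```python
import fnmatch
import json

# Constructed sample: an inline policy of the kind the page warns about.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy"],
     "Resource": "*"}
  ]
}""")

# The three actions the page calls out: together they let a principal mint a
# full-access policy and attach it to any role.
ESCALATION_ACTIONS = ("iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, wanted=ESCALATION_ACTIONS):
    """Return the subset of `wanted` that the policy effectively allows.

    Action patterns are matched case-insensitively with IAM-style wildcards
    ('*' and '?'), so 'iam:*' or '*' count as granting all three. A Deny
    statement removes an action only when it carries no Condition; a
    conditional Deny is treated as not applying, which errs on the side of
    flagging the policy (the conservative choice for a reviewer).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        if effect == "Deny" and stmt.get("Condition"):
            continue
        bucket = allowed if effect == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            for action in wanted:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    bucket.add(action)
    return allowed - denied


def grants_full_admin_path(policy):
    """True when the policy allows all three escalation actions."""
    return allowed_actions(policy) == set(ESCALATION_ACTIONS)
```

Run it over each customer-managed and inline policy attached to the principal that will create workspaces; a True result is the signal to narrow the grant or move the principal under stricter review.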