Creating a dashboard IAM role - Amazon IoT TwinMaker

Creating a dashboard IAM role

With Amazon IoT TwinMaker, you can control data access on your Grafana dashboards. Different Grafana dashboard users should have different permission scopes to view data and, in some cases, to write data. For example, an alarm operator might not have permission to view video, while an admin has permission for all resources. Grafana defines these permissions through datasources, which are configured with credentials and an IAM role. The Amazon IoT TwinMaker datasource assumes that role and fetches Amazon credentials scoped to the role's permissions. If no IAM role is provided, Grafana uses the full scope of the configured credentials, which Amazon IoT TwinMaker can't reduce.

To use your Amazon IoT TwinMaker dashboards in Grafana, you create an IAM role and attach policies. You can use the following templates to help you create these policies.

Create an IAM policy

Create an IAM policy called YourWorkspaceIdDashboardPolicy in the IAM Console. This policy gives the dashboard role read access to the workspace's Amazon S3 bucket and to its Amazon IoT TwinMaker resources. If you also use the Amazon IoT Greengrass Edge Connector for Amazon Kinesis Video Streams, the policy needs additional permissions for the Kinesis Video Streams and Amazon IoT SiteWise assets configured for the component. To fit your use case, choose one of the following policy templates.

1. No video permissions policy

If you don't want to use the Grafana Video Player panel, create the policy using the following template.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketName/*",
                "arn:aws:s3:::bucketName"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iottwinmaker:Get*",
                "iottwinmaker:List*"
            ],
            "Resource": [
                "arn:aws:iottwinmaker:region:accountId:workspace/workspaceId",
                "arn:aws:iottwinmaker:region:accountId:workspace/workspaceId/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iottwinmaker:ListWorkspaces",
            "Resource": "*"
        }
    ]
}

An Amazon S3 bucket is created for each workspace. It contains the 3D models and scenes to view on a dashboard, and the SceneViewer panel loads items from this bucket. Note that s3:GetObject applies to object ARNs only; the bare bucket ARN in the template is harmless but grants nothing by itself, and listing the bucket would require s3:ListBucket, which the template does not grant.

2. Scoped down video permissions policy

To limit access on the Video Player panel in Grafana, group your Amazon IoT Greengrass Edge Connector for Amazon Kinesis Video Streams resources by tags. For more information about scoping down permissions for your video resources, see Creating an Amazon IoT TwinMaker video player policy.

3. All video permissions

If you don't want to group your videos, you can make them all accessible from the Grafana Video Player. Anyone with access to the Grafana workspace can then play video from any Kinesis Video Streams stream in your account and has read-only access to every Amazon IoT SiteWise asset. This includes any resources that are created in the future.

Create the policy with the following template:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketName/*",
                "arn:aws:s3:::bucketName"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iottwinmaker:Get*",
                "iottwinmaker:List*"
            ],
            "Resource": [
                "arn:aws:iottwinmaker:region:accountId:workspace/workspaceId",
                "arn:aws:iottwinmaker:region:accountId:workspace/workspaceId/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iottwinmaker:ListWorkspaces",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesisvideo:GetDataEndpoint",
                "kinesisvideo:GetHLSStreamingSessionURL"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:GetAssetPropertyValue",
                "iotsitewise:GetInterpolatedAssetPropertyValues"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:BatchPutAssetPropertyValue"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/EdgeConnectorForKVS": "*workspaceId*"
                }
            }
        }
    ]
}

This policy template provides the following permissions:

  • Read only access to an S3 bucket to load a scene.

  • Read only access to Amazon IoT TwinMaker for all entities and components in a workspace.

  • Read only access to stream all Kinesis Video Streams videos in your account.

  • Read only access to the current and interpolated property values of all Amazon IoT SiteWise assets in your account (GetAssetPropertyValue and GetInterpolatedAssetPropertyValues).

  • Data ingestion (BatchPutAssetPropertyValue) into any property of an Amazon IoT SiteWise asset tagged with the key EdgeConnectorForKVS and a value that contains workspaceId.

Tagging your camera Amazon IoT SiteWise asset to request video upload from the edge

Using the Video Player in Grafana, users can manually request that video is uploaded from the edge cache to Kinesis Video Streams. You can turn on this feature for any Amazon IoT SiteWise asset that is associated with your Amazon IoT Greengrass Edge Connector for Amazon Kinesis Video Streams and that is tagged with the key EdgeConnectorForKVS.

The tag value can be a list of workspaceIds delimited by any of the following characters: . : + = @ _ / -. For example, if you want to use an Amazon IoT SiteWise asset associated with an Amazon IoT Greengrass Edge Connector for Amazon Kinesis Video Streams across several Amazon IoT TwinMaker workspaces, you can use a tag value that follows this pattern: WorkspaceA/WorkspaceB/WorkspaceC. The Grafana plugin enforces that the Amazon IoT TwinMaker workspaceId is used to group Amazon IoT SiteWise asset data ingestion. Be aware that the IAM condition in the policy template uses StringLike with the pattern *workspaceId*, which is a case-sensitive substring match: a tag value containing a longer ID of which yours is a prefix (WorkspaceA inside WorkspaceAB) also satisfies the condition. If you share connectors across workspaces, choose workspace IDs that are not substrings of one another.

Add more permissions to your dashboard policy

The Amazon IoT TwinMaker Grafana plugin uses your authentication provider to call AssumeRole on the dashboard role you create. Internally, the plugin caps the permissions of the assumed session by passing a session policy in the AssumeRole call. For more information about session policies, see Session policies.

This is the maximum permissive policy you can have on your dashboard role for an Amazon IoT TwinMaker workspace:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketName/*",
                "arn:aws:s3:::bucketName"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iottwinmaker:Get*",
                "iottwinmaker:List*"
            ],
            "Resource": [
                "arn:aws:iottwinmaker:region:accountId:workspace/workspaceId",
                "arn:aws:iottwinmaker:region:accountId:workspace/workspaceId/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iottwinmaker:ListWorkspaces",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesisvideo:GetDataEndpoint",
                "kinesisvideo:GetHLSStreamingSessionURL"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:GetAssetPropertyValue",
                "iotsitewise:GetInterpolatedAssetPropertyValues"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:BatchPutAssetPropertyValue"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/EdgeConnectorForKVS": "*workspaceId*"
                }
            }
        }
    ]
}

The effective permissions of a session are the intersection of the role's identity-based policies and the session policy, so any statements you add to the dashboard role that Allow more than this template are never exercised by the Amazon IoT TwinMaker plugin. This is by design, so that the plugin always runs with the minimum permissions it needs.

However, you can scope down permissions further. For information, see Creating an Amazon IoT TwinMaker video player policy.
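The two behaviours that determine what this role can actually do, the StringLike tag condition on BatchPutAssetPropertyValue and the session-policy intersection applied at AssumeRole, are easy to get wrong by reading the JSON alone. The following is an added example, not code from the AWS documentation or the Grafana plugin: a small offline model of IAM evaluation that fills in the page's "all video permissions" template with constructed sample values (region, account ID, workspace ID, bucket and asset ARN are all made up) and checks which requests pass. It assumes, as the page states, that the plugin's session policy is the maximum policy shown above. It models Allow statements, action and resource wildcards and aws:ResourceTag StringLike conditions only; explicit Deny and other condition operators are left out.

```python
import re


def _listify(x):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return x if isinstance(x, list) else [x]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' one
    character, everything else is literal and case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def statement_allows(stmt, action, resource, tags):
    """One Allow statement: the action (case-insensitive), the resource ARN and any
    aws:ResourceTag/* StringLike condition must all match. Deny is not modelled."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(string_like(a.lower(), action.lower()) for a in _listify(stmt["Action"])):
        return False
    if not any(string_like(r, resource) for r in _listify(stmt["Resource"])):
        return False
    for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
        if key.startswith("aws:ResourceTag/"):
            tag_value = tags.get(key[len("aws:ResourceTag/"):])
            if tag_value is None or not any(string_like(p, tag_value) for p in _listify(patterns)):
                return False
    return True


def policy_allows(policy, action, resource, tags=None):
    return any(statement_allows(s, action, resource, tags or {}) for s in policy["Statement"])


def effective_allow(identity_policy, session_policy, action, resource, tags=None):
    """AssumeRole with a session policy: the session can do only what BOTH the
    role's identity policy and the session policy allow."""
    return (policy_allows(identity_policy, action, resource, tags)
            and policy_allows(session_policy, action, resource, tags))


def dashboard_policy(region, account_id, workspace_id, bucket):
    """The page's 'all video permissions' template with its placeholders filled in."""
    ws = f"arn:aws:iottwinmaker:{region}:{account_id}:workspace/{workspace_id}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow", "Action": ["iottwinmaker:Get*", "iottwinmaker:List*"],
         "Resource": [ws, f"{ws}/*"]},
        {"Effect": "Allow", "Action": "iottwinmaker:ListWorkspaces", "Resource": "*"},
        {"Effect": "Allow", "Action": ["kinesisvideo:GetDataEndpoint",
                                       "kinesisvideo:GetHLSStreamingSessionURL"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iotsitewise:GetAssetPropertyValue",
                                       "iotsitewise:GetInterpolatedAssetPropertyValues"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iotsitewise:BatchPutAssetPropertyValue"], "Resource": "*",
         "Condition": {"StringLike": {"aws:ResourceTag/EdgeConnectorForKVS": f"*{workspace_id}*"}}},
    ]}


# Constructed sample values; none of these are real identifiers.
REGION, ACCOUNT, WORKSPACE, BUCKET = "us-east-1", "123456789012", "WorkspaceA", "workspacea-scene-bucket"
# Assumption from the page: the plugin's session policy is the maximum policy template.
SESSION_POLICY = dashboard_policy(REGION, ACCOUNT, WORKSPACE, BUCKET)
# A dashboard role someone widened beyond the template with a blanket SiteWise Allow.
WIDENED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": SESSION_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": "iotsitewise:*", "Resource": "*"}]}
ASSET_ARN = f"arn:aws:iotsitewise:{REGION}:{ACCOUNT}:asset/camera-asset-1"  # constructed

if __name__ == "__main__":
    put = "iotsitewise:BatchPutAssetPropertyValue"
    # Tag values: shared across workspaces, a longer ID with WorkspaceA as prefix,
    # wrong case, and untagged. Only the third and fourth are refused.
    for tag in ("WorkspaceA/WorkspaceB", "WorkspaceAB", "workspacea", None):
        tags = {"EdgeConnectorForKVS": tag} if tag else {}
        print(f"tag={tag!r:<24} ingest allowed: {policy_allows(SESSION_POLICY, put, ASSET_ARN, tags)}")
    # The widened role allows CreateAsset, but the session policy does not, so the plugin can't.
    print("CreateAsset via plugin:",
          effective_allow(WIDENED_ROLE_POLICY, SESSION_POLICY, "iotsitewise:CreateAsset", "*"))
```

Running the block prints that ingestion is allowed for the tag values WorkspaceA/WorkspaceB and WorkspaceAB (the substring match), refused for workspacea and for an untagged asset, and that the extra iotsitewise:* Allow on the role never becomes effective through the plugin's session. Use the same functions to check a candidate policy change before deploying it: if policy_allows on the session policy is False, adding the permission to the role alone will not help.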

Creating the Grafana Dashboard IAM role

In the IAM Console, create an IAM role called YourWorkspaceIdDashboardRole. Attach the YourWorkspaceIdDashboardPolicy to the role.

Edit the trust policy of the dashboard role so that the Grafana authentication provider (the IAM principal your Grafana environment runs as) is allowed to call AssumeRole on it. Update the trust policy with the following template, replacing the placeholder with that principal's ARN:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "ARN of Grafana authentication provider"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

For more information about creating a Grafana environment and finding your authentication provider, see Setting up your Grafana environment.