Cloudwatch: Add Documentation on Temporary Credentials #75178

Merged
merged 34 commits into from
Oct 3, 2023


sarahzinger
Member

What is this feature?

Documenting our new Temporary Credentials feature currently in Private Preview in Grafana Cloud

Why do we need this feature?

Currently all Grafana Cloud customers who want to access the CloudWatch Data source are required to create and rotate Secret and Access keys for all of their CloudWatch Datasource instances in Grafana, which can sometimes be a bit of a chore/pain point.

This feature instead allows customers to create IAM Roles that permit the Grafana Account to assume with STS. Grafana will then get temporary credentials to access customer data.

Who is this feature for?

Grafana Cloud Customers

Please check that:

  • It works as expected from a user's perspective.
  • If this is a pre-GA feature, it is behind a feature toggle.
  • The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

@sarahzinger sarahzinger added type/docs Flags the technical writing team for documentation support; auto adds to org-wide docs project no-backport Skip backport of PR add to what's new labels Sep 20, 2023
@grafana-delivery-bot grafana-delivery-bot bot added this to the 10.2.x milestone Sep 20, 2023
Collaborator

@imatwawana imatwawana left a comment

Thanks for the contribution! I've reviewed the What's new and made a number of edits to the AWS docs, though for the data source docs it's mostly for styling. Once we've sorted out changes from this round of review, I'll tag in our data sources writer to do another pass since I'd like to get her opinion on the data source documentation. Please tag me for review again when you're ready for me to take another look. Also, make sure to view from the Files tab of the PR to ensure you catch all the suggestions.


_Available in private preview in Grafana Cloud_

`Grafana Assume Role` lets Grafana Cloud users of the CloudWatch Data Source authenticate with AWS without having to create and maintain long term AWS Users. By using the new Grafana Assume Role authentication method, you will no longer have to rotate access and secret keys in your CloudWatch Datasource. Instead Grafana Cloud customers can create an IAM Role with atrust relationship with Grafana's AWS Account and Grafana's AWS Account will then use STS to create temporary credentials to access the customer's AWS data.
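
Review bot: "atrust relationship" in the last sentence is missing a space and should read "a trust relationship". The paragraph also alternates between "CloudWatch Data Source" and "CloudWatch Datasource", so pick one spelling. "long term AWS Users" would be more precise as long-term access keys, since the following sentence says what goes away is rotating access and secret keys, and "STS" is used without being expanded. The last sentence runs three steps together (create the role, trust Grafana's account, Grafana obtains temporary credentials) and would read more easily split in two.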
Collaborator

A couple questions:

  • I'm wondering if we should define "STS"? I don't know what it means so maybe some of our readers might not know that acronym right away.
  • I'm not sure if you're talking about "assume role" as a feature or if you're specifically talking about the UI setting. I've treated it as a small "f" feature here and put it all in lower case. If you mean the UI setting, let me know as that should be made clearer and styled differently.

Member Author

Realizing I didn't respond to this comment, sorry!

Spelled out STS, although like many aws acronyms it's hard to say if people are more familiar with the acronym or what it stands for haha. I think people who concern themselves with aws and auth will be pretty familiar; it's not that unique to grafana or anything.

I'm not sure I totally follow the second question.
Maybe this helps?

There's always been an assume role option available that looks like this:
Screenshot 2023-09-27 at 3 25 03 PM

Users have been able to have their primary aws credentials assume a role for a long time. I think this was primarily used in OSS and On-Prem environments and mostly using the aws-sdk which would allow them to attach credentials directly to whatever machine was running Grafana (like EC2). That said, it has also been possible to use Assume role in cloud, they would just also need to provide secret and access keys first:
Screenshot 2023-09-27 at 3 27 20 PM
which kind of takes away from some of the main benefits of using an iam role in the first place.

So now we have a new feature that we're calling Grafana Assume Role, that lets Grafana Cloud users specify an ARN without giving us secret keys (kind of like the AWS SDK Default option above)
Screenshot 2023-09-27 at 3 24 02 PM

The ARN field doesn't change but the authentication provider does.

I know this is super confusing because it's all called arn assume role haha, so I'm trying to make it more distinct/understandable
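
The trust relationship discussed in this thread can be checked from the customer side before the role ARN is handed over. The following is an added example, not code from this PR or from Grafana: it audits a role trust policy so that only one expected account may assume the role. The account ID, the external ID value and the requirement of an `sts:ExternalId` condition (a common guard for cross-account roles) are assumptions, since the page gives none of them.

```python
import json

# Constructed placeholder: the page does not give Grafana's AWS account ID.
TRUSTED_ACCOUNT_ID = "111122223333"

def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID of an account-level principal (bare ID or ...:root ARN), else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) == 6 and parts[:3] == ["arn", "aws", "iam"] and parts[5] == "root":
        return parts[4]
    return None

def audit_trust_policy(policy_json, trusted_account=TRUSTED_ACCOUNT_ID):
    """Return a list of findings for a role trust policy; an empty list means it passed."""
    findings, grants = [], 0
    for n, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        grants += 1
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {n}: principal must be AWS accounts only, got {principal!r}")
        else:
            for p in _as_list(principal["AWS"]):
                if _account_of(p) != trusted_account:
                    findings.append(f"statement {n}: untrusted principal {p!r}")
        # Assumption of this example: every grant must pin an external ID.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower() == "sts:externalid" and v for k, v in equals.items()):
            findings.append(f"statement {n}: no sts:ExternalId condition")
    if grants == 0:
        findings.append("no statement allows sts:AssumeRole")
    return findings

# Constructed sample policies, not taken from Grafana's documentation.
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-stack-id"}}}]})
BAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]})
```

`audit_trust_policy(GOOD)` returns an empty list, while `audit_trust_policy(BAD)` reports both the wildcard principal and the missing external ID condition.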

Collaborator

Thanks for the clarification! To my mind, based on your explanation and our style guidelines, the term should just be plain text except when we're referencing it specifically in the UI (then it's bold and capitalized as it is in the UI; which I've done in one instance in the docs). As for the capitalization, I'm iffy. @lwandz13, as this is your area, I'll leave the final decision on that to you, but I've made suggestions for it to remove the code formatting on the term in the PR and you can take or leave those suggestions as you see fit.

sarahzinger and others added 17 commits September 26, 2023 13:21
…ex.md

Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>
Collaborator

@imatwawana imatwawana left a comment

This is looking solid! I've left a couple questions and now tagging @lwandz13 for review. @lwandz13, I wasn't 100% sure about the formatting of the Grafana Assume Role in the CloudWatch docs, so I'm leaving that up to you. I've done a general copyedit already, but you may find stuff I've missed. I'll take one last look when you're finished reviewing.

sarahzinger and others added 10 commits September 28, 2023 09:54
Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>
Collaborator

@imatwawana imatwawana left a comment

This is good to go for me! Just waiting on Larissa's review.

Labels
add to changelog add to what's new no-backport Skip backport of PR type/docs Flags the technical writing team for documentation support; auto adds to org-wide docs project

4 participants