I have the following resources in Account A:

• kubernetes service account
• service account has annotation for an IAM role within Account A
• IAM Role has allow action for sts:AssumeRole of the Role in Account B

Account B has the following:

• your CloudFormation template with principal set to IAM Role from Account A

I provided the External ID and new IAM Role's ARN from Account B into Grafana that is running within Account A and I still receive the following

User: arn:aws:sts::<accountA>:assumed-role/monitoring-role/<session> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<AccountB>:role/monitoring-role-dev

Have you gotten this to work from EKS?

There are 2 aws accounts in one grafana is running AWS Account A and on the other cloudwatch service is there Account B.

I logged in the account B and ran the cloudformation template and got the role arn and the external id , then I open the grafana GUI and pasted the same but got the error.

1. CloudWatch metrics query failed: AccessDenied: User: arn:aws:sts::accounta:assumed-role/svc-cha-grafana-pre-live-grafana-cloudwatch-ro/i-04b932bc0fe364205 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::accountb:role/govind-GrafanaRole-QD4MDTU0YDPT status code: 403, request id: 18c8f5d4-bb2e-40dd-88d2-62ca4fd3a703

do I have to do something in the account a too.