Cross-cloud access, with no static keys
Grafana runs on AWS but reads metrics from Google Cloud, and it
does so without a single stored credential. At startup the
container writes a GCP external account credential file. The Google
SDK then trades an AWS GetCallerIdentity token for a
short-lived GCP access token through a Workload Identity Pool.
The Lambda execution role is bound to a GCP service account with
monitoring.viewer, so the AWS identity alone unlocks GCP metrics.
Nothing to rotate, nothing to leak.
AWS Lambda role
└─ STS GetCallerIdentity token
└─ GCP Workload Identity Pool
└─ short-lived access token
└─ GCP service account (monitoring.viewer)
└─ Cloud Monitoring API
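As an added example (not code from the original page or from the project it describes), this is the shape of the external account credential file the container writes at startup, built and sanity-checked with only the Python standard library; the project number, pool, provider and service-account names are placeholders.

```python
import json
import os
import tempfile

GCP_STS = "https://sts.googleapis.com/v1/token"
AWS_SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request"
AWS_VERIFY_URL = ("https://sts.{region}.amazonaws.com"
                  "?Action=GetCallerIdentity&Version=2011-06-15")

def build_external_account(project_number, pool_id, provider_id, sa_email):
    """Credential dict for AWS -> GCP federation (arguments are placeholders).
    On Lambda the role's temporary keys sit in AWS_ACCESS_KEY_ID /
    AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN plus AWS_REGION, and the Google
    auth library reads those before trying IMDS, so no metadata URLs are
    needed. The SDK signs a GetCallerIdentity request with them and sends it
    to GCP STS as the subject token."""
    audience = (f"//iam.googleapis.com/projects/{project_number}/locations/"
                f"global/workloadIdentityPools/{pool_id}/providers/{provider_id}")
    return {
        "type": "external_account",
        "audience": audience,
        "subject_token_type": AWS_SUBJECT_TOKEN_TYPE,
        "token_url": GCP_STS,
        # After the exchange, impersonate the bound service account.
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/"
            f"serviceAccounts/{sa_email}:generateAccessToken"),
        "credential_source": {
            "environment_id": "aws1",
            "regional_cred_verification_url": AWS_VERIFY_URL,
        },
    }

def check_no_static_secret(cred):
    """Defensive check: the file must describe federation only. A private_key
    or refresh_token would mean a long-lived secret crept back in."""
    banned = {"private_key", "client_secret", "refresh_token"}
    return cred.get("type") == "external_account" and not (banned & set(cred))

def write_credential_file(cred, directory=None):
    """Write the JSON with mode 0600; the returned path is what the container
    exports as GOOGLE_APPLICATION_CREDENTIALS for the Google SDK."""
    path = os.path.join(directory or tempfile.gettempdir(), "gcp-wif.json")
    with open(path, "w") as fh:
        json.dump(cred, fh)
    os.chmod(path, 0o600)
    return path
```

The file carries no secret at all: the only thing the SDK needs at runtime is the Lambda role's own temporary credentials, which AWS rotates for you.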