diff --git a/terraform-modules/aws/helm/kube-prometheus-stack/main.tf b/terraform-modules/aws/helm/kube-prometheus-stack/main.tf
index 21c20d738..9d82bd751 100644
--- a/terraform-modules/aws/helm/kube-prometheus-stack/main.tf
+++ b/terraform-modules/aws/helm/kube-prometheus-stack/main.tf
@@ -1,3 +1,8 @@
+locals {
+ base_name = "kube-prometheus-stack"
+ k8s_service_account_name = "kube-prometheus-stack-grafana"
+}
+
 resource "helm_release" "helm_chart" {
 chart = "kube-prometheus-stack"
 namespace = var.namespace
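Review bot: `k8s_service_account_name` in the new locals block hard-codes `kube-prometheus-stack-grafana`, and both the OIDC trust subject and the pod annotation in the next hunk are built from it, so it has to equal the service account the chart actually creates for Grafana; as far as I recall that name is derived from the Helm release name rather than the chart name shown on the following lines, so a differently named release (the `name` attribute is not visible in this hunk) would leave the trust policy scoped to a service account that never exists and the role unassumable. The local cannot reference `helm_release.helm_chart.name` without a cycle through `values`, so at minimum the coupling should be stated: `# Must match the Grafana service account the chart creates (<release name>-grafana); the OIDC trust policy is scoped to this exact name.` The helm_release block continues past the end of this hunk.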
@@ -8,8 +13,40 @@ resource "helm_release" "helm_chart" {
 repository = "https://prometheus-community.github.io/helm-charts"
 values = [
- file("${path.module}/values.yaml"),
+ # templatefile("${path.module}/values.yaml", {
+ templatefile("./values_local.yaml", {
+ enable_grafana_aws_role = var.enable_iam_assumable_role_grafana
+ aws_account_id = var.aws_account_id
+ role_name = local.k8s_service_account_name
+ }),
 var.helm_values,
 ]
+}
+
+############################
+# An AWS assumable role for grafana
+#
+# Use case:
+# * If you want to give Grafana IAM permission to query AWS Cloudwatch logs
+#
+############################
+module "iam_assumable_role_grafana" {
+ count = var.enable_iam_assumable_role_grafana ? 1 : 0
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "3.6.0"
+ create_role = true
+ role_name = local.k8s_service_account_name
+ provider_url = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = [aws_iam_policy.grafana[0].arn]
+ oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${local.k8s_service_account_name}"]
+ tags = var.tags
+}
+# Policy doc: https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
+resource "aws_iam_policy" "grafana" {
+ count = var.enable_iam_assumable_role_grafana ? 1 : 0
+ name_prefix = "${local.base_name}-${var.environment_name}"
+ description = "${local.base_name} for ${var.environment_name}"
+ policy = var.aws_policy_grafana
+ tags = var.tags
 }
diff --git a/terraform-modules/aws/helm/kube-prometheus-stack/values.yaml b/terraform-modules/aws/helm/kube-prometheus-stack/values_local.yaml
similarity index 97%
rename from terraform-modules/aws/helm/kube-prometheus-stack/values.yaml
rename to terraform-modules/aws/helm/kube-prometheus-stack/values_local.yaml
index 6d67ea9bd..145ecf4c7 100644
--- a/terraform-modules/aws/helm/kube-prometheus-stack/values.yaml
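Review bot: `templatefile("./values_local.yaml", ...)` in the `values` list resolves the path against the working directory of whichever root module runs Terraform, not against this module's own directory, so the first consumer that calls the module from another location fails at plan time with a missing file; the commented-out line directly above it already has the right shape and should replace it as `templatefile("${path.module}/values_local.yaml", {`, with the dead comment dropped. The `# Policy doc:` comment above `aws_iam_policy.grafana` links to the EFS CSI driver example policy, which is unrelated to the CloudWatch permissions this policy carries — variables.tf in the same commit already cites the CloudWatch managed-policy page, which is the reference that belongs here. The narrow `oidc_fully_qualified_subjects` trust (one namespace/service-account pair) is the right scope for this role and is worth a one-line comment so it survives future edits, e.g. `# Trust is limited to the Grafana service account only; do not widen to the whole namespace.`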
+++ b/terraform-modules/aws/helm/kube-prometheus-stack/values_local.yaml
@@ -50,7 +50,10 @@ grafana:
 # operator: "Equal"
 # value: "my-app"
 # effect: "NoSchedule"
-
+ %{ if enable_grafana_aws_role }
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::${aws_account_id}:role/${role_name}
+ %{ endif }
 ## Configuration for alertmanager
 ## ref: https://prometheus.io/docs/alerting/alertmanager/
diff --git a/terraform-modules/aws/helm/kube-prometheus-stack/variables.tf b/terraform-modules/aws/helm/kube-prometheus-stack/variables.tf
index 088850096..667d9c0e9 100644
--- a/terraform-modules/aws/helm/kube-prometheus-stack/variables.tf
+++ b/terraform-modules/aws/helm/kube-prometheus-stack/variables.tf
@@ -27,3 +27,63 @@ variable helm_values {
 default = ""
 description = "Additional helm values to pass in. These values would override the default in this module."
 }
+
+variable "tags" {
+ type = map(any)
+ default = {}
+}
+
+variable "aws_account_id" {
+ type = string
+ default = ""
+ description = "AWS account ID. Used in creating IAM assumable role if enabled"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+ type = string
+ default = ""
+ description = "EKS cluster oidc issuer url"
+}
+
+variable "enable_iam_assumable_role_grafana" {
+ type = bool
+ default = false
+ description = "Enable the creation of an AWS IAM assumable role that is attached to the Grafana kubernetes service account. Use case is to give Grafana access to AWS Cloudwatch log via an assumable role."
+}
+
+variable "environment_name" {
+ type = string
+ default = "env"
+ description = "An environment name to attach to some resources. Optional only needed if you are going to create more than one of these items in an AWS account"
+}
+
+# Sample AWS IAM policy: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#managed-policies-cwl
+variable "aws_policy_grafana" {
+ type = string
+ default = <
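Review bot: The role ARN in the added `eks.amazonaws.com/role-arn` annotation is assembled by hand from `aws_account_id` and `role_name` with the `aws` partition hard-coded, so it can silently diverge from the role main.tf actually creates (another partition, a non-default role path, or a wrong account id passed by the caller), and Grafana would then fail to assume a role that does exist. Passing the module's `iam_role_arn` output into the template instead (for example as a `grafana_role_arn` variable) and writing `eks.amazonaws.com/role-arn: ${grafana_role_arn}` keeps the annotation and the trust policy in lock step and removes the separate `aws_account_id` input. Because the whole file is now processed by templatefile, any literal `${` elsewhere in values_local.yaml must be escaped as `$${`; only this part of the file is visible, so that is worth a check before merging.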