
Assuming AWS IAM Role Using GCP Service Account (OIDC Federation) in CloudWatch Data Source #108240

@obounaim-smg

Description


Why is this needed:

Grafana currently does not support authenticating to AWS CloudWatch using a GCP service account identity, which is increasingly important in multi-cloud environments. Many teams run workloads on Google Cloud but monitor infrastructure in AWS.

What would you like to be added:

  • Native support in the CloudWatch data source (and underlying AWS SDK configuration) for OIDC-based IAM role assumption using GCP service accounts. This would involve:
      • Accepting a GCP-issued OIDC token
      • Using it to call AssumeRoleWithWebIdentity to obtain AWS credentials
      • Leveraging those temporary credentials to access CloudWatch metrics

This should align with how AWS EKS supports IAM Roles for Service Accounts (IRSA), but for GCP workloads.

Who is this feature for?

  • Multi-cloud teams who deploy workloads on GCP but rely on AWS services for monitoring/logging
  • DevOps, SRE, and Security teams who need a secure, scalable, and cloud-native authentication mechanism
  • Organizations following least-privilege and zero-trust principles who want to eliminate long-lived credentials from Grafana deployments
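The exchange the request describes, as an added example that is neither Grafana code nor part of this issue: an identity token fetched from the GCE metadata server, exchanged at STS through an unsigned AssumeRoleWithWebIdentity call, and the temporary credentials parsed from the XML reply. The metadata base URL, STS endpoint, role ARN and audience are parameters (assumed here so the flow can be exercised against local test servers); in a real deployment the role's trust policy should constrain the accounts.google.com:aud and accounts.google.com:sub condition keys so only the intended service account and audience can assume it.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// AWSCredentials are the temporary credentials STS returns; Expiration is RFC3339, so the exchange is repeated before it passes.
type AWSCredentials struct {
	AccessKeyId, SecretAccessKey, SessionToken, Expiration string
}
// call sends one request carrying one header and returns the body; a non-200 status is an error and its body is never parsed.
func call(method, u string, body io.Reader, hdr, val string) ([]byte, error) {
	req, err := http.NewRequest(method, u, body)
	if err != nil {
		return nil, err
	}
	req.Header.Set(hdr, val)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(resp.Body)
	if err == nil && resp.StatusCode != http.StatusOK {
		err = fmt.Errorf("%s: HTTP %d: %s", req.URL.Host, resp.StatusCode, data)
	}
	return data, err
}
// FetchGCPIdentityToken asks the GCE metadata server (http://metadata.google.internal on a real VM) for an OIDC token minted for audience.
func FetchGCPIdentityToken(metadataBase, audience string) (string, error) {
	u := metadataBase + "/computeMetadata/v1/instance/service-accounts/default/identity?format=full&audience=" + url.QueryEscape(audience)
	body, err := call(http.MethodGet, u, nil, "Metadata-Flavor", "Google") // the metadata server refuses requests lacking this header
	return strings.TrimSpace(string(body)), err
}
// AssumeRoleWithWebIdentity posts the token to STS (https://sts.amazonaws.com or a regional endpoint); the call is unsigned, the token is the only credential.
func AssumeRoleWithWebIdentity(stsEndpoint, roleArn, sessionName, token string) (*AWSCredentials, error) {
	form := url.Values{"Action": {"AssumeRoleWithWebIdentity"}, "Version": {"2011-06-15"}, "RoleArn": {roleArn}, "RoleSessionName": {sessionName}, "WebIdentityToken": {token}}
	body, err := call(http.MethodPost, stsEndpoint, strings.NewReader(form.Encode()), "Content-Type", "application/x-www-form-urlencoded")
	if err != nil {
		return nil, err
	}
	var out struct{ Creds AWSCredentials `xml:"AssumeRoleWithWebIdentityResult>Credentials"` }
	err = xml.Unmarshal(body, &out)
	return &out.Creds, err
}
```

Because STS returns short-lived credentials, a data source built on this flow needs a refresh path keyed on Expiration rather than caching the keys indefinitely.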
