feat: add accountId parameter to CloudWatch tools for cross-account monitoring (#616)

Genry1 · claude · web-flow · commit 1d40a712cb08 · 2026-03-03T21:23:59.000Z
Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/tools/cloudwatch.go b/tools/cloudwatch.go
@@ -36,6 +36,7 @@ type CloudWatchQueryParams struct {
 	Start         string            `json:"start,omitempty" jsonschema:"description=Start time. Formats: 'now-1h'\\, '2026-02-02T19:00:00Z'\\, '1738519200000' (Unix ms). Default: now-1h"`
 	End           string            `json:"end,omitempty" jsonschema:"description=End time. Formats: 'now'\\, '2026-02-02T20:00:00Z'\\, '1738522800000' (Unix ms). Default: now"`
 	Region        string            `json:"region" jsonschema:"required,description=AWS region (e.g. us-east-1)"`
+	AccountId     string            `json:"accountId,omitempty" jsonschema:"description=AWS account ID for cross-account monitoring. Specify an account ID to query metrics from a specific source account\\, or 'all' to query all accounts the monitoring account is permitted to query. Only relevant when using a CloudWatch monitoring account datasource."`
 }
 
 // CloudWatchQueryResult represents the result of a CloudWatch query
@@ -143,26 +144,30 @@ func (c *cloudWatchClient) query(ctx context.Context, args CloudWatchQueryParams
 	}
 
 	// Build the query payload
-	payload := map[string]interface{}{
-		"queries": []map[string]interface{}{
-			{
-				"datasource": map[string]string{
-					"uid":  args.DatasourceUID,
-					"type": CloudWatchDatasourceType,
-				},
-				"refId":      "A",
-				"type":       "timeSeriesQuery",
-				"namespace":  args.Namespace,
-				"metricName": args.MetricName,
-				"dimensions": dimensions,
-				"statistic":  statistic,
-				"period":     strconv.Itoa(period),
-				"region":     region,
-				"matchExact": true,
-			},
+	query := map[string]interface{}{
+		"datasource": map[string]string{
+			"uid":  args.DatasourceUID,
+			"type": CloudWatchDatasourceType,
 		},
-		"from": strconv.FormatInt(from.UnixMilli(), 10),
-		"to":   strconv.FormatInt(to.UnixMilli(), 10),
+		"refId":      "A",
+		"type":       "timeSeriesQuery",
+		"namespace":  args.Namespace,
+		"metricName": args.MetricName,
+		"dimensions": dimensions,
+		"statistic":  statistic,
+		"period":     strconv.Itoa(period),
+		"region":     region,
+		"matchExact": true,
+	}
+
+	if args.AccountId != "" {
+		query["accountId"] = args.AccountId
+	}
+
+	payload := map[string]interface{}{
+		"queries": []map[string]interface{}{query},
+		"from":    strconv.FormatInt(from.UnixMilli(), 10),
+		"to":      strconv.FormatInt(to.UnixMilli(), 10),
 	}
 
 	payloadBytes, err := json.Marshal(payload)
@@ -375,7 +380,9 @@ Time formats: 'now-1h', '2026-02-02T19:00:00Z', '1738519200000' (Unix ms)
 
 Common namespaces: AWS/EC2, AWS/ECS, AWS/RDS, AWS/Lambda, ECS/ContainerInsights
 
-Example dimensions: ECS: {ClusterName, ServiceName}, EC2: {InstanceId}`,
+Example dimensions: ECS: {ClusterName, ServiceName}, EC2: {InstanceId}
+
+Cross-account monitoring: Use accountId to query metrics from a specific source account (e.g. '123456789012') or 'all' to query all linked accounts. Only applicable when using a CloudWatch monitoring account datasource.`,
 	queryCloudWatch,
 	mcp.WithTitleAnnotation("Query CloudWatch"),
 	mcp.WithIdempotentHintAnnotation(true),
@@ -386,6 +393,7 @@ Example dimensions: ECS: {ClusterName, ServiceName}, EC2: {InstanceId}`,
 type ListCloudWatchNamespacesParams struct {
 	DatasourceUID string `json:"datasourceUid" jsonschema:"required,description=The UID of the CloudWatch datasource"`
 	Region        string `json:"region" jsonschema:"required,description=AWS region (e.g. us-east-1)"`
+	AccountId     string `json:"accountId,omitempty" jsonschema:"description=AWS account ID for cross-account monitoring. Specify an account ID to filter namespaces from a specific source account\\, or 'all' for all linked accounts."`
 }
 
 // cloudWatchResourceItem represents an item returned by CloudWatch resource APIs
@@ -444,6 +452,9 @@ func listCloudWatchNamespaces(ctx context.Context, args ListCloudWatchNamespaces
 	if args.Region != "" {
 		params.Set("region", args.Region)
 	}
+	if args.AccountId != "" {
+		params.Set("accountId", args.AccountId)
+	}
 
 	resourceURL := client.baseURL + "/api/datasources/uid/" + args.DatasourceUID + "/resources/namespaces"
 	if len(params) > 0 {
@@ -477,7 +488,7 @@ func listCloudWatchNamespaces(ctx context.Context, args ListCloudWatchNamespaces
 // ListCloudWatchNamespaces is a tool for listing CloudWatch namespaces
 var ListCloudWatchNamespaces = mcpgrafana.MustTool(
 	"list_cloudwatch_namespaces",
-	"START HERE for CloudWatch: List available namespaces (AWS/EC2, AWS/ECS, AWS/RDS, etc.). Requires region. NEXT: Use list_cloudwatch_metrics with a namespace.",
+	"START HERE for CloudWatch: List available namespaces (AWS/EC2, AWS/ECS, AWS/RDS, etc.). Requires region. Supports cross-account monitoring via optional accountId parameter. NEXT: Use list_cloudwatch_metrics with a namespace.",
 	listCloudWatchNamespaces,
 	mcp.WithTitleAnnotation("List CloudWatch namespaces"),
 	mcp.WithIdempotentHintAnnotation(true),
@@ -489,6 +500,7 @@ type ListCloudWatchMetricsParams struct {
 	DatasourceUID string `json:"datasourceUid" jsonschema:"required,description=The UID of the CloudWatch datasource"`
 	Namespace     string `json:"namespace" jsonschema:"required,description=CloudWatch namespace (e.g. AWS/ECS\\, AWS/EC2)"`
 	Region        string `json:"region" jsonschema:"required,description=AWS region (e.g. us-east-1)"`
+	AccountId     string `json:"accountId,omitempty" jsonschema:"description=AWS account ID for cross-account monitoring. Specify an account ID to filter metrics from a specific source account\\, or 'all' for all linked accounts."`
 }
 
 // listCloudWatchMetrics lists available metrics for a CloudWatch namespace
@@ -504,6 +516,9 @@ func listCloudWatchMetrics(ctx context.Context, args ListCloudWatchMetricsParams
 	if args.Region != "" {
 		params.Set("region", args.Region)
 	}
+	if args.AccountId != "" {
+		params.Set("accountId", args.AccountId)
+	}
 
 	resourceURL := client.baseURL + "/api/datasources/uid/" + args.DatasourceUID + "/resources/metrics?" + params.Encode()
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, resourceURL, nil)
@@ -534,7 +549,7 @@ func listCloudWatchMetrics(ctx context.Context, args ListCloudWatchMetricsParams
 // ListCloudWatchMetrics is a tool for listing CloudWatch metrics
 var ListCloudWatchMetrics = mcpgrafana.MustTool(
 	"list_cloudwatch_metrics",
-	"List metrics for a CloudWatch namespace. Requires region. Use after list_cloudwatch_namespaces. NEXT: Use list_cloudwatch_dimensions\\, then query_cloudwatch.",
+	"List metrics for a CloudWatch namespace. Requires region. Supports cross-account monitoring via optional accountId parameter. Use after list_cloudwatch_namespaces. NEXT: Use list_cloudwatch_dimensions\\, then query_cloudwatch.",
 	listCloudWatchMetrics,
 	mcp.WithTitleAnnotation("List CloudWatch metrics"),
 	mcp.WithIdempotentHintAnnotation(true),
@@ -547,6 +562,7 @@ type ListCloudWatchDimensionsParams struct {
 	Namespace     string `json:"namespace" jsonschema:"required,description=CloudWatch namespace (e.g. AWS/ECS)"`
 	MetricName    string `json:"metricName" jsonschema:"required,description=Metric name (e.g. CPUUtilization)"`
 	Region        string `json:"region" jsonschema:"required,description=AWS region (e.g. us-east-1)"`
+	AccountId     string `json:"accountId,omitempty" jsonschema:"description=AWS account ID for cross-account monitoring. Specify an account ID to filter dimensions from a specific source account\\, or 'all' for all linked accounts."`
 }
 
 // listCloudWatchDimensions lists available dimension keys for a CloudWatch metric
@@ -563,6 +579,9 @@ func listCloudWatchDimensions(ctx context.Context, args ListCloudWatchDimensions
 	if args.Region != "" {
 		params.Set("region", args.Region)
 	}
+	if args.AccountId != "" {
+		params.Set("accountId", args.AccountId)
+	}
 
 	resourceURL := client.baseURL + "/api/datasources/uid/" + args.DatasourceUID + "/resources/dimension-keys?" + params.Encode()
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, resourceURL, nil)
@@ -593,7 +612,7 @@ func listCloudWatchDimensions(ctx context.Context, args ListCloudWatchDimensions
 // ListCloudWatchDimensions is a tool for listing CloudWatch dimension keys
 var ListCloudWatchDimensions = mcpgrafana.MustTool(
 	"list_cloudwatch_dimensions",
-	"List dimension keys for a CloudWatch metric. Requires region. Use after list_cloudwatch_metrics. NEXT: Use query_cloudwatch with discovered dimensions.",
+	"List dimension keys for a CloudWatch metric. Requires region. Supports cross-account monitoring via optional accountId parameter. Use after list_cloudwatch_metrics. NEXT: Use query_cloudwatch with discovered dimensions.",
 	listCloudWatchDimensions,
 	mcp.WithTitleAnnotation("List CloudWatch dimensions"),
 	mcp.WithIdempotentHintAnnotation(true),
diff --git a/tools/cloudwatch_test.go b/tools/cloudwatch_test.go
@@ -3,6 +3,7 @@
 package tools
 
 import (
+	"encoding/json"
 	"net/url"
 	"testing"
 
@@ -25,6 +26,7 @@ func TestCloudWatchQueryParams_Validation(t *testing.T) {
 		Start:     "now-1h",
 		End:       "now",
 		Region:    "us-east-1",
+		AccountId: "123456789012",
 	}
 
 	assert.Equal(t, "test-uid", params.DatasourceUID)
@@ -37,6 +39,32 @@ func TestCloudWatchQueryParams_Validation(t *testing.T) {
 	assert.Equal(t, "now-1h", params.Start)
 	assert.Equal(t, "now", params.End)
 	assert.Equal(t, "us-east-1", params.Region)
+	assert.Equal(t, "123456789012", params.AccountId)
+}
+
+func TestCloudWatchQueryParams_AccountIdAll(t *testing.T) {
+	// Test that AccountId supports the "all" wildcard value
+	params := CloudWatchQueryParams{
+		DatasourceUID: "test-uid",
+		Namespace:     "AWS/EC2",
+		MetricName:    "CPUUtilization",
+		Region:        "us-east-1",
+		AccountId:     "all",
+	}
+
+	assert.Equal(t, "all", params.AccountId)
+}
+
+func TestCloudWatchQueryParams_AccountIdEmpty(t *testing.T) {
+	// Test that AccountId is optional and defaults to empty
+	params := CloudWatchQueryParams{
+		DatasourceUID: "test-uid",
+		Namespace:     "AWS/EC2",
+		MetricName:    "CPUUtilization",
+		Region:        "us-east-1",
+	}
+
+	assert.Empty(t, params.AccountId)
 }
 
 func TestCloudWatchQueryResult_Structure(t *testing.T) {
@@ -72,22 +100,26 @@ func TestListCloudWatchNamespacesParams_Structure(t *testing.T) {
 	params := ListCloudWatchNamespacesParams{
 		DatasourceUID: "test-uid",
 		Region:        "us-west-2",
+		AccountId:     "123456789012",
 	}
 
 	assert.Equal(t, "test-uid", params.DatasourceUID)
 	assert.Equal(t, "us-west-2", params.Region)
+	assert.Equal(t, "123456789012", params.AccountId)
 }
 
 func TestListCloudWatchMetricsParams_Structure(t *testing.T) {
 	params := ListCloudWatchMetricsParams{
 		DatasourceUID: "test-uid",
 		Namespace:     "AWS/EC2",
 		Region:        "eu-west-1",
+		AccountId:     "all",
 	}
 
 	assert.Equal(t, "test-uid", params.DatasourceUID)
 	assert.Equal(t, "AWS/EC2", params.Namespace)
 	assert.Equal(t, "eu-west-1", params.Region)
+	assert.Equal(t, "all", params.AccountId)
 }
 
 func TestListCloudWatchDimensionsParams_Structure(t *testing.T) {
@@ -96,12 +128,14 @@ func TestListCloudWatchDimensionsParams_Structure(t *testing.T) {
 		Namespace:     "AWS/RDS",
 		MetricName:    "DatabaseConnections",
 		Region:        "ap-southeast-1",
+		AccountId:     "987654321098",
 	}
 
 	assert.Equal(t, "test-uid", params.DatasourceUID)
 	assert.Equal(t, "AWS/RDS", params.Namespace)
 	assert.Equal(t, "DatabaseConnections", params.MetricName)
 	assert.Equal(t, "ap-southeast-1", params.Region)
+	assert.Equal(t, "987654321098", params.AccountId)
 }
 
 func TestCloudWatchQueryResult_Hints(t *testing.T) {
@@ -471,6 +505,80 @@ func TestCloudWatchURLEncoding(t *testing.T) {
 	}
 }
 
+func TestCloudWatchQueryParams_JSONSerialization(t *testing.T) {
+	t.Run("accountId included when set", func(t *testing.T) {
+		params := CloudWatchQueryParams{
+			DatasourceUID: "test-uid",
+			Namespace:     "AWS/EC2",
+			MetricName:    "CPUUtilization",
+			Region:        "us-east-1",
+			AccountId:     "123456789012",
+		}
+
+		data, err := json.Marshal(params)
+		require.NoError(t, err)
+
+		var raw map[string]interface{}
+		err = json.Unmarshal(data, &raw)
+		require.NoError(t, err)
+
+		assert.Equal(t, "123456789012", raw["accountId"])
+	})
+
+	t.Run("accountId omitted when empty", func(t *testing.T) {
+		params := CloudWatchQueryParams{
+			DatasourceUID: "test-uid",
+			Namespace:     "AWS/EC2",
+			MetricName:    "CPUUtilization",
+			Region:        "us-east-1",
+		}
+
+		data, err := json.Marshal(params)
+		require.NoError(t, err)
+
+		var raw map[string]interface{}
+		err = json.Unmarshal(data, &raw)
+		require.NoError(t, err)
+
+		_, exists := raw["accountId"]
+		assert.False(t, exists, "accountId should be omitted from JSON when empty")
+	})
+}
+
+func TestCloudWatchAccountIdURLEncoding(t *testing.T) {
+	tests := []struct {
+		name      string
+		accountId string
+		wantParam string
+	}{
+		{
+			name:      "specific account ID",
+			accountId: "123456789012",
+			wantParam: "123456789012",
+		},
+		{
+			name:      "all accounts wildcard",
+			accountId: "all",
+			wantParam: "all",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			params := url.Values{}
+			params.Set("region", "us-east-1")
+			if tt.accountId != "" {
+				params.Set("accountId", tt.accountId)
+			}
+
+			encoded := params.Encode()
+			parsed, err := url.ParseQuery(encoded)
+			require.NoError(t, err)
+			assert.Equal(t, tt.wantParam, parsed.Get("accountId"))
+		})
+	}
+}
+
 func TestGenerateCloudWatchEmptyResultHints(t *testing.T) {
 	hints := generateCloudWatchEmptyResultHints()
 
