With the release of Grafana 9.4, Amazon Managed Grafana added support for service accounts, which have become the recommended authentication method for applications interacting with Amazon Managed Grafana, replacing the previous API key system.
While API keys are created with a specific role that determines their level of access, service accounts offer a more flexible and maintainable approach. They support multiple tokens, can be enabled or disabled independently, and aren't tied to individual users, so applications remain authenticated even when a user is deleted. Permissions can be assigned directly to service accounts using role-based access control, which simplifies the management of long-lived access for non-human entities such as applications or scripts.
In this blog post, we walk through how to migrate from API keys to service account tokens when automating Amazon Managed Grafana resource management. We also show how to store tokens securely in AWS Secrets Manager and automate token rotation with AWS Lambda. All infrastructure is deployed using Terraform, though the pattern can be adapted to your infrastructure-as-code framework of choice.
What are service accounts and tokens?
A service account is designed to authenticate automated tools and systems with Amazon Managed Grafana and is intended for programmatic access. A service account token is a credential issued to a service account that can be used to authenticate requests to the Amazon Managed Grafana HTTP API. Multiple tokens can be associated with a single service account, and tokens can be individually revoked or rotated without affecting other services or requiring changes to user accounts.
For a deeper understanding, see the Grafana service account documentation.
Solution overview
In this solution, we show you how to create a service account, reference it in your Terraform stack, and then implement rotation of the token associated with it using Lambda and Secrets Manager, as shown in the following diagram:

Architecture diagram illustrating the integration between Terraform, the AWS Secrets Manager secret store, and an Amazon Managed Grafana workspace, with secret rotation functionality.
The following are the basic steps to set up the solution.
- Create a service account and token in your Amazon Managed Grafana workspace.
- Store the token securely in Secrets Manager.
- Use Terraform to automate Amazon Managed Grafana resource creation with the token.
- Automate the rotation of the service account token.
The GitHub repo contains the code for cloning and deploying the Terraform stack.
Prerequisites
Before starting this walkthrough, make sure that you have the following:
Solution walkthrough
Use the following steps to set up and configure the solution.
Provision resources using the Terraform stack
The full source code of the solution is in sample-migrate-from-apikeys-grafana and is deployed using Terraform.
- Clone the repository.
- Initialize a Terraform project.
- Create the infrastructure for the secrets and the Amazon Managed Grafana instance.
Retrieve a service account token from the Amazon Managed Grafana workspace
You must have administrative privileges in your Amazon Managed Grafana workspace to perform this step. This applies whether you use IAM Identity Center or an external identity provider for authentication.
- To change a user's role in AWS IAM Identity Center (console):
- Open the Amazon Managed Grafana console.
- In the navigation pane, choose Workspaces.
- Select the workspace you want to manage.
- On the AWS IAM Identity Center tab, choose the Assigned users tab.
- Select the row of the user that you want to modify.
- For Action, choose the option that grants the user the Admin role.
- Confirm the role change.
- Open the workspace URL and sign in with your credentials. You should now be able to create a service account under the name grafana-sa (or the name of the variable defined in /variables.tf).
- Assign the Editor role to the service account to allow it to create dashboards and folders. Learn more about service account roles in Assign roles to a service account in Grafana.
- After the service account is created, add a service account token to it; again, the name should match the one defined in /variables.tf.
Add the token to Secrets Manager and create the rest of the resources
After you complete this step, the access token is stored in Secrets Manager and is automatically used in the provider definition during future runs of terraform apply.
- Copy the service account token.
- Paste it into the plaintext section of the Secrets Manager secret created in the previous section.
- With the access token stored in Secrets Manager, there is no longer a need to restrict the apply operation to the rotation module using the --target flag. Run terraform apply again without the --target flag to remove the restriction and create the remaining resources.
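The rotation step listed in the solution overview is the part of the pattern that the Lambda function carries, so the following is an added example of what that function looks like; it is not code from this post or from the sample-migrate-from-apikeys-grafana repository. It implements the four-step Secrets Manager rotation protocol (createSecret, setSecret, testSecret, finishSecret) against the Grafana HTTP API service account token endpoints. Everything beyond that protocol is an assumption of the example rather than something the page states: the secret holds the bare token as plaintext (matching the paste step above), the environment variable names GRAFANA_URL and SERVICE_ACCOUNT_ID, the rotation-<version> token naming, and that the token being rotated has the Admin role needed to mint and delete tokens on its own service account. FakeSecrets and FakeGrafana are constructed in-memory stand-ins so the whole flow can be run offline.

```python
"""Secrets Manager rotation Lambda for an Amazon Managed Grafana service account token.
Added example, not code from the post or its sample repo. Assumed: the secret's plaintext is the
bare token; GRAFANA_URL and SERVICE_ACCOUNT_ID are hypothetical Lambda env vars; the AWSCURRENT
token may manage tokens on its own service account (Grafana requires the Admin role for that)."""
import json
import os
from urllib import error, request


class GrafanaClient:
    """The Grafana HTTP API calls a rotation needs, via urllib so the Lambda has no extra deps."""
    def __init__(self, base_url, token, sa_id):
        self.base_url, self.token, self.sa_id = base_url.rstrip("/"), token, sa_id
    def _call(self, method, path, body=None, auth=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + (auth or self.token))
        req.add_header("Content-Type", "application/json")
        with request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")
    def create_token(self, name):  # POST /api/serviceaccounts/:id/tokens -> {"id", "name", "key"}
        return self._call("POST", f"/api/serviceaccounts/{self.sa_id}/tokens", {"name": name})["key"]
    def token_works(self, key):  # GET /api/user answers as the service account, or 401
        try:
            self._call("GET", "/api/user", auth=key)
            return True
        except error.HTTPError:
            return False
    def delete_rotated_tokens_except(self, keep_name, auth):
        for t in self._call("GET", f"/api/serviceaccounts/{self.sa_id}/tokens", auth=auth):
            if t["name"].startswith("rotation-") and t["name"] != keep_name:
                self._call("DELETE", f"/api/serviceaccounts/{self.sa_id}/tokens/{t['id']}", auth=auth)


def lambda_handler(event, context, sm=None, grafana=None):
    """Runs one of the four rotation steps; sm and grafana are injectable for offline tests."""
    secret_id, version, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if sm is None:
        import boto3  # only needed inside Lambda
        sm = boto3.client("secretsmanager")
    stages = sm.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(version, []):
        return "already-current"  # this version was promoted earlier, so retries are no-ops
    if grafana is None:
        current = sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"]
        grafana = GrafanaClient(os.environ["GRAFANA_URL"], current, os.environ["SERVICE_ACCOUNT_ID"])
    name = "rotation-" + version[:8]  # one Grafana token per Secrets Manager version id (assumed naming)
    if step == "createSecret":
        if version not in stages:  # not yet staged as AWSPENDING, so mint the successor token
            sm.put_secret_value(SecretId=secret_id, ClientRequestToken=version,
                                SecretString=grafana.create_token(name), VersionStages=["AWSPENDING"])
    elif step in ("testSecret", "finishSecret"):
        pending = sm.get_secret_value(SecretId=secret_id, VersionId=version,
                                      VersionStage="AWSPENDING")["SecretString"]
        if not grafana.token_works(pending):  # never promote a token Grafana does not accept
            raise RuntimeError("pending token rejected by Grafana; AWSCURRENT left untouched")
        if step == "finishSecret":
            current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
            sm.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                           MoveToVersionId=version, RemoveFromVersionId=current_id)
            grafana.delete_rotated_tokens_except(name, auth=pending)  # retire predecessors after promotion
    elif step != "setSecret":  # setSecret is a no-op: Grafana issued the credential itself
        raise ValueError("unknown rotation step: " + step)
    return step


class FakeSecrets:  # constructed in-memory stand-in for the boto3 Secrets Manager calls used above
    def __init__(self, current_value):
        self.versions, self.stages = {"v0": current_value}, {"v0": ["AWSCURRENT"]}
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: list(s) for v, s in self.stages.items()}}
    def get_secret_value(self, SecretId, VersionStage, VersionId=None):
        vid = VersionId or next(v for v, s in self.stages.items() if VersionStage in s)
        return {"SecretString": self.versions[vid]}
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken], self.stages[ClientRequestToken] = SecretString, list(VersionStages)
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[MoveToVersionId].append(VersionStage)


class FakeGrafana:  # constructed in-memory stand-in for GrafanaClient; keys carry the real glsa_ prefix
    def __init__(self, tokens):
        self.tokens = dict(tokens)  # name -> key
    def create_token(self, name):
        return self.tokens.setdefault(name, "glsa_" + name)
    def token_works(self, key):
        return key in self.tokens.values()
    def delete_rotated_tokens_except(self, keep_name, auth):
        self.tokens = {n: k for n, k in self.tokens.items() if n == keep_name or not n.startswith("rotation-")}


def rotate(sm, grafana, version, secret_id="grafana-sa-token"):
    """Drives the four steps in the order Secrets Manager invokes them; returns the new AWSCURRENT value."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"SecretId": secret_id, "ClientRequestToken": version, "Step": step}, None, sm, grafana)
    return sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"]
```

The previous token is deleted only in finishSecret, after the new one has been checked against Grafana and promoted to AWSCURRENT, so a failed testSecret leaves the working credential in place and Terraform keeps running. Only tokens the rotation itself created (the rotation-... names) are retired; the manually created bootstrap token from the walkthrough survives the first rotation and should be deleted by hand once a rotation has succeeded. Retries of any step are safe because the handler checks the version's stages before acting.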
Clean up
To avoid incurring future charges, delete unused Amazon Managed Grafana service accounts and remove the Terraform-managed resources by running terraform destroy.
Security notes
To protect the security of your organization, we recommend the following best practices:
- Always follow least privilege principles. Grant the service account the minimum permissions it needs (for example, Editor instead of Admin).
- Make sure that Amazon Simple Queue Service (Amazon SQS) queues, Secrets Manager secrets, and Amazon CloudWatch Logs are encrypted with a customer-managed KMS key if your organization requires it.
- Rotate secrets regularly to minimize exposure, and revoke the previous token only after the new one has been verified, so that a failed rotation does not leave your automation without a working credential.
- Remember that a Terraform data source that reads the secret value writes that value into Terraform state, so restrict access to the state backend as strictly as you restrict access to the secret itself.
Conclusion
In this post, we demonstrated how to migrate from API keys to Amazon Managed Grafana service account tokens using Terraform, with secure storage in AWS Secrets Manager and optional automated token rotation through AWS Lambda. This approach improves the security, scalability, and auditability of your automation pipelines.
For more information, see the Amazon Managed Grafana service account documentation.
About the authors