AWS: Add aws plugin configuration (#31312)

* add new conf and make sure its passed to frontend * change auth provider name * goimports * fixed after feedback * more updates after feedback * Update docs/sources/administration/configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/administration/configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/administration/configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/administration/configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/administration/configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update conf/sample.ini Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Update docs/sources/administration/configuration.md Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Update pkg/setting/setting.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * updates after pr feedback * Update conf/defaults.ini Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Update conf/defaults.ini Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Update conf/sample.ini Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2025-02-13 00:55:47 -06:00 · 2021-02-24 18:08:13 +01:00 · 2021-02-24 18:08:13 +01:00 · 1b149523ed
commit 1b149523ed
parent 4a2e32b401
5 changed files with 64 additions and 6 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -505,6 +505,16 @@ allow_sign_up = true
 sync_cron = "0 0 1 * * *"
 active_sync_enabled = true

+#################################### AWS ###########################
+[aws]
+# Enter a comma-separated list of allowed AWS authentication providers. 
+# Options are: default (AWS SDK Default), keys (Access && secret key), credentials (Credentials field), ec2_IAM_role (EC2 IAM Role)
+allowed_auth_providers = default,keys,credentials
+
+# Allow AWS users to assume a role using temporary security credentials. 
+# If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
+assume_role_enabled = true
+
 #################################### SMTP / Emailing #####################
 [smtp]
 enabled = false
--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -495,6 +495,16 @@
 ;sync_cron = "0 0 1 * * *"
 ;active_sync_enabled = true

+#################################### AWS ###########################
+[aws]
+# Enter a comma-separated list of allowed AWS authentication providers. 
+# Options are: default (AWS SDK Default), keys (Access && secret key), credentials (Credentials field), ec2_IAM_role (EC2 IAM Role)
+; allowed_auth_providers = default,keys,credentials
+
+# Allow AWS users to assume a role using temporary security credentials. 
+# If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
+; assume_role_enabled = true
+
 #################################### SMTP / Emailing ##########################
 [smtp]
 ;enabled = false
--- a/docs/sources/administration/configuration.md
+++ b/docs/sources/administration/configuration.md
@ -772,6 +772,22 @@ Refer to [Auth proxy authentication]({{< relref "../auth/auth-proxy.md" >}}) for

 Refer to [LDAP authentication]({{< relref "../auth/ldap.md" >}}) for detailed instructions.

+## [aws]
+
+You can configure core and external AWS plugins.
+
+### allowed_auth_providers
+
+Specify what authentication providers the AWS plugins allow. For a list of allowed providers, refer to the data-source configuration page for a given plugin. If you configure a plugin by provisioning, only providers that are specified in `allowed_auth_providers` are allowed.
+
+Options: `default` (AWS SDK default), `keys` (Access and secret key), `credentials` (Credentials file), `ec2_IAM_role` (EC2 IAM role)
+
+### assume_role_enabled
+
+Set to `false` to disable AWS authentication from using an assumed role with temporary security credentials. For details about assume roles, refer to the AWS API reference documentation about the [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) operation.
+
+If this option is disabled, the **Assume Role** and the **External Id** field are removed from the AWS data source configuration page. If the plugin is configured using provisioning, it is possible to use an assumed role as long as `assume_role_enabled` is set to `true`.
+
 <hr />

 ## [smtp]
@ -1530,6 +1546,9 @@ Set this to `true` to have date formats automatically derived from your browser
 Used as the default time zone for user preferences. Can be either `browser` for the browser local time zone or a time zone name from the IANA Time Zone database, such as `UTC` or `Europe/Amsterdam`.

 ## [expressions]
+
 > **Note:** This feature is available in Grafana v7.4 and later versions.
+
 ### enabled
+
 Set this to `false` to disable expressions and hide them in the Grafana UI. Default is `true`.
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@ -237,12 +237,14 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
 			"licenseUrl":      hs.License.LicenseURL(c.SignedInUser),
 			"edition":         hs.License.Edition(),
 		},
-		"featureToggles":     hs.Cfg.FeatureToggles,
-		"rendererAvailable":  hs.RenderService.IsAvailable(),
-		"http2Enabled":       hs.Cfg.Protocol == setting.HTTP2Scheme,
-		"sentry":             hs.Cfg.Sentry,
-		"marketplaceUrl":     hs.Cfg.MarketplaceURL,
-		"expressionsEnabled": hs.Cfg.ExpressionsEnabled,
+		"featureToggles":          hs.Cfg.FeatureToggles,
+		"rendererAvailable":       hs.RenderService.IsAvailable(),
+		"http2Enabled":            hs.Cfg.Protocol == setting.HTTP2Scheme,
+		"sentry":                  hs.Cfg.Sentry,
+		"marketplaceUrl":          hs.Cfg.MarketplaceURL,
+		"expressionsEnabled":      hs.Cfg.ExpressionsEnabled,
+		"awsAllowedAuthProviders": hs.Cfg.AWSAllowedAuthProviders,
+		"awsAssumeRoleEnabled":    hs.Cfg.AWSAssumeRoleEnabled,
 	}

 	return jsonObj, nil
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -273,6 +273,10 @@ type Cfg struct {
 	AdminUser                    string
 	AdminPassword                string

+	// AWS Plugin Auth
+	AWSAllowedAuthProviders []string
+	AWSAssumeRoleEnabled    bool
+
 	// Auth proxy settings
 	AuthProxyEnabled          bool
 	AuthProxyHeaderName       string
@ -861,6 +865,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	}

 	cfg.readLDAPConfig()
+	cfg.readAWSConfig()
 	cfg.readSessionConfig()
 	cfg.readSmtpSettings()
 	cfg.readQuotaSettings()
@ -923,6 +928,18 @@ func (cfg *Cfg) readLDAPConfig() {
 	cfg.LDAPAllowSignup = LDAPAllowSignup
 }

+func (cfg *Cfg) readAWSConfig() {
+	awsPluginSec := cfg.Raw.Section("aws")
+	cfg.AWSAssumeRoleEnabled = awsPluginSec.Key("assume_role_enabled").MustBool(true)
+	allowedAuthProviders := awsPluginSec.Key("allowed_auth_providers").String()
+	for _, authProvider := range strings.Split(allowedAuthProviders, ",") {
+		authProvider = strings.TrimSpace(authProvider)
+		if authProvider != "" {
+			cfg.AWSAllowedAuthProviders = append(cfg.AWSAllowedAuthProviders, authProvider)
+		}
+	}
+}
+
 func (cfg *Cfg) readSessionConfig() {
 	sec, _ := cfg.Raw.GetSection("session")