From 2e2f44c2d3c385f9e1029d3ce6db85bb86fec539 Mon Sep 17 00:00:00 2001 From: Eric Leijonmarck Date: Fri, 14 Apr 2023 14:01:41 +0100 Subject: [PATCH] Docs: update docs migration path for api keys w. examples (#66463) * docs update migration path w. examples * update with current example for api * updated linsk for the documentation * trigger commit * Update docs/sources/administration/api-keys/index.md Co-authored-by: Ieva * Update docs/sources/administration/api-keys/index.md Co-authored-by: Ieva * Update docs/sources/administration/api-keys/index.md Co-authored-by: Ieva * Update docs/sources/administration/api-keys/index.md Co-authored-by: Ieva * Update docs/sources/administration/api-keys/index.md Co-authored-by: Ieva * added cloud stack section --------- Co-authored-by: Ieva --- docs/sources/administration/api-keys/index.md | 210 +++++++++++++++++- 1 file changed, 205 insertions(+), 5 deletions(-) diff --git a/docs/sources/administration/api-keys/index.md b/docs/sources/administration/api-keys/index.md index 2b9da4c533d..462061476fc 100644 --- a/docs/sources/administration/api-keys/index.md +++ b/docs/sources/administration/api-keys/index.md @@ -106,9 +106,9 @@ To migrate a single API key to a service account, complete the following steps: 1. Find the API Key you want to migrate. 1. Click **Migrate to service account**. -### Migrate API keys to Grafana service accounts using the API +### Migrate API keys to Grafana service accounts for API calls -This section shows you how to migrate API keys to Grafana service accounts using the Grafana API. +This section shows you how to migrate API keys to Grafana service accounts for Grafana API workflows. For references see: [Grafana Service Accounts for the Grafana API]({{< relref "../../developers/http_api/serviceaccount/#create-service-account" >}}). #### Before you begin @@ -120,7 +120,7 @@ To follow these instructions, you need one of the following: #### Steps -Complete the following steps to migrate from API keys to service accounts using the API: +Complete the following steps to migrate from API keys to service accounts for API: 1. Call the `POST /api/serviceaccounts` endpoint and the `POST /api/serviceaccounts//tokens`. @@ -135,9 +135,44 @@ Complete the following steps to migrate from API keys to service accounts using 1. Remove code that handles the old `/api/auth/keys` endpoint. 1. Track the [API keys](http://localhost:3000/org/apikeys) in use and migrate them to SATs. -### Migrate API keys to Grafana service accounts using Terraform +#### Example -This section shows you how to migrate API keys to Grafana service accounts using Terraform. +Your current setup + +```sh +curl -X POST -H "Content-Type: application/json" -d '{"name": "my-api-key", "role": "Viewer"}' http://admin:admin@localhost:3000/api/auth/keys + +# response from the api +{"id":2,"name":"my-api-key","key":"eyJrIjoiTFRSN1RBOVc3SGhjblc0bWZodXZ3MnNDcU92Um5VZUIiLKJuIjoibXktYXBpLWtleSIsImlkIjoxfQ=="}% +``` + +New setup + +```sh +# create a service account +curl -X POST -H "Content-Type: application/json" -d '{"name": "my-service-account", "role": "Viewer"}' http://admin:admin@localhost:3000/api/serviceaccounts + +# response with the created service account id,name, login +{"id":1,"name":"my-service-account","login":"sa-my-service-account","orgId":1,"isDisabled":false,"role":"Viewer","tokens":0,"avatarUrl":""}% + +# create the service account token with the service account id 1 - /serviceaccounts/{id} returned from the previous step +curl -X POST -H "Content-Type: application/json" -d '{"name": "my-service-account-token"}' http://admin:admin@localhost:3000/api/serviceaccounts/1/tokens + +# response with the created SAT id,name and key. +{"id":2,"name":"my-service-account-token","key":"glsa_9244xlVFZK0j8Lh4fU8Cz6Z5tO664zIi_7a762939"}% + +# now you can authenticate the same way as you did with the API key +curl --request GET --url http://localhost:3000/api/folders --header 'Authorization: Bearer glsa_9244xlVFZK0j8Lh4fU8Cz6Z5tO664zIi_7a762939' + +# response +[{"id":1,"uid":"a5261a84-eebc-4733-83a9-61f4713561d1","title":"gdev dashboards"}]% +``` + +### Migrate API keys to Grafana service accounts in Terraform + +This section shows you how to migrate your Terraform configuration for API keys to Grafana service accounts. For resources, see [Grafana Service Accounts in Terraform](https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/service_account_token). + +For migration your cloud stack api keys, use the `grafana_cloud_stack_service_account` and `gafana_cloud_stack_service_account_token` resources see [Grafana Cloud Stack Service Accounts in Terraform](https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/cloud_stack_service_account). #### Steps @@ -147,3 +182,168 @@ Complete the following steps to migrate from API keys to service accounts using 1. Specify the desired scopes and expiration date when creating the service account. 1. Use the token returned from `grafana_service_account_token` to authenticate the API requests. 1. Remove the terraform configuration for creating your `grafana_api_key` resources. + +**Example: your current Terraform configuration** + +```tf +terraform { + required_providers { + grafana = { + source = "grafana/grafana" + } + } +} + +# configure the provider with basic auth +provider "grafana" { + url = "http://localhost:3000" + auth = "admin:admin" +} + +resource "grafana_api_key" "foo" { + name = "key_foo" + role = "Viewer" +} + +resource "grafana_api_key" "bar" { + name = "key_bar" + role = "Admin" + seconds_to_live = 30 +} +``` + +**Your new Terraform configuration** + +_Note:_ you can create multiple tokens using one service account. + +```tf +terraform { + required_providers { + grafana = { + source = "grafana/grafana" + } + } +} + +# configure the provider with basic auth +provider "grafana" { + url = "http://localhost:3000" + auth = "admin:admin" +} + +# Creating a service account in Grafana instance to be used as auth and attach tokens +# notice we can attach multiple tokens to one service account +resource "grafana_service_account" "sa-admin" { + name = "sa-admin" + role = "Admin" +} + +# Creating a service account token in Grafana instance to be used for creating resources in Grafana instance +resource "grafana_service_account_token" "sat-bar" { + name = "sat-bar" + service_account_id = grafana_service_account.sa-admin.id +} + +# Creating a service account token in Grafana instance to be used for creating resources in Grafana instance +resource "grafana_service_account_token" "sat-foo" { + name = "sat-foo" + service_account_id = grafana_service_account.sa-admin.id + seconds_to_live = 30 +} +``` + +### Migrate Cloud **Stack** API keys to Grafana cloud stack service accounts in Terraform + +This section shows you how to migrate your Terraform configuration for Grafana cloud stack API keys to Grafana cloud stack service accounts. For migration your cloud stack api keys, use the `grafana_cloud_stack_service_account` and `gafana_cloud_stack_service_account_token` resources see [Grafana Cloud Stack Service Accounts in Terraform](https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/cloud_stack_service_account). + +> **Note:** This is only relevant for Grafana Cloud **Stack** API keys `grafana_cloud_stack_api_key`. Grafana Cloud API keys resource `grafana_cloud_api_key` are not deprecated and should be used for authentication for managing your Grafana cloud. + +#### Steps + +Complete the following steps to migrate from cloud stack API keys to cloud stack service accounts using Terraform: + +1. Generate `grafana_cloud_stack_service_account` and `grafana_cloud_stack_service_account_token` resources. +1. Specify the desired scopes and expiration date when creating the service account. +1. Use the token returned from `grafana_cloud_stack_service_account_token` to authenticate the API requests. +1. Remove the Terraform configuration for creating your `grafana_cloud_stack_api_key` resources. + +**Example: Your current Terraform configuration** + +```tf +terraform { + required_providers { + grafana = { + source = "grafana/grafana" + } + } +} + +# Declaring the first provider to be only used for creating the cloud-stack +provider "grafana" { + alias = "cloud" + + cloud_api_key = "" +} + +resource "grafana_cloud_stack" "my_stack" { + provider = grafana.cloud + + name = "my_stack" + slug = "my_stack" + region_slug = "eu" # Example “us”,”eu” etc +} + +# Creating a Grafana API key to be used as auth +resource "grafana_cloud_stack_api_key" "management" { + provider = grafana.cloud + + stack_slug = grafana_cloud_stack.my_stack.slug + name = "management-key" + role = "Admin" +} +``` + +**Your new Terraform configuration** + +```tf +terraform { + required_providers { + grafana = { + source = "grafana/grafana" + } + } +} + +# Declaring the first provider to be only used for creating the cloud-stack +provider "grafana" { + alias = "cloud" + + cloud_api_key = "" +} + +resource "grafana_cloud_stack" "my_stack" { + provider = grafana.cloud + + name = "my_stack" + slug = "my_stack" + region_slug = "eu" # Example “us”,”eu” etc +} + +# Creating a grafana cloud stack service account +resource "grafana_cloud_stack_service_account" "mystack_cloud-stack_service_account" { + provider = grafana.cloud + stack_slug = grafana_cloud_stack.my_stack.slug + + name = "mystack-cloud-stack-sa" + role = "Admin" +} + +# Creating a grafana cloud stack service account token +resource "grafana_cloud_stack_service_account_token" "mystack_cloud-stack_service-account_token" { + provider = grafana.cloud + stack_slug = grafana_cloud_stack.my_stack.slug + + name = "mystack-cloud-stack-sa-token" + service_account_id = grafana_cloud_stack_service_account.mystack_cloud-stack_service_account.id +} +```