IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add docs for service accounts 8.5 (#46801)

Browse Source 
* initial doc for service accounts

* service account token calls complete

* service account tasks

* Update docs/sources/http_api/serviceaccount.md

* adding a token to the service account

* removed unused file

* refactor: review comments

* feat: add API key documentation

* fix: spelling

* Update docs/sources/administration/service-accounts/about-service-accounts.md

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

* Update docs/sources/administration/service-accounts/about-service-accounts.md

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

* Update docs/sources/http_api/serviceaccount.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/administration/service-accounts/enable-service-accounts.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/administration/service-accounts/enable-service-accounts.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/administration/service-accounts/enable-service-accounts.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/administration/service-accounts/enable-service-accounts.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/administration/service-accounts/enable-service-accounts.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/administration/api-keys/about-api-keys.md

* refactor: based on review

* removed the permissions for apikeys, as they are not necessary

* Apply suggestions from code review

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/administration/service-accounts/create-service-account.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* update based on review

* Fix formatting of bullet points

* formatting

* refcator

Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
This commit is contained in:
Eric Leijonmarck 2022-04-11 15:45:02 +01:00 committed by GitHub
parent bda3dd24e4
commit 7be8fe027f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 572 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/sources/administration/_index.md
View File

@ -12,3 +12,4 @@ This section includes information for Grafana administrators, team administrator
- [Configuration]({{< relref "configuration" >}})
- [Configure Docker image]({{< relref "configure-docker" >}})
- [Security]({{< relref "security" >}})
- [Service accounts]({{< relref "service-accounts" >}})

17
docs/sources/administration/api-keys/_index.md Normal file
View File

@ -0,0 +1,17 @@
---
title: 'API keys in Grafana'
menuTitle: 'API keys'
description: 'This section contains information about API keys in Grafana'
weight: 300
keywords:
- API keys
- Service accounts
---
# API keys in Grafana
API Keys can be used to interact with Grafana HTTP APIs.
We recommend using service accounts instead of API keys if you are on Grafana 8.5+, for more information refer to [About service accounts]({{< relref "../service-accounts/about-service-accounts.md#">}}).
{{< section >}}

12
docs/sources/administration/api-keys/about-api-keys.md Normal file
View File

@ -0,0 +1,12 @@
---
title: About API keys in Grafana
menuTitle: About API keys
description: 'Learn about using API keys in Grafana'
weight: 30
---
# About API keys in Grafana
An API key is a randomly generated string that external systems use to interact with Grafana HTTP APIs.
When you create an API key, you specify a **Role** that determines the permissions associated with the API key. Role permissions control that actions the API key can perform on Grafana resources. For more information about creating API keys, refer to [Create an API key]({{< relref "./create-api-key.md#">}}).

34
docs/sources/administration/api-keys/create-api-key.md Normal file
View File

@ -0,0 +1,34 @@
---
title: Create an API key in Grafana
menuTitle: Create an API key
description: 'How to create an API key in Grafana'
weight: 50
keywords:
- API keys
- Service accounts
---
# Create an API key in Grafana
Create an API key when you want to manage your computed workload with a user.
For more information about API keys, refer to [About API keys in Grafana]({{< relref "./about-api-keys.md">}}).
This topic shows you how to create an API key using the Grafana UI. You can also create an API key using the Grafana HTTP API. For more information about creating API keys via the API, refer to [Create API key via API]({{< relref "../../http_api/create-api-tokens-for-org.md#how-to-create-a-new-organization-and-an-api-token">}}).
## Before you begin:
- Ensure you have permission to create and edit API keys. For more information about permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions.md#">}}).
**To create an API key:**
1. Sign in to Grafana, hover your cursor over **Configuration** (the gear icon), and click **API Keys**.
1. Click **New API key**.
1. Enter a unique name for the key.
1. In the **Role** field, select one of the following access levels you want to assign to the key.
- **Admin**: Enables a user to use APIs at the broadest, most powerful administrative level.
- **Editor** or **Viewer** to limit the key's users to those levels of power.
1. In the **Time to live** field, specify how long you want the key to be valid.
- The maximum length of time is 30 days (one month). You enter a number and a letter. Valid letters include `s` for seconds,`m` for minutes, `h` for hours, `d `for days, `w` for weeks, and `M `for month. For example, `12h` is 12 hours and `1M` is 1 month (30 days).
- If you are unsure about how long an API key should be valid, we recommend that you choose a short duration, such as a few hours. This approach limits the risk of having API keys that are valid for a long time.
1. Click **Add**.

15
docs/sources/administration/service-accounts/_index.md Normal file
View File

@ -0,0 +1,15 @@
---
title: 'Service accounts in Grafana'
menuTitle: 'Service accounts'
description: 'This page contains information about service accounts in Grafana'
weight: 300
keywords:
- API keys
- Service accounts
---
# Service accounts in Grafana
You can use service accounts to run automated or compute workloads.
{{< section >}}

50
docs/sources/administration/service-accounts/about-service-accounts.md Normal file
View File

@ -0,0 +1,50 @@
---
title: About service accounts
menuTitle: About service accounts
description: 'This page contains detailed information about service accounts in Grafana'
weight: 30
---
# About service accounts in Grafana
A service account can be used to run automated or compute workloads. Applications use service account tokens to authorize themselves as a service account.
> **Note:** Service accounts are available in Grafana 8.5+ as a beta feature, to enable service accounts refer to [Enable service accounts]({{< relref "./enable-service-accounts.md#">}}) section.
A common use case for creating a service account is to perform operations on automated or triggered tasks. You can use service accounts to:
- Schedule reports for specific dashboards to be delivered on a daily/weekly/monthly basis
- Define alerts in your system to be used in Grafana
- Set up an external authentication provider to manage users and permissions across an organization
- Establish machine-to-machine communication
- Interact with Grafana without logging in as a user
You can also use service accounts in combination with fine-grained access control to grant users specific scopes.
You can associate a service account with multiple tokens. This is because a service account:
- can be used by multiple team members and therefore can generate their own token each
- can be used across multiple tenants and each tenant can have its own token
We recommend the you begin by creating one service account for each use case.
> **Note:** Service accounts can only act in the organization they are created for. If you have the same task that is needed for multiple organizations, we recommend creating service accounts in each organization.
---
## Service account tokens
A service account token is a generated random string that are an alternative to using passwords for authentication with Grafana, to interact with the Grafana HTTP APIs.
When you create a service account, you can associate one or more access tokens with it. You can use service access tokens the same way as API Keys, for example to access Grafana HTTP API programmatically.
Service account access tokens inherit permissions from service account directly.
### Service accounts benefits
The added benefits of service accounts to API keys include:
- Service accounts resemble Grafana users and can be enabled/disabled, granted specific permissions, and remain active until they are deleted or disabled. API keys are only valid until their expiry date.
- Service accounts can be associated with multiple tokens.
- Unlike API keys, service account tokens are not associated with a specific user, which means that applications can be authenticated even if a Grafana user is deleted.
- You can grant granular permissions to service accounts by leveraging [fine-grained access control]({{< relref "../../enterprise/access-control">}}). For more information about permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions.md#">}}).

31
docs/sources/administration/service-accounts/add-service-account-token.md Normal file
View File

@ -0,0 +1,31 @@
---
title: 'Add a token to a service account in Grafana'
menuTitle: 'Add a token to a service account'
description: 'This topic shows you how to add a token to a service account'
weight: 60
---
# Add a token to a service account in Grafana
A service account token is a randomly generated string that external system use to authenticate into Grafana, and include specific permissions to interact with the Grafana HTTP APIs.
For more information about service accounts, refer to [About service accounts in Grafana]({{< relref "./about-service-accounts.md">}}).
You can create a service account token using the Grafana UI or via the API. For more information about creating a service account token via the API, refer to [HTTP API Create service account token]({{< relref "../../http_api/serviceaccount.md#create-service-account-tokens">}}).
## Before you begin
- Ensure you have added the `service-accounts` feature toggle to Grafana. For more information about adding the `service-accounts` feature toggle, refer to [Enable service accounts]({{< relref "./enable-service-accounts.md#">}}).
- Ensure you have permission to create and edit service accounts. For more information about user roles, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions.md#">}}).
- [Create a service account in Grafana]({{< relref "./create-service-account.md#">}}).
**To add a token to a service account:**
1. Sign in to Grafana and hover your cursor over the organization icon in the sidebar.
1. Click **Service accounts**.
1. Click the service account to which you want to add a token.
1. Click **Add token**.
1. Enter a name for the token.
1. (recommended) Enter an expiry date and expiry date for the token or leave it on no expiry date option.
- The expiry date specifies how long you want the key to be valid.
- If you are unsure of an expiration date, we recommend that you set the token to expire after a short time, such as a few hours or less. This limits the risk associated with a token that is valid for a long time.
1. Click **Generate service account token**.

30
docs/sources/administration/service-accounts/create-service-account.md Normal file
View File

@ -0,0 +1,30 @@
---
title: Create a service account in Grafana
menuTitle: Create a service account
description: 'How to create a service account in Grafana'
weight: 50
keywords:
- Service accounts
---
# Create a service account in Grafana
A service account is a user account that you can use to run automated or compute workloads. For more information about how you can use service accounts, refer to [About service accounts]({{< relref "../service-accounts/about-service-accounts.md#">}}).
For more information about creating service accounts via the API, refer to [Create service account via API]({{< relref "../../http_api/serviceaccount.md#create-service-account">}}).
## Before you begin
- Ensure you have added the feature toggle for service accounts `service-accounts`. For more information about adding the `service-account` feature toggle, refer to [Enable service accounts]({{< relref "./enable-service-accounts.md#">}}).
- Ensure you have permission to create and edit service accounts. For more information about user permissions, refer to [About users and permissions]({{< relref "../manage-users-and-permissions/about-users-and-permissions.md#">}}).
**To create a service account:**
1. Sign in to Grafana and hover your cursor over the organization icon in the sidebar.
1. Click **Service accounts**.
1. Click **New service account**.
1. Enter a **Display name**.
1. The display name must be unique as it determines the ID associated with the service account.
- We recommend that you use a consistent naming convention when you name service accounts. A consistent naming convention can help you scale and maintain service accounts in the future.
- You can change the display name at any time.
1. Click **Create service account**.

43
docs/sources/administration/service-accounts/enable-service-accounts.md Normal file
View File

@ -0,0 +1,43 @@
---
title: 'Enable service accounts in Grafana'
menuTitle: 'Enable service accounts'
description: 'This topic shows you how to to enable the service accounts feature in Grafana'
weight: 40
keywords:
- Feature toggle
- Service accounts
---
# Enable service accounts in Grafana
Service accounts are available behind the `service-accounts` feature toggle available in Grafana 9.0+.
You can enable service accounts by:
- modifying the Grafana configuration file, or
- configuring an environment variable
## Enable service accounts with configuration file
This topic shows you how to enable service accounts by modifying the Grafana configuration file.
1. Sign in to the Grafana server and locate the configuration file. For more information about finding the configuration file, refer to LINK.
1. Open the configuration file and locate the [feature toggles] section. In your [config file]({{< relref "../../administration/configuration.md#config-file-locations" >}}), add `service-accounts` as a [feature_toggle]({{< relref "../../administration/configuration.md#feature_toggle" >}}).
```
[feature_toggles]
# enable features, separated by spaces
enable = service-accounts
```
1. Save your changes, Grafana should recognize your changes; in case of any issues we recommend restarting the Grafana server.
## Enable service accounts with an environment variable
This topic shows you how to enable service accounts by setting environment variables before starting Grafana.
> **Note:** Environment variables override any configuration file settings.
You can use `GF_FEATURE_TOGGLES_ENABLE = service-accounts` environment variable.
For more information regarding on how to setup environment variables refer to [Configuring with environment variables]({{< relref "../../administration/configuration.md#override-configuration-with-environment-variables" >}}).

2
docs/sources/enterprise/access-control/_index.md
View File

@ -58,7 +58,7 @@ enable = accesscontrol
You can use `GF_FEATURE_TOGGLES_ENABLE = accesscontrol` environment variable to override the config file configuration and enable fine-grained access control.
Refer to [Configuring with environment variables]({{< relref "../../administration/configuration.md#configure-with-environment-variables" >}}) for more information.
Refer to [Configuring with environment variables]({{< relref "../../administration/configuration.md#/#override-configuration-with-environment-variables" >}}) for more information.
### Verify if enabled

338
docs/sources/http_api/serviceaccount.md Normal file
View File

@ -0,0 +1,338 @@
+++
title = "Service account HTTP API "
description = "Grafana service account HTTP API"
keywords = ["grafana", "http", "documentation", "api", "serviceaccount"]
aliases = ["/docs/grafana/latest/http_api/serviceaccount/"]
+++
# Service account API
> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
## Search service accounts with Paging
`GET /api/serviceaccounts/search?perpage=10&page=1&query=myserviceaccount`
#### Required permissions
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
| Action | Scope |
| -------------------- | ------------------------- |
| serviceaccounts:read | global:serviceaccounts:\* |
**Example Request**:
```http
GET /api/serviceaccounts/search?perpage=10&page=1&query=mygraf HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46YWRtaW4=
```
Default value for the `perpage` parameter is `1000` and for the `page` parameter is `1`. The `totalCount` field in the response can be used for pagination of the user list E.g. if `totalCount` is equal to 100 users and the `perpage` parameter is set to 10 then there are 10 pages of users. The `query` parameter is optional and it will return results where the query value is contained in one of the `name`. Query values with spaces need to be URL encoded e.g. `query=Jane%20Doe`.
**Example Response**:
```http
HTTP/1.1 200
Content-Type: application/json
{
"totalCount": 2,
"serviceAccounts": [
{
"id": 1,
"name": "grafana",
"login": "sa-grafana",
"orgId": 1,
"isDisabled": false,
"role": "Viewer",
"tokens": 0,
"avatarUrl": "/avatar/85ec38023d90823d3e5b43ef35646af9",
"accessControl": {
"serviceaccounts:delete": true,
"serviceaccounts:read": true,
"serviceaccounts:write": true
}
},
{
"id": 2,
"name": "test",
"login": "sa-test",
"orgId": 1,
"isDisabled": false,
"role": "Viewer",
"tokens": 0,
"avatarUrl": "/avatar/8ea890a677d6a223c591a1beea6ea9d2",
"accessControl": {
"serviceaccounts:delete": true,
"serviceaccounts:read": true,
"serviceaccounts:write": true
}
}
],
"page": 1,
"perPage": 10
}
```
## Create service account
`POST /api/serviceaccounts`
#### Required permissions
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
| Action | Scope |
| --------------------- | ------------------ |
| serviceaccounts:write | serviceaccounts:\* |
**Example Request**:
```http
POST /api/serviceaccounts HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46YWRtaW4=
{
"name": "grafana",
"role": "Admin",
}
```
Requires basic authentication and that the authenticated user is a Grafana Admin.
**Example Response**:
```http
HTTP/1.1 200
Content-Type: application/json
{
"id": 1,
"name": "test",
"login": "sa-test",
"orgId": 1,
"isDisabled": false,
"createdAt": "2022-03-21T14:35:33Z",
"updatedAt": "2022-03-21T14:35:33Z",
"avatarUrl": "/avatar/8ea890a677d6a223c591a1beea6ea9d2",
"role": "Viewer",
"teams": []
}
```
## Get single serviceaccount by Id
`GET /api/serviceaccounts/:id`
#### Required permissions
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
| Action | Scope |
| -------------------- | ------------------ |
| serviceaccounts:read | serviceaccounts:\* |
**Example Request**:
```http
GET /api/serviceaccounts/1 HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46YWRtaW4=
```
Requires basic authentication and that the authenticated user is a Grafana Admin.
**Example Response**:
```http
HTTP/1.1 200
Content-Type: application/json
{
"id": 1,
"name": "test",
"login": "sa-test",
"orgId": 1,
"isDisabled": false,
"createdAt": "2022-03-21T14:35:33Z",
"updatedAt": "2022-03-21T14:35:33Z",
"avatarUrl": "/avatar/8ea890a677d6a223c591a1beea6ea9d2",
"role": "Viewer",
"teams": []
}
```
## Update service account
`PATCH /api/serviceaccounts/:id`
#### Required permissions
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
| Action | Scope |
| --------------------- | ------------------ |
| serviceaccounts:write | serviceaccounts:\* |
**Example Request**:
```http
PUT /api/serviceaccounts/2 HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46YWRtaW4=
{
"name": "test",
"role": "Editor"
}
```
Requires basic authentication and that the authenticated user is a Grafana Admin.
**Example Response**:
```http
HTTP/1.1 200
Content-Type: application/json
{
"id": 2,
"name": "test",
"login": "sa-grafana",
"orgId": 1,
"isDisabled": false,
"createdAt": "2022-03-21T14:35:44Z",
"updatedAt": "2022-03-21T14:35:44Z",
"avatarUrl": "/avatar/8ea890a677d6a223c591a1beea6ea9d2",
"role": "Editor",
"teams": []
}
```
---
## Service account tokens
## Get service account tokens
`GET /api/serviceaccounts/:id/tokens`
#### Required permissions
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
| Action | Scope |
| -------------------- | ------------------ |
| serviceaccounts:read | serviceaccounts:\* |
**Example Request**:
```http
GET /api/serviceaccounts/2/tokens HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46YWRtaW4=
```
Requires basic authentication and that the authenticated user is a Grafana Admin.
**Example Response**:
```http
HTTP/1.1 200
Content-Type: application/json
[
{
"id": 1,
"name": "grafana",
"role": "Viewer",
"created": "2022-03-23T10:31:02Z",
"expiration": null,
"secondsUntilExpiration": 0,
"hasExpired": false
}
]
```
## Create service account tokens
`POST /api/serviceaccounts/:id/tokens`
#### Required permissions
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
| Action | Scope |
| --------------------- | ------------------ |
| serviceaccounts:write | serviceaccounts:\* |
**Example Request**:
```http
POST /api/serviceaccounts/2/tokens HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46YWRtaW4=
{
"name": "grafana",
"role": "Viewer"
}
```
Requires basic authentication and that the authenticated user is a Grafana Admin.
**Example Response**:
```http
HTTP/1.1 200
Content-Type: application/json
{
"id": 7,
"name": "grafana",
"key": "eyJrIjoiVjFxTHZ6dGdPSjg5Um92MjN1RlhjMkNqYkZUbm9jYkwiLCJuIjoiZ3JhZmFuYSIsImlkIjoxfQ=="
}
```
## Delete service account tokens
`DELETE /api/serviceaccounts/:id/tokens/:tokenId`
#### Required permissions
See note in the [introduction]({{< ref "#serviceaccount-api" >}}) for an explanation.
| Action | Scope |
| --------------------- | ------------------ |
| serviceaccounts:write | serviceaccounts:\* |
**Example Request**:
```http
DELETE /api/serviceaccounts/2/tokens/1 HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46YWRtaW4=
```
Requires basic authentication and that the authenticated user is a Grafana Admin.
**Example Response**:
```http
HTTP/1.1 200
Content-Type: application/json
{
"message": "API key deleted"
}
```