IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Imagestore: Fallback to application default credentials when no key file is specified for GCS (#25948)

Browse Source 
The external image storage for GCS creates the JWT Token from a credentials file, 
but if your Grafana server runs under a GCE instance with a service account on it, 
you can use that instead (you don't have to manage/secure the credentials file).

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
This commit is contained in:
Labesse Kévin 2020-07-06 15:02:58 +02:00 committed by GitHub
parent 44dff6fdd0
commit 8e7a88faff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/sources/administration/configuration.md
View File

@ -1179,7 +1179,7 @@ Optional URL to send to users in notifications. If the string contains the seque
### key_file ### key_file
Path to JSON key file associated with a Google service account to authenticate and authorize. Optional path to JSON key file associated with a Google service account to authenticate and authorize. If no value is provided it tries to use the [application default credentials](https://cloud.google.com/docs/authentication/production#finding_credentials_automatically).
Service Account keys can be created and downloaded from https://console.developers.google.com/permissions/serviceaccounts. Service Account keys can be created and downloaded from https://console.developers.google.com/permissions/serviceaccounts.
Service Account should have "Storage Object Writer" role. The access control model of the bucket needs to be "Set object-level and bucket-level permissions". Grafana itself will make the images public readable. Service Account should have "Storage Object Writer" role. The access control model of the bucket needs to be "Set object-level and bucket-level permissions". Grafana itself will make the images public readable.

35
pkg/components/imguploader/gcsuploader.go
View File

@ -43,20 +43,31 @@ func (u *GCSUploader) Upload(ctx context.Context, imageDiskPath string) (string,
fileName += pngExt fileName += pngExt
key := path.Join(u.path, fileName) key := path.Join(u.path, fileName)
u.log.Debug("Opening key file ", u.keyFile) var client *http.Client
data, err := ioutil.ReadFile(u.keyFile)
if err != nil { if u.keyFile != "" {
return "", err u.log.Debug("Opening key file ", u.keyFile)
data, err := ioutil.ReadFile(u.keyFile)
if err != nil {
return "", err
}
u.log.Debug("Creating JWT conf")
conf, err := google.JWTConfigFromJSON(data, tokenUrl)
if err != nil {
return "", err
}
u.log.Debug("Creating HTTP client")
client = conf.Client(ctx)
} else {
u.log.Debug("Key file is empty, trying to use application default credentials")
client, err = google.DefaultClient(ctx)
if err != nil {
return "", err
}
} }
u.log.Debug("Creating JWT conf")
conf, err := google.JWTConfigFromJSON(data, tokenUrl)
if err != nil {
return "", err
}
u.log.Debug("Creating HTTP client")
client := conf.Client(ctx)
err = u.uploadFile(client, imageDiskPath, key) err = u.uploadFile(client, imageDiskPath, key)
if err != nil { if err != nil {
return "", err return "", err