Friday, September 12, 2025

Migrating from API keys to service account tokens in Grafana dashboards using Terraform


With the release of Grafana 9.4, Amazon Managed Grafana added support for service accounts, which have become the recommended authentication method for applications interacting with Amazon Managed Grafana, replacing the previous API key system.

While API keys are created with a specific role that determines their level of access, service accounts offer a more flexible and maintainable approach. They support multiple tokens, can be enabled or disabled independently, and aren't tied to individual users, allowing applications to remain authenticated even when a user is deleted. Permissions can be assigned directly to service accounts using role-based access control, simplifying management of long-lived access for non-human entities such as applications or scripts.

In this blog post, we walk through how to migrate from API keys to service account tokens when automating Amazon Managed Grafana resource management. We also show how to securely store tokens using AWS Secrets Manager and automate token rotation with AWS Lambda. All infrastructure is deployed using Terraform, though the pattern can be adapted to your infrastructure-as-code framework of choice.

What are service accounts and tokens?

A service account is designed to authenticate automated tools and systems with Amazon Managed Grafana and is intended for programmatic access. A service account token is a secure credential issued to a service account and can be used to authenticate requests to the Amazon Managed Grafana HTTP API. Multiple tokens can be associated with a single service account, and tokens can be individually revoked or rotated without affecting other services or requiring changes to user accounts.

For a deeper understanding, see the Grafana service account documentation.

Solution overview

In this solution, we show you how to create a service account, reference it in your Terraform stack, and then implement rotation of the token associated with it using Lambda and Secrets Manager, as shown in the following diagram:

Architecture diagram illustrating the integration between Terraform, the AWS Secrets Manager secret store, and an Amazon Managed Grafana workspace, with Lambda-driven secret rotation.

The following are the basic steps to set up the solution.

  1. Set up Amazon Managed Grafana with service accounts.
  2. Update the secret in Secrets Manager with the token value.
  3. Automate resource creation in Amazon Managed Grafana using service account tokens in Terraform.
  4. Create a service account and token in your Amazon Managed Grafana workspace.
  5. Store the token securely using Secrets Manager.
  6. Use Terraform to automate Amazon Managed Grafana resource creation with the token.
  7. Automate the rotation of the service account token.

See the GitHub repo (sample-migrate-from-apikeys-grafana) for cloning the code and deploying the Terraform stack.

Prerequisites

Before starting this walkthrough, make sure that you have the following:

Solution walkthrough

Use the following steps to set up and configure the solution.

Provision resources using the Terraform stack

The full source code of the solution is in sample-migrate-from-apikeys-grafana and is deployed using Terraform.

  1. Clone the repository.
git clone https://github.com/aws-samples/sample-migrate-from-apikeys-grafana.git

  2. Initialise a Terraform project.
  3. Create the infrastructure for the secrets and the Amazon Managed Grafana instance. The --target flags limit this first apply to the two resources that must exist before a token can be issued.
terraform apply --target=aws_secretsmanager_secret.token --target=aws_grafana_workspace.grafana

This step creates the Amazon Managed Grafana workspace and the Secrets Manager secret. In the next step, you bind the workspace with AWS IAM Identity Center and generate the service account token.

Retrieve the service account token from the Amazon Managed Grafana workspace

You must have administrative privileges in your Amazon Managed Grafana workspace to perform this step. This applies whether you're using IAM Identity Center or an external identity provider for authentication.

  1. To change a user's role in AWS IAM Identity Center (console):
    1. Open the Amazon Managed Grafana console.
    2. In the navigation pane, choose Workspaces.
    3. Select the workspace you want to manage.
    4. Under AWS IAM Identity Center, choose the Assigned users tab.
    5. Select the row of the user that you want to modify.
    6. For Action, choose the following:
    7. Confirm the role change.

  2. Choose the workspace URL and sign in using your credentials; you should be able to create a service account under the name grafana-sa (or the name of the variable defined in /variables.tf).

  3. Assign the Editor role to the service account to allow it to create dashboards and folders. Learn more about service account roles in Assign roles to a service account in Grafana.
  4. After the service account is created, add a service account token to it; again, the name should be similar to the one defined in /variables.tf.

Add the token to Secrets Manager and create the rest of the resources

After you complete this step, the access token will be stored in Secrets Manager and will automatically be used in the provider definition during future runs of terraform apply.

  1. Copy the service account token.

  2. Paste it into the plaintext section of the Secrets Manager secret created in the previous section.

  3. With the access token stored in Secrets Manager, there is no longer a need to restrict the apply operation to the rotation module using the --target flag. Use the following provider configuration, which reads the token from the rotation module's output, to remove the restriction.
    provider "grafana" {
      url  = "https://${aws_grafana_workspace.grafana.endpoint}"
      auth = module.grafana_sa_key_automation.grafana_sa_token
    }
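The rotation the Lambda function performs behind module.grafana_sa_key_automation follows the usual Secrets Manager sequence (create a pending version, test it, promote it, then revoke what it replaced). The following is an added example of that ordering, not code from the sample repository: the Grafana API endpoints named in the comments are real, but FakeGrafana and the dict standing in for the secret's staging labels are constructed here so the logic runs offline.

```python
import secrets


class FakeGrafana:
    """In-memory stand-in for the Grafana HTTP API (constructed for this example).
    Comments name the real endpoints a Lambda would call with an HTTP client."""
    def __init__(self):
        self.tokens = {}      # token id -> {"name": ..., "key": ...}
        self.next_id = 1

    def create_token(self, sa_id, name):
        # POST /api/serviceaccounts/{sa_id}/tokens   body {"name": name}
        tid, key = self.next_id, "glsa_" + secrets.token_hex(16)
        self.next_id += 1
        self.tokens[tid] = {"name": name, "key": key}
        return {"id": tid, "name": name, "key": key}   # key is returned only once

    def list_tokens(self, sa_id):
        # GET /api/serviceaccounts/{sa_id}/tokens  (keys are never listed)
        return [{"id": t, "name": v["name"]} for t, v in self.tokens.items()]

    def delete_token(self, sa_id, token_id):
        # DELETE /api/serviceaccounts/{sa_id}/tokens/{token_id}
        self.tokens.pop(token_id)

    def authenticates(self, key):
        # Stand-in for a probe request made with the token as a bearer credential
        return any(v["key"] == key for v in self.tokens.values())


def rotate_token(grafana, secret, sa_id, name_prefix):
    """Rotate the service account token named with `name_prefix`.
    `secret` maps Secrets Manager staging labels (AWSCURRENT/AWSPENDING) to token values."""
    old_ids = [t["id"] for t in grafana.list_tokens(sa_id)
               if t["name"].startswith(name_prefix)]
    # createSecret: token names must be unique per service account, so suffix it
    new = grafana.create_token(sa_id, f"{name_prefix}-{secrets.token_hex(4)}")
    secret["AWSPENDING"] = new["key"]
    # testSecret: never promote a credential that cannot authenticate
    if not grafana.authenticates(secret["AWSPENDING"]):
        grafana.delete_token(sa_id, new["id"])
        secret.pop("AWSPENDING")
        raise RuntimeError("new token failed authentication; current token kept")
    # finishSecret: readers of AWSCURRENT (the Terraform provider) now get the new token
    secret["AWSCURRENT"] = secret.pop("AWSPENDING")
    # Revoke the superseded tokens last, so the secret never points at a dead token
    for tid in old_ids:
        grafana.delete_token(sa_id, tid)
    return {"token_id": new["id"], "revoked": old_ids}
```

Because revocation happens only after the new version is AWSCURRENT, a terraform apply that runs mid-rotation still authenticates with whichever token it reads.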

Clean up

To avoid incurring future charges, delete unused Amazon Managed Grafana service accounts and remove the Terraform-managed resources by running the CLI command terraform destroy.

Security notes

To protect the security of your organization, we recommend the following best practices:

  • Always follow least privilege principles. Grant the minimum permissions needed to the service account (for example, Editor instead of Admin).
  • Ensure that Amazon Simple Queue Service (Amazon SQS) queues, Secrets Manager secrets, and Amazon CloudWatch Logs are encrypted with a customer-managed KMS key if required by your organization.
  • Rotate secrets regularly to minimize exposure.

Conclusion

In this post, we demonstrated how to migrate from API keys to Amazon Managed Grafana service account tokens using Terraform, with secure storage in AWS Secrets Manager and optional automated token rotation via AWS Lambda. This modern approach improves security, scalability, and auditing in your automation pipelines.

For more information, see the Amazon Managed Grafana service account documentation.


About the authors


Majdoulina Makbal

Majdoulina is a Delivery Consultant in AWS Professional Services, specialising in AI and ML solutions. With a strong background in industrial connected services, she brings extensive experience helping organisations across diverse industries transform their business vision into technological reality. Based in Munich, she's mastering the art of explaining transformer architectures and federated learning over a Maß at Oktoberfest.
