Migrating from API keys to service account tokens in Grafana dashboards using Terraform


With the release of Grafana 9.4, Amazon Managed Grafana added support for service accounts, which have become the recommended authentication method for applications interacting with Amazon Managed Grafana, replacing the previous API key system.

While API keys are created with a specific role that determines their level of access, service accounts offer a more flexible and maintainable approach. They support multiple tokens, can be enabled or disabled independently, and aren't tied to individual users, so applications remain authenticated even when a user is deleted. Permissions can be assigned directly to service accounts using role-based access control, which simplifies management of long-lived access for non-human entities such as applications or scripts.

In this blog post, we walk through how to migrate from API keys to service account tokens when automating Amazon Managed Grafana resource management. We also show how to securely store tokens using AWS Secrets Manager and automate token rotation with AWS Lambda. All infrastructure is deployed using Terraform, though the pattern can be adapted to your infrastructure-as-code framework of choice.

What are service accounts and tokens?

A service account is designed to authenticate automated tools and systems with Amazon Managed Grafana and is intended for programmatic access. A service account token is a secure credential issued to a service account and can be used to authenticate requests to the Amazon Managed Grafana HTTP API. Multiple tokens can be associated with a single service account, and tokens can be individually revoked or rotated without affecting other services or requiring changes to user accounts.

For a deeper understanding, see the Grafana service account documentation.

Solution overview

In this solution, we show you how to create a service account, reference it in your Terraform stack, and then implement rotation of the token associated with it using Lambda and Secrets Manager, as shown in the following diagram:

Architecture diagram illustrating the integration between Terraform, an AWS Secrets Manager secret store, and an Amazon Managed Grafana workspace, with secret rotation functionality.

The following are the basic steps to set up the solution.

  1. Set up Amazon Managed Grafana with service accounts.
  2. Update the secret in Secrets Manager with the token value.
  3. Automate resource creation in Amazon Managed Grafana using service account tokens in Terraform.
  4. Create a service account and token in your Amazon Managed Grafana workspace.
  5. Store the token securely using Secrets Manager.
  6. Use Terraform to automate Amazon Managed Grafana resource creation with the token.
  7. Automate the rotation of the service account token.

GitHub repo for cloning the code and deploying the Terraform stack.

Prerequisites

Before starting this walkthrough, make sure that you have the following:

Solution walkthrough

Use the following steps to set up and configure the solution.

Provision resources using the Terraform stack

The full source code of the solution is in sample-migrate-from-apikeys-grafana and is deployed using Terraform.

  1. Clone the repository.
git clone https://github.com/aws-samples/sample-migrate-from-apikeys-grafana.git

  2. Initialise a Terraform project.
  3. Create the infrastructure for the secret and the Amazon Managed Grafana instance.
terraform apply --target=aws_secretsmanager_secret.token --target=aws_grafana_workspace.grafana

This step creates the Amazon Managed Grafana workspace and the Secrets Manager secret. In the next step, you bind the workspace with AWS IAM Identity Center and generate the service account token.

Retrieve the service account token from the Amazon Managed Grafana workspace

You must have administrative privileges in your Amazon Managed Grafana workspace to perform this step. This applies whether you're using IAM Identity Center or an external identity provider for authentication.

  1. To change a user's role in AWS IAM Identity Center (console):
    1. Open the Amazon Managed Grafana console.
    2. In the navigation pane, choose Workspaces.
    3. Choose the workspace you want to manage.
    4. Under AWS IAM Identity Center, choose the Assigned users tab.
    5. Select the row of the user that you want to modify.
    6. For Action, choose the following:
    7. Confirm the role change.

  2. Choose the workspace URL and sign in using your credentials; you should be able to create a service account under the name grafana-sa (or the name of the variable defined in /variables.tf).

  3. Assign the Editor role to the service account to allow it to create dashboards and folders. Learn more about service account roles in Assign roles to a service account in Grafana.
  4. After the service account is created, add a service account token to it; again, the name should be similar to the one defined in /variables.tf.

Add the token to Secrets Manager and create the rest of the resources

After you complete this step, the access token is stored in Secrets Manager and is automatically used in the provider definition during future runs of terraform apply.

  1. Copy the service account token.

  2. Paste it into the plaintext section of the Secrets Manager secret created in the previous section.

  3. With the access token stored in Secrets Manager, there is no longer a need to restrict the apply operation to the rotation module using the --target flag. Use the following code to remove the restriction.
    # Grafana provider authenticated with the service account token read from Secrets Manager
    provider "grafana" {
      url  = "https://${aws_grafana_workspace.grafana.endpoint}"
      auth = module.grafana_sa_key_automation.grafana_sa_token
    }
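The following Terraform fragment is an added example, not code from the sample repository, showing the end-to-end path the step above relies on: the token is read from the Secrets Manager secret, fed into the grafana provider, and then used to create a folder and a dashboard. It reuses the page's resource addresses aws_secretsmanager_secret.token and aws_grafana_workspace.grafana; the data source name, the folder and dashboard resources, and their titles are assumptions. It reads the secret directly instead of through the page's module output module.grafana_sa_key_automation.grafana_sa_token.

```hcl
terraform {
  required_providers {
    aws     = { source = "hashicorp/aws" }
    grafana = { source = "grafana/grafana" }
  }
}

# Read the AWSCURRENT version of the secret that holds the service account token.
# After a rotation, the next terraform apply automatically picks up the new value
# because this data source defaults to the AWSCURRENT staging label.
# (Data source and resource names below are assumptions for this example.)
data "aws_secretsmanager_secret_version" "grafana_sa_token" {
  secret_id = aws_secretsmanager_secret.token.id
}

# The grafana provider authenticates with the bearer token from the secret.
# secret_string is a sensitive value, so it is redacted in plan and apply output.
provider "grafana" {
  url  = "https://${aws_grafana_workspace.grafana.endpoint}"
  auth = data.aws_secretsmanager_secret_version.grafana_sa_token.secret_string
}

# Both resources below are created with the service account's Editor role,
# which is sufficient for folders and dashboards and avoids an Admin token.
resource "grafana_folder" "automation" {
  title = "Automation" # assumed folder title
}

resource "grafana_dashboard" "service_health" {
  folder = grafana_folder.automation.id
  config_json = jsonencode({
    title         = "Service health" # assumed dashboard title
    uid           = "service-health" # assumed, stable UID so re-applies update in place
    schemaVersion = 39
    panels        = []
  })
}
```

One caveat a practitioner should plan for: the token read by the data source is written to the Terraform state file, so the state backend (for example an S3 bucket with a DynamoDB lock table) must be encrypted and access to it restricted in the same way as access to the secret itself.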

Clean up

To avoid incurring future charges, delete unused Amazon Managed Grafana service accounts and remove the Terraform-managed resources by running the CLI command terraform destroy.

Security notes

To protect the security of your organization, we recommend the following best practices:

  • Always follow least privilege principles. Grant the minimum permissions needed to the service account (for example, Editor instead of Admin).
  • Make sure that Amazon Simple Queue Service (Amazon SQS) queues, Secrets Manager secrets, and Amazon CloudWatch Logs are encrypted with a customer-managed KMS key if required by your organization.
  • Rotate secrets regularly to minimize exposure.
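To show the last two recommendations in configuration form, here is an added Terraform example (not from the sample repository) that encrypts the token secret with a customer-managed KMS key and attaches a 30-day rotation schedule to a Lambda function. It uses the page's resource address aws_secretsmanager_secret.token so that it reads as the same secret with the kms_key_id argument added; the KMS key, IAM role, Lambda function, the 30-day interval, the handler name and the deployment package name are assumptions, and the rotation handler's code itself is not shown here.

```hcl
# Customer-managed key for the secret; automatic annual key rotation enabled.
resource "aws_kms_key" "secrets" {
  description         = "CMK for the Grafana service account token secret (assumed)"
  enable_key_rotation = true
}

# Same secret address as the page's stack, now encrypted with the CMK above.
resource "aws_secretsmanager_secret" "token" {
  name       = "grafana-sa-token" # assumed secret name
  kms_key_id = aws_kms_key.secrets.arn
}

# Execution role for the rotation function (assumed name).
resource "aws_iam_role" "rotate" {
  name = "grafana-sa-token-rotation"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least privilege: only the rotation actions on this one secret, and only the
# KMS operations needed to read and write versions encrypted with the CMK.
resource "aws_iam_role_policy" "rotate" {
  role = aws_iam_role.rotate.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "secretsmanager:DescribeSecret",
          "secretsmanager:GetSecretValue",
          "secretsmanager:PutSecretValue",
          "secretsmanager:UpdateSecretVersionStage",
        ]
        Resource = aws_secretsmanager_secret.token.arn
      },
      {
        Effect   = "Allow"
        Action   = ["kms:Decrypt", "kms:GenerateDataKey"]
        Resource = aws_kms_key.secrets.arn
      },
    ]
  })
}

# CloudWatch Logs permissions via the AWS managed basic execution policy.
resource "aws_iam_role_policy_attachment" "rotate_logs" {
  role       = aws_iam_role.rotate.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# The rotation function; handler module, package file and runtime are assumptions.
resource "aws_lambda_function" "rotate" {
  function_name = "grafana-sa-token-rotation"
  role          = aws_iam_role.rotate.arn
  handler       = "rotate.handler"
  runtime       = "python3.12"
  filename      = "rotate.zip"
  environment {
    variables = {
      GRAFANA_URL = "https://${aws_grafana_workspace.grafana.endpoint}"
    }
  }
}

# Secrets Manager must be allowed to invoke the function, scoped to this secret.
resource "aws_lambda_permission" "allow_secretsmanager" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.rotate.function_name
  principal     = "secretsmanager.amazonaws.com"
  source_arn    = aws_secretsmanager_secret.token.arn
}

# Rotation schedule: every 30 days (assumed interval); pick what your policy requires.
resource "aws_secretsmanager_secret_rotation" "token" {
  secret_id           = aws_secretsmanager_secret.token.id
  rotation_lambda_arn = aws_lambda_function.rotate.arn

  rotation_rules {
    automatically_after_days = 30
  }

  depends_on = [aws_lambda_permission.allow_secretsmanager]
}
```

Two checks worth doing after applying this: confirm that the secret's Encryption key shown in the Secrets Manager console is the CMK rather than the AWS managed key, and trigger a rotation once by hand (Rotate secret immediately in the console) to verify that the function can create a new token, that the AWSCURRENT version moves to it, and that a subsequent terraform apply still authenticates.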

Conclusion

In this post, we demonstrated how to migrate from API keys to Amazon Managed Grafana service account tokens using Terraform, with secure storage in AWS Secrets Manager and optional automated token rotation via AWS Lambda. This approach improves security, scalability, and auditing in your automation pipelines.

For more information, see the Amazon Managed Grafana service account documentation.


About the authors

Majdoulina Makbal

Majdoulina is a Delivery Consultant in AWS Professional Services, specialising in AI and ML solutions. With a strong background in industrial connected services, she brings extensive experience helping organisations across various industries transform their business vision into technological reality. Based in Munich, she's mastering the art of explaining transformer architectures and federated learning over a Maß at Oktoberfest.
