Migrating from API keys to service account tokens in Grafana dashboards utilizing Terraform

With the discharge of Grafana 9.4, Amazon Managed Grafana added help for service accounts, which have grow to be the really helpful authentication methodology for functions interacting with Amazon Managed Grafana, changing the earlier API key system.

Whereas API keys are created with a particular position that determines their degree of entry, service accounts supply a extra versatile and maintainable strategy. They help a number of tokens, might be enabled or disabled independently, and aren’t tied to particular person customers, permitting functions to stay authenticated even when a consumer is deleted. Permissions might be assigned on to service accounts utilizing role-based entry management, simplifying administration of long-lived entry for non-human entities like functions or scripts.

On this weblog submit, we stroll by way of the best way to migrate from API keys to service account tokens when automating Amazon Managed Grafana useful resource administration. We may even present the best way to securely retailer tokens utilizing AWS Secrets and techniques Supervisor and automate token rotation with AWS Lambda. All infrastructure is deployed utilizing Terraform, although the sample might be tailored to your infrastructure-as-code framework of alternative.

What are service accounts and tokens?

A service account is designed to authenticate automated instruments and programs with Amazon Managed Grafana and is meant for programmatic entry. A service account token is a safe credential issued to a service account and can be utilized to authenticate requests to the Amazon Managed Grafana HTTP API. A number of tokens might be related to a single service account, and tokens might be individually revoked or rotated with out affecting different companies or requiring adjustments to consumer accounts.

For a deeper understanding, see the Grafana service account documentation.

Answer overview

On this answer, we present you the best way to create a service account, reference it in your Terraform stack, after which implement rotation of the token related to it utilizing Lambda and Secrets and techniques Supervisor as proven within the following diagram:

Structure diagram illustrating the mixing between Terraform, AWS Secrets and techniques Supervisor secret retailer, and an Amazon Managed Grafana workspace, with secret rotation performance.

The next are the fundamental steps to arrange the answer.

1. Arrange Amazon Managed Grafana with service accounts.
2. Replace the key in Secrets and techniques Supervisor with the token worth.
3. Automate useful resource creation in Amazon Managed Grafana utilizing service account tokens in Terraform.
4. Create a service account and token in your Amazon Managed Grafana workspace.
5. Retailer the token securely utilizing Secrets and techniques Supervisor.
6. Use Terraform to automate Amazon Managed Grafana useful resource creation with the token.
7. Automate the rotation of the service account token.

GitHub repo for cloning the code and deploying the Terraform stack.

Conditions

Earlier than beginning this walkthrough, just remember to have the next:

Answer walkthrough

Use the next steps to arrange and configure the answer.

Provision sources utilizing the Terraform stack

The total supply code of the answer is in sample-migrate-from-apikeys-grafana and is deployed utilizing Terraform.

1. Clone the repository.

git clone https://github.com/aws-samples/sample-migrate-from-apikeys-grafana.git

2. Initialise a Terraform mission.

3. Create infrastructure for the secrets and techniques and the Amazon Managed Grafana occasion.

terraform apply —goal=aws_secretsmanager_secret.token —goal=aws_grafana_workspace.grafana

Retrieve service account token from the Amazon Managed Grafana workspace

It’s essential to have administrative privileges in your Amazon Managed Grafana workspace to carry out this step. This is applicable whether or not you’re utilizing IAM Identification Middle or an exterior id supplier for authentication.

1. To alter a consumer’s position in AWS IAM Identification Middle (console)
   1. Open the Amazon Managed Grafana console.
   2. Within the navigation pane, select Workspaces.
   3. Choose the workspace you wish to handle.
   4. On the AWS IAM Identification Middle, select the Assigned customers tab.
   5. Choose the row of the consumer that you just wish to modify.
   6. For Motion, select the next:
   7. Affirm the position change.

2. Choose the workspace URL and register utilizing your credentials, it is best to be capable of create a service account underneath the title grafana-sa (or the title of the variable outlined in /variables.tf).

3. Assign the Editor position to the service account to permit it to create dashboards and folders. Be taught extra about service account roles within the Assign roles to a service account in Grafana.
4. After the service account is created, add a service account token to it, once more the title needs to be much like the one outlined in /variables.tf.

Add the token to Secrets and techniques Supervisor and create the remainder of the sources

After you full this step, the entry token can be saved in Secrets and techniques Supervisor and can mechanically be used within the supplier definition throughout future runs of terraform apply.

1. Copy the service account token.

2. Paste it into the plaintext part of the Secrets and techniques Supervisor secret created within the earlier part

3. With the entry token saved in Secrets and techniques Supervisor, there isn’t a longer a necessity to limit the apply operation to the rotation module utilizing the --target flag. Use the next code to take away the restriction.

   supplier "grafana" {
     url  = "https://${aws_grafana_workspace.grafana.endpoint}"
     auth = module.grafana_sa_key_automation.grafana_sa_token
   }

Clear up

To keep away from incurring future costs, use the next command to delete unused Amazon Managed Grafana service accounts and Terraform-managed sources run the cli command terraform destroy.

Safety notes

To guard the safety of your group, we advocate the next finest practices:

• At all times observe least privilege ideas. Grant the minimal permissions wanted to the service account (for instance, Editor as an alternative of Admin).
• Make it possible for Amazon Easy Queue Service (Amazon SQS) queues, Secrets and techniques Supervisor secrets and techniques, and Amazon CloudWatch Logs are encrypted with a customer-managed KMS key if required by your group.
• Rotate secrets and techniques commonly to attenuate publicity.

Conclusion

On this submit, we demonstrated the best way to migrate from API keys to Amazon Managed Grafana service account tokens utilizing Terraform, with safe storage in AWS Secrets and techniques Supervisor and elective automated token rotation by way of AWS Lambda.This contemporary strategy improves safety, scalability, and auditing in your automation pipelines.

For extra data, see the Amazon Managed Grafana service account documentation.

Concerning the authors