Closed. ksawerykarwacki closed this issue 2 months ago.
I figured it out. The default secret created by the token ignores the custom domain configured on the stack, so it stores in instanceCredentials:
{"auth":"token","url":"https://slug.grafana.net"}
and it should store
{"auth":"token","url":"https://mydomain.example.com"}
Creating the proper secret manually and passing it to the ProviderConfig fixes this issue.
This should be either documented or fixed.
Additionally, there is no way to configure oauth_allow_insecure_email_lookup,
which is required when logging in using Grafana Cloud and an external IdP with the same email.
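As an added example (not the issue author's manifests and not taken from the provider's own documentation), here is the manually created Secret and the ProviderConfig that the comment above describes, with the URL the token-generated secret stores shown next to the corrected one. The Secret name, namespace, key name and the ProviderConfig apiVersion are assumptions; check them against the provider version you run. The token value is a placeholder.

```yaml
# Added example, not from the original issue. The Secret name, namespace,
# key name and ProviderConfig apiVersion are assumptions; verify them
# against your provider-grafana version.
#
# What the token-generated secret contains (wrong: the stack's custom
# domain is ignored, so the provider is pointed at the default host):
#
#   {"auth":"token","url":"https://slug.grafana.net"}
#
# What it should contain, and what the manually created Secret stores:
#
#   {"auth":"token","url":"https://mydomain.example.com"}
---
apiVersion: v1
kind: Secret
metadata:
  name: grafana-credentials          # assumed name
  namespace: crossplane-system       # assumed namespace
type: Opaque
stringData:
  credentials: |                     # assumed key name
    {"auth":"<service-account-token>","url":"https://mydomain.example.com"}
---
apiVersion: grafana.crossplane.io/v1beta1   # assumed apiVersion
kind: ProviderConfig
metadata:
  name: grafana-custom-domain
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: grafana-credentials
      key: credentials
```

Point the managed resources at this ProviderConfig through spec.providerConfigRef.name. After applying, read the secret back (for example with kubectl get secret and a jsonpath on the credentials key) and confirm the url field carries the custom domain, since that is the field the token-generated secret gets wrong.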
I'm trying to do the same config using Terraform in an RKE2 cluster:
resource "grafana_sso_settings" "azuread_sso_settings" {
  provider_name = "azuread"
  oauth2_settings {
    name                       = "Azure AD"
    auth_url                   = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
    token_url                  = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"
    client_id                  = "APPLICATION_ID"
    client_secret              = "CLIENT_SECRET"
    allow_sign_up              = true
    auto_login                 = false
    scopes                     = "openid email profile"
    allowed_organizations      = "TENANT_ID"
    role_attribute_strict      = false
    allow_assign_grafana_admin = false
    skip_org_role_sync         = false
    use_pkce                   = true
  }
}
Error:
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve.
Enter a value: yes
grafana_sso_settings.azuread_sso_settings: Creating...
╷
│ Error: failed to create the SSO settings for provider azuread: [PUT /v1/sso-settings/{key}] updateProviderSettings (status 404): {}
│
│ with grafana_sso_settings.azuread_sso_settings,
│ on grafana-ini.tf line 1, in resource "grafana_sso_settings" "azuread_sso_settings":
│ 1: resource "grafana_sso_settings" "azuread_sso_settings" {
│
╵
Same issue here as well
@kaiyuanlim
Do you have Grafana API enabled? It is mandatory!
Yup, that is how I was able to use Terraform with Grafana for other stuff.
I tried to create the SSO config in Grafana Cloud:
Using a service account I get:
Using an access policy token I get:
I tried both a global access policy with full scope for:
stack-oauth
and oauth-clients
And a stack-specific access policy with full scope for
stack-oauth
The Cloud service account was set to the Admin role.