Implementing Google OAuth in Grafana


Grafana is a powerful open-source platform for monitoring and observability, widely used for visualizing time-series data. One of the key aspects of managing a Grafana instance is ensuring secure access to its dashboards. Implementing OAuth authentication is a robust way to enhance security, and Google OAuth is a popular choice due to its widespread use and reliability. In this article, we’ll walk through the steps to integrate Google OAuth with Grafana.

Prerequisites

Before we begin, ensure you have the following:

  1. A running Grafana instance. You can install Grafana using Docker, Kubernetes, or directly on your server.
  2. Administrative access to your Google Cloud Platform (GCP) account.
  3. Basic knowledge of OAuth 2.0 and Grafana configuration.

Step 1: Set Up Google OAuth Credentials

  1. Access Google Cloud Console: Navigate to the Google Cloud Console.

  2. Create a New Project: If you don’t have an existing project, create a new one by selecting the dropdown at the top and clicking “New Project.”

  3. Enable APIs: Go to the “Library” section in the left sidebar and enable the “Google+ API” and “Google Identity Platform.”

  4. Create OAuth Credentials:

    • Navigate to “APIs & Services” > “Credentials.”
    • Click “Create Credentials” and select “OAuth client ID.”
    • Configure the consent screen by providing necessary details like application name and support email.
    • Choose “Web application” as the application type.
    • Add authorized redirect URIs. For Grafana, this is typically http://<your-grafana-domain>/login/google.
  5. Save Your Credentials: Once created, note down the Client ID and Client Secret. You will need these to configure Grafana.

Step 2: Configure Grafana for Google OAuth

  1. Edit Grafana Configuration: Open the grafana.ini file, typically located in /etc/grafana/ or /usr/share/grafana/conf/.

  2. Modify the [auth.google] Section:

    [auth.google]
    enabled = true
    client_id = YOUR_GOOGLE_CLIENT_ID
    client_secret = YOUR_GOOGLE_CLIENT_SECRET
    scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
    auth_url = https://accounts.google.com/o/oauth2/auth
    token_url = https://accounts.google.com/o/oauth2/token
    api_url = https://www.googleapis.com/oauth2/v1/userinfo
    allowed_domains = yourdomain.com
    

    Replace YOUR_GOOGLE_CLIENT_ID and YOUR_GOOGLE_CLIENT_SECRET with the values obtained from the Google Cloud Console. Set allowed_domains to restrict access to users from specific domains.

  3. Restart Grafana: After saving the changes, restart the Grafana service to apply the new configuration:

    sudo systemctl restart grafana-server
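A check to run on the edited file before restarting, as an added example that is not part of the original article or of Grafana. It parses the ini text and reports placeholder credentials, an empty allowed_domains, endpoint URLs that are not HTTPS Google hosts, and scopes beyond the ones the article requests. The function name, the sample config and the policy constants are assumptions made for this illustration.

```python
import configparser
from urllib.parse import urlparse

GOOGLE_HOSTS = ("google.com", "googleapis.com")
MINIMAL_SCOPES = {"openid", "email", "profile",  # short names plus the page's two URLs
                  "https://www.googleapis.com/auth/userinfo.profile",
                  "https://www.googleapis.com/auth/userinfo.email"}
# Constructed sample: placeholder client_id, no domain restriction, HTTP token_url.
SAMPLE = """\
app_mode = production
[auth.google]
enabled = true
client_id = YOUR_GOOGLE_CLIENT_ID
client_secret = constructed-secret
scopes = https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/drive
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = http://accounts.google.com/o/oauth2/token
allowed_domains =
"""

def audit_google_auth(ini_text):
    """Return a list of findings for the [auth.google] section of a grafana.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Keys may precede the first section header; park them in a dummy section.
    cp.read_string("[__top__]\n" + ini_text)
    if not (cp.has_section("auth.google")
            and cp["auth.google"].getboolean("enabled", fallback=False)):
        return ["auth.google: section missing or not enabled"]
    sec, findings = cp["auth.google"], []
    for key in ("client_id", "client_secret"):
        if sec.get(key, "").strip() in ("", f"YOUR_GOOGLE_{key.upper()}"):
            findings.append(f"{key}: empty or placeholder")
    if not sec.get("allowed_domains", "").split():
        findings.append("allowed_domains: empty, sign-in not restricted by domain")
    for key in ("auth_url", "token_url", "api_url"):
        if key not in sec:
            continue  # omitted keys are left to Grafana's defaults
        url = urlparse(sec[key].strip())
        host = (url.hostname or "").lower()
        if url.scheme != "https" or not any(
                host == h or host.endswith("." + h) for h in GOOGLE_HOSTS):
            findings.append(f"{key}: not an HTTPS Google endpoint")
    extra = set(sec.get("scopes", "").split()) - MINIMAL_SCOPES
    if extra:
        findings.append("scopes: beyond profile/email: " + " ".join(sorted(extra)))
    return findings

if __name__ == "__main__":
    print("\n".join(audit_google_auth(SAMPLE)))
```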
    

Step 3: Test the Integration

  1. Access Grafana: Open your Grafana instance in a web browser.

  2. Login with Google: Click on the “Sign in with Google” button. You should be redirected to the Google login page.

  3. Authorize Access: Log in with your Google account and authorize the application to access your profile information.

  4. Verify Access: Upon successful authentication, you should be redirected back to Grafana and logged in.

Conclusion

Integrating Google OAuth with Grafana enhances security by leveraging Google’s robust authentication mechanisms. This setup not only simplifies user management but also provides a seamless login experience for users within your organization. Keep your OAuth credentials secure and review access permissions regularly.

By following these steps, you can efficiently manage access to your Grafana dashboards, ensuring that only authorized users can view and interact with your data.

Implementing OAuth is a crucial step in securing your monitoring infrastructure, and with Grafana’s support for various authentication providers, you can choose the one that best fits your organizational needs.