Using AWS KMS to encrypt database secrets

    Prerequisites:

    • An AWS account with permission to view and create KMS keys and programmatic credentials to access those keys
    • Access to the Grafana configuration file

    1. Create a symmetric API key either from the AWS Management Console or by using the AWS KMS API.

      For detailed instructions, refer to .

    2. Retrieve the Key ID.

      In AWS terms, this can be a key ID, a key ARN (Amazon Resource Name), an alias name, or an alias ARN. For more information about how to retrieve a key ID from AWS, refer to Finding the key ID and key ARN.

    3. Create a (access key ID and secret access key), which has permission to view the key that you created.

      In AWS, you can control access to your KMS keys by using key policies, , and grants. You can also create , which must provide a session token along with an access key ID and a secret access key.

    5. Update the [security] section of the configuration file with the new Encryption Provider key that you created:

      1. [security]
      2. secret_key = AaaaAaaa
      3. # encryption provider key in the format <PROVIDER>.<KEY_NAME>
      4. encryption_provider = awskms.example-encryption-key
      5. # list of configured key providers, space separated
      6. available_encryption_providers = awskms.example-encryption-key

      > Note: The encryption key that is stored in the field is still used by Grafana’s legacy alerting system to encrypt secrets, for decrypting existing secrets, or it is used as the default provider when external providers are not configured. Do not change or remove that value when adding a new KMS provider.

    6. Restart Grafana.