AWS authentication

    All requests to AWS APIs are performed on the server side by the Grafana backend using the official AWS SDK.

    You can use one of the following authentication methods. Currently, , Credentials file and Access and secret key are enabled by default in open source Grafana. You can enable or disable them if you have server configuration access. For more information, refer to the allowed_auth_providers documentation.

    • Access and secret key corresponds to the and uses the given access key ID and secret key to authenticate. This method doesn’t have any fallbacks, and will fail if the provided key pair doesn’t work.

    • Workspace IAM role corresponds to the EC2RoleProvider. The EC2RoleProvider pulls credentials for a role attached to the EC2 instance that Grafana runs on. You can also achieve this by using the authentication method AWS SDK Default, but the Workspace IAM role option differs in that it doesn’t have any fallbacks. This option is currently only enabled by default in Amazon Managed Grafana.

    The Assume Role ARN field allows you to specify which IAM role to assume. When left blank, the provided credentials are used directly and the associated role or user should have the required permissions. If this field is non-blank, on the other hand, the provided credentials are used to perform an sts:AssumeRole call.

    You can disable this feature in the Grafana configuration. For more information, refer to documentation.
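The following added example (not part of the Grafana documentation or code base) audits the `[aws]` section of a `grafana.ini` against the set of authentication methods you have approved, so that a provider with fallbacks or the Assume Role feature is not left enabled by default unnoticed. The provider tokens, the `assume_role_enabled` key and the default values are assumptions taken from Grafana's configuration reference, and the sample configurations are constructed.

```python
import configparser

# Provider tokens and the open source defaults are assumptions taken from
# Grafana's configuration reference; this page names only allowed_auth_providers.
PROVIDERS = {
    "default": "AWS SDK Default (has fallbacks)",
    "keys": "Access and secret key (no fallback)",
    "credentials": "Credentials file",
    "ec2_iam_role": "Workspace IAM role / EC2RoleProvider (no fallback)",
}
DEFAULT_ALLOWED = "default,keys,credentials"

def audit_aws_auth(ini_text, approved, allow_assume_role=False):
    """Return (enabled providers, assume-role enabled?, findings)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini can hold keys before the first section header, which
    # configparser rejects, so park them under a dummy section.
    parser.read_string("[__top__]\n" + ini_text)
    aws = parser["aws"] if parser.has_section("aws") else {}
    raw = aws.get("allowed_auth_providers", DEFAULT_ALLOWED)
    enabled = [p.strip() for p in raw.split(",") if p.strip()]
    # Conservative: count assume role as enabled unless explicitly switched off.
    flag = aws.get("assume_role_enabled", "true").strip().lower()
    assume_role = flag not in {"false", "f", "0"}
    findings = []
    for name in enabled:
        if name not in PROVIDERS:
            findings.append(f"unknown provider token: {name}")
        elif name not in approved:
            findings.append(f"enabled but not approved: {name} ({PROVIDERS[name]})")
    if assume_role and not allow_assume_role:
        findings.append("assume role is enabled but not approved")
    return enabled, assume_role, findings

# Constructed samples: a config that relies on defaults, and a restricted one.
SAMPLE_DEFAULTS = "app_mode = production\n\n[aws]\n;allowed_auth_providers = default,keys,credentials\n"
SAMPLE_RESTRICTED = "[aws]\nallowed_auth_providers = ec2_iam_role\nassume_role_enabled = false\n"

if __name__ == "__main__":
    for label, text in (("defaults", SAMPLE_DEFAULTS), ("restricted", SAMPLE_RESTRICTED)):
        enabled, assume_role, findings = audit_aws_auth(text, approved={"ec2_iam_role"})
        print(label, enabled, "assume_role =", assume_role)
        for finding in findings:
            print("  -", finding)
```
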

    The Endpoint field allows you to specify a custom endpoint URL that overrides the default generated endpoint for the AWS service API. Leave this field blank if you want to use the default generated endpoint. For more information on why and how to use Service endpoints, refer to the AWS service endpoints documentation.

    Create a file at . That is the HOME path for the user running grafana-server.

    Example content:

    securityContext:
      fsGroup: 472