May 27, 2021. 5 min

Connecting Grafana with AWS Cognito

Introduction

Grafana is popular open-source software that lets you visualize your data. AWS Cognito (see video) handles user management, authentication and authorization.

Problem

You are setting up Grafana in AWS for your organization. You want to avoid the hassle of adding and managing users in Grafana.

Goal

You want to use Cognito to log in to Grafana. By default there are 3 roles available in Grafana: Admin, Editor and Viewer. You want to map the Cognito user groups to the corresponding roles in Grafana.

Prerequisites / Assumptions

In this blog, I am assuming you know how to do the following:

  • Provision a Grafana instance in AWS
  • Provision a Cognito user pool in AWS

Configuration

Grafana

To configure Grafana, first edit grafana.ini and enable the [auth.generic_oauth] section there. To map Grafana roles, edit line number 10. Grafana uses JMESPath to map roles from the response it gets from Cognito after a successful login.


1. [auth.generic_oauth]
2. enabled = true
3. name = OAuth
4. allow_sign_up = true
5. client_id =
6. scopes =
7. auth_url =
8. token_url =
9. api_url =
10. role_attribute_path = "cognito:roles" | contains([*], 'arn:aws:iam:::role/') && 'Admin' || 'Editor'
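As an added example (not part of the original post, and not Grafana's own code), the Python below restates the line-10 mapping so you can check which Grafana role a given Cognito ID token payload would receive before rolling the setting out. The ARNs, usernames and tokens are constructed placeholders, and the Viewer-fallback variant is a hypothetical alternative to the Editor default on line 10.

```python
import base64
import json

# Constructed placeholder ARNs; the page elides the real account ID and role name.
ADMIN_ROLE_ARN = "arn:aws:iam::111122223333:role/example-grafana-admin"
OTHER_ROLE_ARN = "arn:aws:iam::111122223333:role/example-other"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT-shaped string (dummy signature) for offline use."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed"

def decode_claims(id_token: str) -> dict:
    """Decode the payload segment for inspection; the signature is NOT verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def role_as_on_page(claims: dict):
    # Restates line 10: Admin if the ARN is in "cognito:roles", otherwise Editor.
    roles = claims.get("cognito:roles")
    if roles is None:
        return None  # claim absent: modeled here as "no role resolved" (assumption)
    return "Admin" if ADMIN_ROLE_ARN in roles else "Editor"

def role_viewer_fallback(claims: dict):
    # Hypothetical least-privilege variant: ... && 'Admin' || 'Viewer'
    roles = claims.get("cognito:roles") or []
    return "Admin" if ADMIN_ROLE_ARN in roles else "Viewer"

def report(id_token: str) -> dict:
    claims = decode_claims(id_token)
    return {"user": claims.get("cognito:username"),
            "page_expression": role_as_on_page(claims),
            "viewer_fallback": role_viewer_fallback(claims)}

if __name__ == "__main__":
    samples = ({"cognito:username": "alice", "cognito:roles": [ADMIN_ROLE_ARN]},
               {"cognito:username": "bob", "cognito:roles": [OTHER_ROLE_ARN]})
    for claims in samples:
        print(report(make_sample_token(claims)))
```

With the expression as written on line 10, every user whose token carries a cognito:roles claim without the admin ARN is mapped to Editor, which matters when allow_sign_up is true.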

Cognito

For Cognito, you have to configure the App client as shown below.

Important Things to Note

  • Make sure the Grafana instance is hosted on an HTTPS domain
  • The callback URL domain in Cognito must match the Grafana domain
  • Make sure the OAuth scopes are enabled as above
  • The ID of the App client shown in the picture should be entered in grafana.ini as client_id in the [auth.generic_oauth] section (see above)

Vishal Saugat

Vishal works as a Principal Engineer at CloudAEye. He graduated from IIT Bombay and held engineering leadership roles at PeopleGrove. Vishal has a keen interest in applied sciences and mathematics. Vishal likes traveling and seeing the culture / cuisines / history of places. He has traveled to over 15 countries so far.