Integrating Grafana with GCP SSO Using Helm Values
This guide shows how to configure Grafana for Single Sign-On (SSO) with Google Cloud Platform (GCP) OAuth, using only Helm chart values. With SSO in place, users sign in to Grafana with their GCP (Google Workspace) credentials, which streamlines authentication and centralizes access control.
Helm Charts:
Prometheus and Grafana stack: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
Prerequisites
- Kubernetes 1.19+
- Helm 3+
Add the Helm repository and refresh the chart index:
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
Create Google OAuth keys
First, you need to create a Google OAuth Client:
1. Go to https://console.developers.google.com/apis/credentials.
2. Click Create Credentials, then click OAuth Client ID in the drop-down menu.
3. Enter the following:
   - Application Type: Web Application
   - Name: Grafana
   - Authorized JavaScript Origins: https://grafana.mycompany.com
   - Authorized Redirect URLs: https://grafana.mycompany.com/login/google
   Replace https://grafana.mycompany.com with the URL of your Grafana instance.
4. Click Create.
5. Copy the Client ID and Client Secret from the 'OAuth Client' modal.
Customize Helm Values:
Update your Helm values.yaml file with the following changes:
grafana:
  enabled: true
  grafana.ini:
    users:
      viewers_can_edit: "True"
    server:
      root_url: https://grafana.yourdomain.com/
    auth.google:
      enabled: true
      allow_sign_up: true
      auto_login: false
      # Replace with the Client ID and Client Secret copied from the Google console
      client_id: CLIENT-ID
      client_secret: CLIENT-SECRET
      scopes: openid email profile
      auth_url: https://accounts.google.com/o/oauth2/v2/auth
      token_url: https://oauth2.googleapis.com/token
      api_url: https://openidconnect.googleapis.com/v1/userinfo
      # Restrict sign-in to accounts from your own domain
      allowed_domains: yourdomain.com
      hosted_domain: yourdomain.com
      use_pkce: true
Deploy Prometheus and Grafana with Helm:
- Run the following Helm command to deploy Grafana with the customized values:
helm install [RELEASE_NAME] prometheus-community/kube-prometheus-stack -f values.yaml
- Replace [RELEASE_NAME] with your desired release name.
- Ensure the values.yaml file is in the same directory from which you're executing the Helm command.
- Port-forward to the Grafana service to verify that SSO is enabled:
kubectl port-forward svc/grafana 3000:3000
- Try logging in with your domain email ID.
Note: by default, users who sign in through SSO receive only the Viewer role. To grant Admin or Editor access, configure role mapping in the auth.google section (in the values.yaml above these become the keys role_attribute_path and skip_org_role_sync under auth.google):
role_attribute_path = email=='admin@company.com' && 'Admin' || 'Viewer'
skip_org_role_sync = false
In the above example, the user with email admin@company.com is granted the Admin role. All other users are granted the Viewer role.
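The values map above is rendered by the chart into a grafana.ini inside Grafana's ConfigMap, and the settings that matter most for security (the domain restriction, PKCE, the https root_url, and whether a role mapping exists) are easy to get subtly wrong. The following script is an added example, not code from Grafana or the kube-prometheus-stack chart: it parses a rendered [auth.google] section with Python's standard configparser and reports the misconfigurations this tutorial warns about. Both INI texts are constructed samples; the client_id value and the /etc/secrets path are assumptions, and the $__file{} form is Grafana's own config-variable expansion for reading a secret from a mounted file instead of writing it into values.yaml.

```python
"""Audit the [auth.google] section of a rendered grafana.ini.

Added example for this tutorial, not code from Grafana or the
kube-prometheus-stack chart. The inputs below are constructed samples.
"""
import configparser

# Constructed: what the chart renders from the hardened values above,
# with the secret read from a mounted file via Grafana's $__file{} expansion.
# The client_id value and the secret path are assumptions.
SECURE_INI = """\
[server]
root_url = https://grafana.yourdomain.com/

[auth.google]
enabled = true
allow_sign_up = true
auto_login = false
client_id = 1234567890-example.apps.googleusercontent.com
client_secret = $__file{/etc/secrets/google-client-secret}
scopes = openid email profile
allowed_domains = yourdomain.com
hosted_domain = yourdomain.com
use_pkce = true
role_attribute_path = email=='admin@company.com' && 'Admin' || 'Viewer'
skip_org_role_sync = false
"""

# Constructed: the same section with mistakes that are easy to make.
WEAK_INI = """\
[server]
root_url = http://grafana.yourdomain.com/

[auth.google]
enabled = true
allow_sign_up = true
client_id = CLIENT-ID
client_secret = CLIENT-SECRET
scopes = openid email profile
hosted_domain = yourdomain.com.
use_pkce = false
"""

PLACEHOLDERS = {"", "CLIENT-ID", "CLIENT-SECRET"}


def _is_true(section, key, default="false"):
    return section.get(key, default).strip().lower() == "true"


def audit(ini_text):
    """Return a list of findings; an empty list means the section passes."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $__file{} literal
    cp.read_string(ini_text)
    findings = []

    if not cp.has_section("auth.google"):
        return ["no [auth.google] section: Google SSO is not configured"]
    g = cp["auth.google"]

    if not _is_true(g, "enabled"):
        findings.append("auth.google.enabled is not true")

    # allowed_domains is space-separated; without any domain restriction,
    # allow_sign_up provisions an account for any Google user.
    domains = (g.get("allowed_domains", "") + " " + g.get("hosted_domain", "")).split()
    if _is_true(g, "allow_sign_up", "true") and not domains:
        findings.append("allow_sign_up without allowed_domains/hosted_domain: "
                        "any Google account can sign in")
    for d in domains:
        if d.endswith("."):
            findings.append(f"domain {d!r} has a trailing dot and will never "
                            "equal the account's domain")

    for key in ("client_id", "client_secret"):
        if g.get(key, "").strip() in PLACEHOLDERS:
            findings.append(f"{key} is empty or still the placeholder from the tutorial")

    if not _is_true(g, "use_pkce"):
        findings.append("use_pkce is not true")

    if cp.has_section("server"):
        if not cp["server"].get("root_url", "").startswith("https://"):
            findings.append("server.root_url is not https; the OAuth redirect must "
                            "match the https origin registered in Google")

    if not g.get("role_attribute_path", "").strip():
        findings.append("info: no role_attribute_path; every SSO user receives "
                        "the default role (Viewer)")
    return findings


if __name__ == "__main__":
    for name, text in (("secure", SECURE_INI), ("weak", WEAK_INI)):
        print(name, audit(text) or "OK")
```

Run it against the grafana.ini that `helm template` renders for your release (or the live ConfigMap) before deploying; the hardened sample produces no findings, while the weak sample reports the trailing-dot domain, placeholder credentials, disabled PKCE, the http root_url and the missing role mapping.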