Configure auth.generic_oauth with AWS cognito

I’m trying to configure auth.generic_oauth with AWS Cognito for Grafana 10.0.1 on Ubuntu 22.04 on AWS.

I added the code in /etc/grafana/grafana.ini to allow cognito login

[server]
protocol = http
domain = ec2-00-00-000-00.eu-west-1.compute.amazonaws.com
root_url = http://ec2-00-00-000-00.eu-west-1.compute.amazonaws.com:3000

[database]
type = mysql
host = mariadb_instance_address:3306
name = grafana
user = grafana
password = ****

[auth]
login_maximum_inactive_lifetime_duration = 12h
login_maximum_lifetime_duration = 24h
disable_login_form = true

[auth.generic_oauth]
enabled = true
allow_sign_up = true
auto_login = false
client_id = xxxxxxxxxxxxxxxxxxxxxxx
client_secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
user_pool_id = eu-west-1_xxxxx
region = eu-west-1
allow_sign_up = false
allowed_groups = "arn:aws:cognito:eu-west-1:0000000000:userpool/eu-west-1_xxxxxx:group/grafana-read", "arn:aws:cognito:eu-west-1:0000000000:userpool/eu-west-1_xxxxxx:group/grafana-admin"
role_attribute_path = contains(info.roles[*], 'grafana-admin') && 'Admin' || contains(info.roles[*], 'grafana-read') && 'Editor' || 'Viewer'

But when I try to log in, the page keeps redirecting to the login page.

No errors in the log files.
I used the guide below:

You are using config options which I don’t see in the doc, e.g. user_pool_id, and you are not using options which are in the doc, e.g. auth_url, token_url, … Why?

Search the forum for cognito: Search results for 'cognito' - Grafana Labs Community Forums

BTW: you are not using https, which is a huge security risk in this case.

Thanks for the reply.
The problem is that I’m using an ALB with a certificate generated by AWS, and I can’t set it on the EC2 instances, only on the ALB.

I have two Grafana nodes behind the ALB.
How can I configure the [server] section for each node?

[server]
protocol = http
domain = ec2-00-000-000-000.eu-west-1.compute.amazonaws.com
root_url = http://ec2-00-000-000-000.eu-west-1.compute.amazonaws.com/generic_oauth
serve_from_sub_path = true

Thanks for the help.

I solved it by configuring my grafana.ini as below:

[server]
protocol = http
http_port = 3000
domain = alb_fqdn
root_url = https://alb_fqdn/
router_logging = true

[auth]
login_cookie_name = grafana_session
login_maximum_inactive_lifetime_duration = 12h
login_maximum_lifetime_duration = 24h
disable_login_form = true
disable_signout_menu = false
signout_redirect_url = https://cognito_domain/logout?client_id=cognito_client_id&logout_uri=https://alb_fqdn/login
oauth_auto_login = false

[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
auto_login = false
client_id = cognito_client_id
client_secret = cognito_client_secret
scopes = email aws.cognito.signin.user.admin openid profile
auth_url = https://cognito_domain/oauth2/authorize
token_url = https://cognito_domain/oauth2/token
api_url = https://cognito_domain/oauth2/userInfo
role_attribute_path = contains(info.roles[*], 'grafana-admin') && 'Admin' || contains(info.roles[*], 'grafana-read') && 'Editor' || 'Viewer'

On AWS Cognito I set:

Allowed callback URLs: https://alb_fqdn/login/generic_oauth
Allowed sign-out URLs: https://alb_fqdn/login

Now I can login successfully.
I only have a problem with role mapping.

I created a Cognito group named grafana-admin of which I’m a member, but when I connect to Grafana I receive the error:

logger=oauth.generic_oauth t=2023-07-07T12:50:43.858454876Z level=warn msg="No valid role found. Skipping role sync. In Grafana 10, this will result in the user being assigned the default role and overriding manual assignment. If role sync is not desired, set skip_org_role_sync for your provider to true"

I solved it by updating as below:

role_attribute_path = ("cognito:groups" | contains([*], 'grafana-admin') && 'Admin' || 'Viewer')

But now all Cognito users have access as Viewer in Grafana. Is there a way to allow only the users in specific groups?

Ok fixed:

role_attribute_path = ("cognito:groups" | contains([*], 'grafana-admin') && 'Admin' || contains([*], 'grafana-viewer') && 'Viewer')
role_attribute_strict = true

Note:
grafana-admin and grafana-viewer are the names of the groups created on AWS Cognito.
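As an added illustration (not code from this thread or from Grafana), the Python model below shows why the three role_attribute_path expressions in the thread behave as described: the first one fails because Cognito sends no info.roles claim (per the JMESPath spec, contains() on null is a type error rather than false, so the || 'Viewer' fallback never runs), the second admits every Cognito user as Viewer, and the final one combined with role_attribute_strict = true admits only members of the two groups. The sample claims, the group names and the assumed default org role (Viewer) are constructed assumptions.

```python
def contains_chain(subject, chain, fallback=None):
    """Model of  contains(subject, g1) && 'R1' || contains(subject, g2) && 'R2'
    || fallback.  Per the JMESPath spec, contains() on null (an absent claim)
    is a type error, not false, so the whole expression errors and the
    || fallback branch never runs."""
    if not isinstance(subject, list):
        raise TypeError("contains(): subject must be an array or string, got null")
    for group, role in chain:
        if group in subject:
            return role
    return fallback


def expr_info_roles(claims):
    """First expression in the thread: contains(info.roles[*], ...). Cognito never
    sends an 'info' claim, so this always errors -> 'No valid role found' warning."""
    roles = (claims.get("info") or {}).get("roles")
    return contains_chain(roles, (("grafana-admin", "Admin"), ("grafana-read", "Editor")), "Viewer")


def expr_groups_viewer_fallback(claims):
    """Intermediate fix: "cognito:groups" | contains([*], 'grafana-admin') && 'Admin' || 'Viewer'."""
    return contains_chain(claims.get("cognito:groups"), (("grafana-admin", "Admin"),), "Viewer")


def expr_groups_final(claims):
    """Final expression: admin group -> Admin, viewer group -> Viewer, else nothing."""
    return contains_chain(claims.get("cognito:groups"),
                          (("grafana-admin", "Admin"), ("grafana-viewer", "Viewer")))


def login_decision(claims, expr, strict):
    """Apply role_attribute_strict: strict denies login when no valid role comes
    back (error or null); otherwise the default org role is assigned with a
    warning (assumed here to be Viewer, Grafana's default auto_assign_org_role)."""
    try:
        role = expr(claims)
    except TypeError:
        role = None
    if role in ("Admin", "Editor", "Viewer"):
        return ("allow", role)
    return ("deny", None) if strict else ("allow", "Viewer")


# Constructed sample ID-token claims (Cognito omits cognito:groups for users in no group).
ADMIN = {"sub": "u1", "email": "admin@example.com", "cognito:groups": ["grafana-admin"]}
OTHER = {"sub": "u2", "email": "other@example.com", "cognito:groups": ["finance"]}
NO_GROUP = {"sub": "u3", "email": "nobody@example.com"}
```

Run login_decision(OTHER, expr_groups_final, strict=True) to see the "only these groups" behaviour: a user outside both groups is denied, while the same user under the intermediate expression is let in as Viewer.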