Date: 2024-01-01
Version: 18.x

Using JWT Authentication with Grafana

This guide will help you configure Grafana JWT authentication with Teleport.

Teleport issues short-lived JWTs and injects them into each proxied request to Grafana. Grafana is configured to trust Teleport’s JWT signer, allowing it to verify the user’s identity and retrieve role information from the Teleport-signed token.

A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients.

Installing tctl and tsh clients

Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

    TELEPORT_DOMAIN=teleport.example.com:443
    TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"

Follow the instructions for your platform to install the tctl and tsh clients:

Mac

Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

    curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg

In Finder, double-click the pkg file to begin installation.

Danger: Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

Windows - PowerShell

    curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip

Linux

All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.

    curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
    tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
    cd teleport
    sudo ./install



To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example, run the following commands, replacing teleport.example.com with the domain name of the Teleport Proxy Service in your cluster and [email protected] with your Teleport username:

    tsh login --proxy=teleport.example.com --user=[email protected]
    tctl status

If you can run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Access to the main configuration file of your Grafana instance.

Add an auth.jwt section in Grafana’s main configuration file. Replace teleport.example.com with the domain name of your Teleport cluster:

    [auth.jwt]
    enabled = true
    header_name = Authorization
    jwk_set_url = https://teleport.example.com/.well-known/jwks.json
    username_claim = sub
    role_attribute_path = contains(roles[*], 'editor') && 'Editor' || 'Viewer'
    auto_sign_up = true

With these settings Grafana reads the bearer token from the Authorization header, verifies its signature against the public keys your Teleport cluster publishes at jwk_set_url, takes the Grafana username from the sub claim, and maps users whose Teleport roles include editor to Grafana's Editor role and everyone else to Viewer. Because auto_sign_up creates a Grafana account on first login, make sure Grafana can reach jwk_set_url and that Grafana itself is only reachable through Teleport: any request carrying a JWT signed by your cluster will be accepted as the user it names.

Restart your Grafana instance after updating the config.

You can register the Grafana application in Teleport by defining it in your Teleport Application Service configuration, or by using dynamic registration with tctl or Terraform. In each of the examples below, replace http://grafana.example.com:3000 with the address of your Grafana instance:

Static configuration

Add an application entry in your Teleport Application Service configuration file, teleport.yaml:

    app_service:
      enabled: true
      apps:
      - name: "grafana"
        uri: http://grafana.example.com:3000
        rewrite:
          headers:
          - "Authorization: Bearer {{internal.jwt}}"

Restart the Teleport Application Service.

tctl

Create an app resource definition file named app-grafana.yaml:

    kind: app
    version: v3
    metadata:
      name: grafana
    spec:
      uri: http://grafana.example.com:3000
      rewrite:
        headers:
        - name: "Authorization"
          value: "Bearer {{internal.jwt}}"

Create the app resource with:

    tctl create -f app-grafana.yaml

Terraform

Create a teleport_app resource in Terraform:

    resource "teleport_app" "grafana" {
      version = "v3"
      metadata = {
        name = "grafana"
        labels = {
          "teleport.dev/origin" = "dynamic"
        }
      }
      spec = {
        uri = "http://grafana.example.com:3000"
        rewrite = {
          headers = [{
            name  = "Authorization"
            value = "Bearer {{internal.jwt}}"
          }]
        }
      }
    }

Apply the configuration:

    terraform apply

The header rewrite configuration above will replace the {{internal.jwt}} template variable with a Teleport-signed JWT token in each request.
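The two halves of this flow, the signer that mints the token Teleport injects and the verifier that Grafana runs against jwk_set_url, are easier to reason about side by side. The following Go program is an added example written for this page; it is not Teleport's or Grafana's code. It generates a throwaway RSA key pair in place of the cluster's JWT key (Teleport never exports the real one), publishes the public half as a JWKS document, issues an RS256 token carrying the sub and roles claims that the Grafana config above depends on, and then verifies that token the way auth.jwt does: signature first, expiry second, claims only after both pass, followed by the role_attribute_path mapping. The verifier tries every RSA key in the set rather than matching a kid, and the claim names, key size and expiry are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// claims holds the claims this page relies on: sub (username_claim) and roles (role_attribute_path).
type claims struct {
	Sub   string   `json:"sub"`
	Roles []string `json:"roles"`
	Exp   int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding

// signJWT issues an RS256 token. It is a stand-in for Teleport's signer, which is not shown here.
func signJWT(key *rsa.PrivateKey, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// publicJWKS renders the public key as the JSON document Grafana fetches from jwk_set_url.
func publicJWKS(key *rsa.PrivateKey) []byte {
	n, e := b64.EncodeToString(key.PublicKey.N.Bytes()), b64.EncodeToString(big.NewInt(int64(key.PublicKey.E)).Bytes())
	doc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "n": n, "e": e}}})
	return doc
}

// verifyJWT mirrors what Grafana's auth.jwt does with the bearer token: check the RS256 signature over
// header.payload against the JWKS keys, reject expired tokens, and only then trust the claims.
func verifyJWT(token string, jwksDoc []byte, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or disallowed alg") // alg is attacker-controlled: allow-list it
	}
	var set struct{ Keys []struct{ Kty, N, E string } }
	sig, err := b64.DecodeString(parts[2])
	if err != nil || json.Unmarshal(jwksDoc, &set) != nil {
		return nil, errors.New("bad signature encoding or JWKS")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	verified := false
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil || len(n) == 0 {
			continue // skip keys this verifier cannot use instead of feeding garbage to rsa.Verify
		}
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			verified = true
			break
		}
	}
	if !verified {
		return nil, errors.New("signature does not verify against any JWKS key")
	}
	body, err := b64.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(body, &c) != nil || c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("bad claims or token expired")
	}
	return &c, nil
}

// grafanaRole applies role_attribute_path = contains(roles[*], 'editor') && 'Editor' || 'Viewer'.
func grafanaRole(c *claims) string {
	for _, r := range c.Roles {
		if r == "editor" {
			return "Editor"
		}
	}
	return "Viewer"
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair standing in for the cluster's JWT key
	tok, _ := signJWT(key, claims{Sub: "alice", Roles: []string{"access", "editor"}, Exp: time.Now().Add(5 * time.Minute).Unix()})
	c, err := verifyJWT(tok, publicJWKS(key), time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(c.Sub, "->", grafanaRole(c))
}
```

The order of checks is the point: the payload is never parsed before the signature has verified against a key from the JWKS, the alg in the header is compared against an allow-list rather than used to choose a verification method, and a token whose exp has passed is rejected even though its signature is valid. The same program also shows why the Grafana config must only accept traffic through Teleport: nothing in the verifier ties the token to a particular request, so possession of any valid cluster-signed token is enough to be logged in as the user in sub.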

Log in to your Teleport cluster in your browser at https://teleport.example.com.

In the Resources tab, locate the grafana application and click Launch.

Grafana will open and you should be automatically logged in as your Teleport user. You can verify this by clicking your profile icon in the upper-right corner.