How to use service accounts in Azure Managed Grafana
In this guide, learn how to use service accounts. Service accounts are used to run automated operations and authenticate applications in Grafana with the Grafana API.
Common use cases include:
Provisioning or configuring dashboards
Scheduling reports
Defining alerts
Setting up an external SAML authentication provider
Interacting with Grafana without signing in as a user
If your existing Grafana workspace doesn't have service accounts enabled, you can enable them by updating the preference settings of your Grafana instance.
In the Azure portal, under Settings, select Configuration, and then under API keys and service accounts, select Enable.
Select Save to confirm that you want to enable API keys and service accounts in Azure Managed Grafana.
Azure Managed Grafana CLI extension 0.3.0 or above is required. To update your extension, run az extension update --name amg.
Run the az grafana update command to enable the creation of API keys and service accounts in an existing Azure Managed Grafana instance. In the command below, replace <azure-managed-grafana-name> with the name of the Azure Managed Grafana instance to update.
az grafana update --name <azure-managed-grafana-name> --service-account Enabled
Create a service account
Follow the steps below to create a new Grafana service account and list existing service accounts:
Go to your Grafana instance endpoint, and under Configuration, select Service accounts.
Select Add service account, enter a Display name and a Role (Viewer, Editor or Admin) for your new Grafana service account, and then select Create.
The page displays the notification Service account successfully created and some information about your new service account.
Select the back arrow sign to view a list of all the service accounts of your Grafana instance.
Run the az grafana service-account create command to create a service account. Replace the placeholders <azure-managed-grafana-name>, <service-account-name> and <role> with your own information.
Available roles: Admin, Editor, Viewer.
az grafana service-account create --name <azure-managed-grafana-name> --service-account <service-account-name> --role <role>
List service accounts
Run the az grafana service-account list command to get a list of all service accounts that belong to a given Azure Managed Grafana instance. Replace <azure-managed-grafana-name> with the name of your Azure Managed Grafana workspace.
az grafana service-account list --name <azure-managed-grafana-name> --output table
Run the az grafana service-account show command to get the details of a service account. Replace <azure-managed-grafana-name> and <service-account-name> with your own information.
az grafana service-account show --name <azure-managed-grafana-name> --service-account <service-account-name>
Add a service account token and review tokens
Once you've created a service account, add one or more access tokens. Access tokens are generated strings used to authenticate to the Grafana API.
To create a service account token, select Add token.
Use the automatically generated Display name or enter a name of your choice, and optionally select an Expiration date or keep the default option to set no expiry date.
Select Generate token, and take note of the token generated. This token will only be shown once, so make sure you save it, as losing a token requires creating a new one.
Select the service account to access information about your service account, including a list of all associated tokens.
Create a new token
Create a Grafana service account token with az grafana service-account token create. Replace the placeholders <azure-managed-grafana-name>, <service-account-name> and <token-name> with your own information.
Optionally set an expiry time:
--time-to-live: Tokens have an unlimited expiry date by default. Set an expiry time to disable the token after a given time. Use s for seconds, m for minutes, h for hours, d for days, w for weeks, M for months or y for years.
Take note of the generated token. This token will only be shown once, so make sure you save it, as losing a token requires creating a new one.
List service account tokens
Run the az grafana service-account token list command to get a list of all tokens that belong to a given service account. Replace the placeholders <azure-managed-grafana-name> and <service-account-name> with your own information.
az grafana service-account token list --name <azure-managed-grafana-name> --service-account <service-account-name> --output table
Example of output:
Created               Expiration            HasExpired    Name    SecondsUntilExpiration
--------------------  --------------------  ------------  ------  ------------------------
2022-12-07T11:40:45Z  2022-12-08T11:40:45Z  False         token1  85890.870731556
2022-12-07T11:42:35Z  2022-12-22T11:42:35Z  False         token2  0
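Because tokens never expire unless --time-to-live is set, it is worth auditing this listing regularly. The following is an added example, not part of the original article: a shell function that reads the table output of az grafana service-account token list and flags tokens with no expiry, tokens granted a lifetime longer than a policy limit, and expired tokens that are still listed. The 7-day limit, the token3 and token4 rows, and the assumption that a token without expiry prints an empty Expiration cell are illustrative.

```shell
#!/bin/sh
# Added example: audit the table printed by
#   az grafana service-account token list ... --output table
# Assumes token names contain no spaces and that a token created without
# --time-to-live is printed with an empty Expiration cell (4 fields, not 5).

audit_tokens() {  # usage: audit_tokens MAX_DAYS < table
  awk -v max_days="$1" '
    # Days since 1970-01-01 for the date part of an ISO 8601 timestamp.
    function days(ts,    y, m, d, era, yoe, doy) {
      y = substr(ts, 1, 4) + 0; m = substr(ts, 6, 2) + 0; d = substr(ts, 9, 2) + 0
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    NR <= 2 { next }                 # header row and dashed rule
    NF == 4 { print $3, "NO_EXPIRY", "-"; next }
    NF == 5 {                        # Created Expiration HasExpired Name Seconds
      life = days($2) - days($1)     # granted lifetime in whole days
      if ($3 == "True")              status = "EXPIRED"
      else if (life > max_days)      status = "LONG_LIVED"
      else                           status = "OK"
      print $4, status, life
    }
  '
}

# token1 and token2 are the rows shown above; token3 and token4 are constructed.
sample_table() {
  cat <<'EOF'
Created               Expiration            HasExpired    Name    SecondsUntilExpiration
--------------------  --------------------  ------------  ------  ------------------------
2022-12-07T11:40:45Z  2022-12-08T11:40:45Z  False         token1  85890.870731556
2022-12-07T11:42:35Z  2022-12-22T11:42:35Z  False         token2  0
2022-12-07T11:45:00Z                        False         token3  0
2022-11-01T09:00:00Z  2022-11-02T09:00:00Z  True          token4  0
EOF
}

sample_table | audit_tokens 7   # 7-day maximum lifetime is an example policy
```

To audit a live instance, pipe the real command output into audit_tokens instead of sample_table; tokens reported as NO_EXPIRY or LONG_LIVED are candidates for deletion and re-creation with a shorter --time-to-live.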
Edit a service account
In this section, learn how to update a Grafana service account in the following ways:
To edit the name, select the service account and under Information select Edit.
To edit the role, select the service account and under Information, select the role and choose another role name.
To disable a service account, select a service account and at the top of the page select Disable service account, then select Disable service account to confirm. Disabled service accounts can be re-enabled by selecting Enable service account.
The notification Service account updated is instantly displayed.
Edit a service account with az grafana service-account update. Replace the placeholders <azure-managed-grafana-name> and <service-account-name> with your own information and use one or several of the following parameters:
--is-disabled: Enter --is-disabled true to disable a service account, or --is-disabled false to enable a service account.
--name: Enter another name for your service account.
--role: Enter another role for your service account. Available roles: Admin, Editor, Viewer.
To disable a service account, run the az grafana service-account update command with the option --is-disabled true. To enable a service account, use --is-disabled false.
az grafana service-account update --name <azure-managed-grafana-name> --service-account <service-account-name> --is-disabled true
To delete a Grafana service account, select a service account and at the top of the page select Delete service account, then select Delete service account to confirm. Deleting a service account is final and a service account can't be recovered once deleted.
To delete a service account, run the az grafana service-account delete command. Replace the placeholders <azure-managed-grafana-name> and <service-account-name> with your own information.
az grafana service-account delete --name <azure-managed-grafana-name> --service-account <service-account-name>
To delete a service account token, select a service account and under Tokens, select Delete (x). Select Delete to confirm.
To delete a service account token, run the az grafana service-account token delete command. Replace the placeholders <azure-managed-grafana-name>, <service-account-name> and <token-name> with your own information.
In this how-to guide, you learned how to create and manage service accounts and tokens to run automated operations in Azure Managed Grafana.