
Feature: Support workload identity federation #226

Open
walterjking opened this issue Jan 9, 2024 · 2 comments
Labels
type/feature-request New feature or request

Comments

@walterjking

Currently the options for authenticating are to provide a private key or to use GCE metadata. We'd like to remove all instances of private keys for security reasons, and https://cloud.google.com/iam/docs/workload-identities is the way to do this.

If you select GCE metadata, I believe it will actually pull the credentials file from the environment and be able to use any workload identity configured in that file, but that grants Grafana one identity. We have situations where we need different datasources to have different identities, so this does not solve our problem.

What we would actually want is a way to pass in a configuration file to the datasource, and have that datasource use the configuration passed in.
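The two credential shapes the request contrasts can be told apart mechanically. The following is an added example, not code from the Grafana plugin or from this issue: it classifies a Google Cloud credential JSON document as a service account key (type `service_account`, which embeds a long-lived `private_key`) or a workload identity federation configuration (type `external_account`, which carries `audience`, `subject_token_type` and `credential_source` and no key material), and reports which identity the file resolves to. Field names follow Google's published credential formats; the project id, pool, provider, service account and token path in the sample inputs are constructed placeholders.

```python
"""Added example: classify a Google Cloud credential configuration and flag
embedded private keys. Not from the Grafana plugin or this issue."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class CredentialReport:
    kind: str               # "service_account", "external_account" or "unknown"
    has_private_key: bool   # True when long-lived key material is embedded
    identity: str           # which principal the configuration resolves to
    findings: tuple         # human-readable issues, empty when clean


def classify_credential(raw: str) -> CredentialReport:
    """Inspect a credential JSON document and report its type and risks."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return CredentialReport("unknown", False, "", (f"not valid JSON: {exc.msg}",))

    kind = doc.get("type", "unknown")
    has_key = "private_key" in doc
    findings = []

    if kind == "service_account":
        if has_key:
            findings.append("embedded long-lived private key; prefer workload identity federation")
        identity = doc.get("client_email", "")
    elif kind == "external_account":
        for required in ("audience", "subject_token_type", "credential_source"):
            if required not in doc:
                findings.append(f"external_account config missing '{required}'")
        if has_key:
            findings.append("external_account config should not contain a private key")
        # The impersonation URL names the service account this configuration acts
        # as; two datasources with different URLs therefore get different identities.
        identity = doc.get("service_account_impersonation_url", doc.get("audience", ""))
    else:
        identity = ""
        findings.append(f"unrecognised credential type '{kind}'")

    return CredentialReport(kind, has_key, identity, tuple(findings))


# Constructed sample inputs: placeholder project, pool, provider and key material.
SERVICE_ACCOUNT_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "reporting@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})
WIF_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/000000000000/locations/global/"
                "workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
                                         "serviceAccounts/reporting@example-project.iam.gserviceaccount.com"
                                         ":generateAccessToken",
    "credential_source": {"file": "/var/run/secrets/tokens/grafana-datasource-token"},
})

if __name__ == "__main__":
    for name, raw in (("service account key", SERVICE_ACCOUNT_KEY), ("WIF config", WIF_CONFIG)):
        report = classify_credential(raw)
        print(f"{name}: type={report.kind} private_key={report.has_private_key} "
              f"identity={report.identity!r} findings={report.findings}")
```

Run over the credential files attached to each datasource, the report makes the requested end state checkable: every file should come back as `external_account` with no private key, and the `identity` field shows whether two datasources really do resolve to different service accounts.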

@gabor gabor added the type/feature-request New feature or request label Feb 14, 2024
@gabor gabor moved this to Backlog in OSS Big Tent Feb 14, 2024
@enricojonas

Totally agree, we need another option. Most Grafana instances are shared between teams that use different projects, so GCE metadata is not an option. Service account keys are insecure to handle. OIDC token / WIF would be the preferred option, just as GitHub Actions has implemented it towards GCP.

Similar to GitHub Actions, we could then configure a workload identity provider that does an assertion on the Grafana ORG where the request comes from.
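The "assertion on the Grafana ORG" above is the provider-side trust check: the workload identity provider verifies the incoming OIDC token's issuer, audience and expiry, maps its claims to attributes, and applies a condition on those attributes before the token can be exchanged for a Google Cloud credential. The following added example (not code from Grafana, Google or this issue) models that check in plain Python, mirroring how GitHub Actions deployments bind on repository or organization attributes. Everything about the token is an assumption: Grafana does not issue such tokens today, and the issuer URL, audience, `sub` format and `grafana_org` claim are constructed for illustration.

```python
"""Added example: the trust check a workload identity provider applies to an
OIDC token before exchanging it, modelled in plain Python. Not from Grafana,
Google or this issue; the token claims and values are assumptions."""
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ProviderPolicy:
    issuer: str              # only tokens from this issuer are trusted
    audience: str            # the pool/provider the token must be addressed to
    allowed_orgs: frozenset  # Grafana org ids allowed to assume the identity


def map_attributes(claims: dict) -> dict:
    """Attribute mapping: turn raw token claims into provider attributes.
    The 'grafana_org' claim is hypothetical; 'sub' stands in for the
    datasource or user the token was minted for."""
    return {
        "google.subject": claims.get("sub"),
        "attribute.org": str(claims.get("grafana_org", "")),
    }


def evaluate_assertion(policy: ProviderPolicy, claims: dict,
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Fails closed on any missing or mismatched claim."""
    now = time.time() if now is None else now

    if claims.get("iss") != policy.issuer:
        return False, "issuer mismatch"

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy.audience not in audiences:
        return False, "audience mismatch"

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"

    attrs = map_attributes(claims)
    if not attrs["google.subject"]:
        return False, "missing subject"

    # Attribute condition: the org carried in the token must be one the
    # provider was configured to trust, otherwise no exchange takes place.
    if attrs["attribute.org"] not in policy.allowed_orgs:
        return False, f"org {attrs['attribute.org']!r} not allowed"

    return True, f"accepted subject {attrs['google.subject']} for org {attrs['attribute.org']}"


# Constructed policy and token: placeholder issuer, project number and org id.
POLICY = ProviderPolicy(
    issuer="https://grafana.example.internal",
    audience="//iam.googleapis.com/projects/000000000000/locations/global/"
             "workloadIdentityPools/grafana-pool/providers/grafana",
    allowed_orgs=frozenset({"2"}),
)
GOOD_CLAIMS = {
    "iss": POLICY.issuer,
    "aud": POLICY.audience,
    "sub": "datasource:bigquery-finance",
    "grafana_org": 2,
    "exp": 1_700_000_600,
}

if __name__ == "__main__":
    print(evaluate_assertion(POLICY, GOOD_CLAIMS, now=1_700_000_000))
    print(evaluate_assertion(POLICY, {**GOOD_CLAIMS, "grafana_org": 3}, now=1_700_000_000))
    print(evaluate_assertion(POLICY, GOOD_CLAIMS, now=1_700_000_700))
```

The order of checks matters for a defender: issuer and audience are verified before any attribute is read, so a token minted for a different pool, or by a different Grafana instance sharing the same org numbering, is rejected without its claims ever reaching the condition. The accepted subject is the value that would later identify the caller, which is what makes the per-org binding useful for auditing.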

@owenhaynes

> Similar to GitHub Actions, we could then configure a workload identity provider that does an assertion on the Grafana ORG where the request comes from.

Would be an excellent feature from an auditing point of view, as we would presumably know the Grafana user running the query.
