@mhr3
Last active October 9, 2024 01:13
Authenticate to Grafana using Cloudflare Access

Grafana supports JWT-based authentication, so it needs to be enabled:

Snippet of grafana.ini:

[users]
allow_sign_up = false
auto_assign_org = true

[auth.jwt]
enabled = true
auto_sign_up = true
disable_signout_menu = true
username_claim = email
email_claim = email
# for extra verification, set to "Application Audience (AUD) Tag"
# which can be found in the app you create in Cloudflare Access
expect_claims = {"aud":"[AUDIENCE_TAG]"}
header_name = Cf-Access-Jwt-Assertion
jwk_set_url = https://[your-domain].cloudflareaccess.com/cdn-cgi/access/certs

The same config can be set via the Grafana Helm chart's values.yaml:

grafana.ini:
  auth.jwt:
    enabled: true
    auto_sign_up: true
    disable_signout_menu: true
    username_claim: email
    email_claim: email
    expect_claims: '{"aud":"[AUDIENCE_TAG]"}'
    header_name: Cf-Access-Jwt-Assertion
    jwk_set_url: https://[your-domain].cloudflareaccess.com/cdn-cgi/access/certs
  users:
    allow_sign_up: false
    auto_assign_org: true

valankar commented May 2, 2024

This was pretty helpful, but note that disable_signout_menu is in the wrong place:

https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/#hide-sign-out-menu

It should just be under [auth].
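
A pre-deployment check for the settings discussed above, added here as an example (it is not part of the gist or of Grafana). The function name `audit_jwt_auth` and the finding messages are hypothetical; the sample input is the gist's own snippet with its placeholders left in.

```python
import configparser
import json

# Constructed sample: the grafana.ini snippet from the gist, placeholders included.
SAMPLE_INI = """
[users]
allow_sign_up = false
auto_assign_org = true

[auth.jwt]
enabled = true
auto_sign_up = true
disable_signout_menu = true
username_claim = email
email_claim = email
expect_claims = {"aud":"[AUDIENCE_TAG]"}
header_name = Cf-Access-Jwt-Assertion
jwk_set_url = https://[your-domain].cloudflareaccess.com/cdn-cgi/access/certs
"""

def audit_jwt_auth(ini_text):
    """Hypothetical helper: list findings for a Grafana + Cloudflare Access JWT setup."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section("auth.jwt") or not cfg["auth.jwt"].getboolean("enabled", False):
        return ["auth.jwt is not enabled"]
    jwt, findings = cfg["auth.jwt"], []
    if "disable_signout_menu" in jwt:  # placement noted in the comment above
        findings.append("disable_signout_menu belongs under [auth], not [auth.jwt]")
    if jwt.get("header_name", "").lower() != "cf-access-jwt-assertion":
        findings.append("header_name is not Cf-Access-Jwt-Assertion")
    url = jwt.get("jwk_set_url", "")
    if not (url.startswith("https://") and url.endswith("/cdn-cgi/access/certs")):
        findings.append("jwk_set_url is not an HTTPS Cloudflare Access certs endpoint")
    elif "[" in url:
        findings.append("jwk_set_url still contains a placeholder")
    try:
        aud = json.loads(jwt.get("expect_claims", "{}")).get("aud")
    except (ValueError, AttributeError):  # invalid JSON, or JSON that is not an object
        aud = None
    if not isinstance(aud, str) or not aud:
        findings.append("expect_claims does not pin aud to the Application Audience (AUD) Tag")
    elif "[" in aud:
        findings.append("expect_claims aud still contains a placeholder")
    return findings

if __name__ == "__main__":
    for finding in audit_jwt_auth(SAMPLE_INI):
        print("-", finding)
```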
