Grafana supports JWT-based authentication, but it has to be enabled explicitly.
Snippet of grafana.ini:
[users]
allow_sign_up = false
auto_assign_org = true
[auth.jwt]
enabled = true
auto_sign_up = true
disable_signout_menu = true
username_claim = email
email_claim = email
# for extra verification, set to "Application Audience (AUD) Tag"
# which can be found in the app you create in Cloudflare Access
expect_claims = {"aud":"[AUDIENCE_TAG]"}
header_name = Cf-Access-Jwt-Assertion
jwk_set_url = https://[your-domain].cloudflareaccess.com/cdn-cgi/access/certs
The same config can be set via the Grafana Helm chart's values.yaml:
grafana.ini:
  auth.jwt:
    enabled: true
    auto_sign_up: true
    disable_signout_menu: true
    username_claim: email
    email_claim: email
    expect_claims: '{"aud":"[AUDIENCE_TAG]"}'
    header_name: Cf-Access-Jwt-Assertion
    jwk_set_url: https://[your-domain].cloudflareaccess.com/cdn-cgi/access/certs
  users:
    allow_sign_up: false
    auto_assign_org: true
This was pretty helpful, but note that disable_signout_menu is in the wrong place: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/#hide-sign-out-menu
It should just be under [auth].
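An added example (not part of the original post or the comment, and not Grafana's own code): a small linter for the grafana.ini snippet above that flags the misplaced disable_signout_menu key, a missing or placeholder aud pin, and an unfilled jwk_set_url. The function name lint_jwt_config and the embedded sample are constructed for illustration.

```python
import configparser
import json

# Constructed sample: the grafana.ini snippet from the post, placeholders intact.
SAMPLE_INI = """
[users]
allow_sign_up = false
auto_assign_org = true
[auth.jwt]
enabled = true
auto_sign_up = true
disable_signout_menu = true
username_claim = email
email_claim = email
expect_claims = {"aud":"[AUDIENCE_TAG]"}
header_name = Cf-Access-Jwt-Assertion
jwk_set_url = https://[your-domain].cloudflareaccess.com/cdn-cgi/access/certs
"""

def lint_jwt_config(ini_text):
    """Return a list of findings for the [auth.jwt] setup (hypothetical helper)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section("auth.jwt"):
        return ["missing [auth.jwt] section"]
    jwt, findings = cfg["auth.jwt"], []
    if not jwt.getboolean("enabled", fallback=False):
        findings.append("[auth.jwt] enabled is not true")
    # disable_signout_menu is an [auth] key, not an [auth.jwt] key.
    if "disable_signout_menu" in jwt:
        findings.append("disable_signout_menu is under [auth.jwt]; move it to [auth]")
    # The post pins aud via expect_claims; flag it when absent or unfilled.
    try:
        claims = json.loads(jwt.get("expect_claims", fallback="{}"))
        aud = str(claims.get("aud", "")) if isinstance(claims, dict) else ""
        if not aud:
            findings.append("expect_claims does not pin aud")
        elif aud.startswith("["):
            findings.append("expect_claims aud is still a placeholder")
    except json.JSONDecodeError:
        findings.append("expect_claims is not valid JSON")
    url = jwt.get("jwk_set_url", fallback="")
    if not url.startswith("https://"):
        findings.append("jwk_set_url is not an https URL")
    elif "[" in url:
        findings.append("jwk_set_url still contains a placeholder")
    if jwt.get("header_name", fallback="") != "Cf-Access-Jwt-Assertion":
        findings.append("header_name is not Cf-Access-Jwt-Assertion")
    return findings
```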