admin
Installation
SKILL.md
Grafana Cloud Admin
Docs: https://grafana.com/docs/grafana-cloud/account-management/
Organization and Stack Structure
Grafana Cloud Account
└── Organization (billing unit)
├── Stack 1 (prod) → dedicated Grafana, Prometheus, Loki, Tempo URLs
├── Stack 2 (staging)
└── Stack 3 (dev)
- Organization: top-level account with billing, users, API keys, stacks
- Stack: dedicated Grafana + LGTM instance with its own URLs and credentials
User Roles
| Role | Scope | Permissions |
|---|---|---|
| Org Admin | Organization | Manage stacks, users, billing, API keys |
| Admin | Stack | Data sources, plugins, users, provisioning |
| Editor | Stack | Create/edit dashboards, alerts |
| Viewer | Stack | Read-only dashboards |
RBAC (Cloud / Enterprise)
# provisioning/access-control/roles.yaml
apiVersion: 1
roles:
- name: TeamDashboardEditor
description: Edit dashboards within team folder
permissions:
- action: dashboards:read
scope: folders:UID:team-folder
- action: dashboards:write
scope: folders:UID:team-folder
- action: dashboards:create
scope: folders:UID:team-folder
# provisioning/access-control/assignments.yaml
apiVersion: 1
roleAssignments:
- roleName: TeamDashboardEditor
users:
- alice@example.com
- bob@example.com
teams:
- platform-team
Service Accounts
Service accounts are the recommended way for programmatic access (CI/CD, Terraform, agents):
# Create service account via API
curl -X POST https://yourstack.grafana.net/api/serviceaccounts \
-H "Authorization: Bearer <admin-token>" \
-H "Content-Type: application/json" \
-d '{"name": "terraform-provisioner", "role": "Admin", "isDisabled": false}'
# Create token for service account
curl -X POST https://yourstack.grafana.net/api/serviceaccounts/{id}/tokens \
-H "Authorization: Bearer <admin-token>" \
-H "Content-Type: application/json" \
-d '{"name": "ci-token", "secondsToLive": 0}'
Provisioning via YAML:
# provisioning/access-control/service_accounts.yaml
apiVersion: 1
serviceAccounts:
- name: alloy-writer
orgId: 1
role: Editor
tokens:
- name: alloy-token
SSO / Auth Configuration
OAuth (grafana.ini)
[auth.generic_oauth]
enabled = true
name = Okta
allow_sign_up = true
client_id = your_client_id
client_secret = your_client_secret
scopes = openid profile email groups
auth_url = https://your-org.okta.com/oauth2/v1/authorize
token_url = https://your-org.okta.com/oauth2/v1/token
api_url = https://your-org.okta.com/oauth2/v1/userinfo
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'
groups_attribute_path = groups
SAML (Enterprise)
[auth.saml]
enabled = true
certificate_path = /etc/grafana/saml/grafana.crt
private_key_path = /etc/grafana/saml/grafana.key
idp_metadata_path = /etc/grafana/saml/idp-metadata.xml
max_issue_delay = 90s
metadata_valid_duration = 48h
assertion_attribute_login = mail
assertion_attribute_email = mail
assertion_attribute_name = displayName
assertion_attribute_role = role
role_values_admin = grafana-admins
role_values_editor = grafana-editors
GitHub OAuth
[auth.github]
enabled = true
allow_sign_up = true
client_id = your_github_client_id
client_secret = your_github_client_secret
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
allowed_organizations = ["your-org"]
team_ids = [123456]
role_attribute_path = "Admin"
Cloud API for Stack Management
# List stacks
curl https://grafana.com/api/instances \
-H "Authorization: Bearer <grafana-com-api-key>"
# Create stack
curl -X POST https://grafana.com/api/instances \
-H "Authorization: Bearer <grafana-com-api-key>" \
-H "Content-Type: application/json" \
-d '{"name": "my-new-stack", "slug": "my-new-stack", "region": "us-east-0", "plan": "grafana-cloud-free"}'
# Delete stack
curl -X DELETE https://grafana.com/api/instances/{id} \
-H "Authorization: Bearer <grafana-com-api-key>"
Terraform Provider
terraform {
required_providers {
grafana = {
source = "grafana/grafana"
version = "~> 2.0"
}
}
}
provider "grafana" {
url = "https://yourstack.grafana.net"
auth = var.grafana_service_account_token
}
resource "grafana_team" "platform" {
name = "Platform Team"
email = "platform@example.com"
}
resource "grafana_user" "alice" {
email = "alice@example.com"
login = "alice"
name = "Alice"
password = "changeme"
}
resource "grafana_team_member" "platform_alice" {
team_id = grafana_team.platform.id
user_id = grafana_user.alice.id
}
resource "grafana_folder" "platform_dashboards" {
title = "Platform Dashboards"
}
resource "grafana_dashboard" "overview" {
folder = grafana_folder.platform_dashboards.uid
config_json = file("dashboards/overview.json")
}
Audit Logs
# Query audit logs (Enterprise/Cloud)
GET /api/admin/auditlogs?query=login&from=1706745600&to=1706832000&limit=50
Key Admin API Endpoints
# List org users
GET /api/org/users
# Invite user to org
POST /api/org/invites
{ "loginOrEmail": "user@example.com", "role": "Editor", "sendEmail": true }
# Update user org role
PATCH /api/org/users/{userId}
{ "role": "Admin" }
# List teams
GET /api/teams/search?name=platform
# Create team
POST /api/teams
{ "name": "Platform Team", "email": "platform@example.com" }
# Add user to team
POST /api/teams/{teamId}/members
{ "userId": 2 }
Related skills