grafana/crossplane-provider-grafana

Cannot create sso config

ksawerykarwacki opened this issue · 6 comments

I tried to create an SSO config in Grafana Cloud:

apiVersion: oss.grafana.crossplane.io/v1alpha1
kind: SsoSettings
metadata:
  name: test-sso
spec:
  forProvider:
    oauth2Settings:
      - authUrl: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
        tokenUrl: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
        scopes: openid,email,profile
        name: Microsoft
        clientId: CLIENT_ID
        clientSecretSecretRef:
          key: CLIENT_SECRET
          name: azuread-secret
          namespace: observability
    providerName: azuread
  providerConfigRef:
    name: test-test

Using a service account I get:

create failed: failed to create the resource: [{0 failed to create the SSO settings for provider azuread: [PUT /v1/sso-settings/{key}][401] updateProviderSettingsUnauthorized {"message":"Unauthorized"}  []}]

Using an access policy token I get:

create failed: failed to create the resource: [{0 the Grafana client is required for this resource. Set the auth and url provider attributes []}]

I tried both a global access policy with full scope for stack-oauth and oauth-clients,

and a stack-specific access policy with full scope for stack-oauth.

The Cloud service account was set to the Admin role.

I figured it out. The default secret created by the token ignores the custom domain configured on the stack, so it stores in instanceCredentials:

{"auth":"token","url":"https://slug.grafana.net"}

And it should store:

{"auth":"token","url":"https://mydomain.example.com"}

Creating the proper secret manually and passing it to ProviderConfig fixes this issue.

This should be either documented or fixed.

Additionally, there is no way to configure oauth_allow_insecure_email_lookup, which is required when logging in using Grafana Cloud and an external IDP with the same email.
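As an added example (not from the issue or the provider's own docs), here is the manual Secret and ProviderConfig that implement the workaround above: the credentials JSON carries the stack's custom domain instead of the slug.grafana.net URL. The `grafana.crossplane.io/v1beta1` API version, the `credentials` key, the secret name and the `crossplane-system` namespace are assumptions; the ProviderConfig name matches the `providerConfigRef` in the SsoSettings above.

```yaml
# Added example, not from the issue: a hand-made credentials Secret with the
# stack's custom domain, plus a ProviderConfig that points at it instead of the
# auto-generated instanceCredentials secret.
apiVersion: v1
kind: Secret
metadata:
  name: grafana-stack-credentials      # assumed name
  namespace: crossplane-system         # assumed namespace
type: Opaque
stringData:
  # Same shape as instanceCredentials, but "url" is the custom domain, not
  # https://slug.grafana.net. "auth" holds the access policy token (placeholder here).
  credentials: '{"auth":"ACCESS_POLICY_TOKEN","url":"https://mydomain.example.com"}'
---
apiVersion: grafana.crossplane.io/v1beta1   # assumed ProviderConfig API version
kind: ProviderConfig
metadata:
  name: test-test                           # referenced by providerConfigRef in SsoSettings
spec:
  credentials:
    source: Secret
    secretRef:
      name: grafana-stack-credentials
      namespace: crossplane-system
      key: credentials
```

After applying this, the SsoSettings resource should be created against the custom domain rather than the default stack URL.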

I'm trying to do the same config using terraform in an RKE2 cluster:


resource "grafana_sso_settings" "azuread_sso_settings" {
  provider_name = "azuread"
  oauth2_settings {
    name                       = "Azure AD"
    auth_url                   = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
    token_url                  = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"
    client_id                  = "APPLICATION_ID"
    client_secret              = "CLIENT_SECRET"
    allow_sign_up              = true
    auto_login                 = false
    scopes                     = "openid email profile"
    allowed_organizations      = "TENANT_ID"
    role_attribute_strict      = false
    allow_assign_grafana_admin = false
    skip_org_role_sync         = false
    use_pkce                   = true
  }
}

Error:

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

grafana_sso_settings.azuread_sso_settings: Creating...
╷
│ Error: failed to create the SSO settings for provider azuread: [PUT /v1/sso-settings/{key}] updateProviderSettings (status 404): {}
│ 
│   with grafana_sso_settings.azuread_sso_settings,
│   on grafana-ini.tf line 1, in resource "grafana_sso_settings" "azuread_sso_settings":
│    1: resource "grafana_sso_settings" "azuread_sso_settings" {
│ 
╵


Same issue here as well

@kaiyuanlim

Do you have Grafana API enabled? It is mandatory!

Yup, that is how I was able to use terraform with grafana for other stuff.