ysde/grafana-backup-tool

Unable to use the token generated by Grafana's Service accounts to restore data

ilanni2460 opened this issue · 9 comments

grafana version: 9.4.7

Unable to use the token generated by Grafana's Service accounts to restore data

This is the error log for recovery using the token produced by grafana's Service account:

`
[Pre-Check] grafana health check: http://192.168.5.128:3000/api/health
[DEBUG] resp status: 200
[DEBUG] resp body: {'commit': '4add91f03d', 'database': 'ok', 'version': '9.4.7'}

[Pre-Check] grafana auth check: http://192.168.5.128:3000/api/auth/keys
[DEBUG] resp status: 401
[DEBUG] resp body: {'message': 'invalid API key', 'traceID': ''}

`

grafana

Oh, by the way, if you still use the original API Keys, you can restore the data normally.

same issue, Service Account keys are not accepted, old API keys are fine. Grafana will deprecate API keys soon, in favor of Service Accounts

ysde commented

Hi @tasiotas @ilanni2460

Thanks for bring up this issue, the original api usage mentioned in Grafana's document is using API key.

Has any latest Grafana documents mentioned about the service account keys can be used for calling Grafana api ?

Many thanks

Hi!
Could you please clarify, is it planned to support Service accounts? As mentioned in docs "You can use service access tokens the same way as API Keys, for example to access Grafana HTTP API programmatically."

Hi. I tried on Grafana 9.5.2 to make a grafana backup & restore process using Service Account Token instead a API Key and for me works with any problem.

[Pre-Check] grafana health check: http://monitoring-grafana.monitoring.svc.cluster.local/api/health
[DEBUG] resp status: 200
[DEBUG] resp body: {'commit': 'cfcea75916', 'database': 'ok', 'version': '9.5.2'}

[Pre-Check] grafana auth check: http://monitoring-grafana.monitoring.svc.cluster.local/api/auth/keys
[DEBUG] resp status: 200
[DEBUG] resp body: []

Hi, Am also facing same issue am using Amazon Managed Grafana with workspace version 9.4. It would be great if we can add a support for Service Accounts tokens

1.4.2 works for me with a service account token on Grafana v10.0.2, but I had to give admin permissions to the service account (which I really don't want to) even to download dashboards, otherwise it fails with


[DEBUG] resp status: 403
[DEBUG] resp body: {'accessErrorId': 'ACE6843877355', 'message': "You'll need additional permissions to perform this action. Permissions needed: apikeys:read", 'title': 'Access denied'}

Hello - I face the same issue here - and am stuck. @nemobis : could you share how you defined the users in the grafanaSettings.json file? I have a grafana user, that has admin rights in the service settings. However, when I fill this users and its password into the json file - I still get the response below.

`[Pre-Check] grafana health check: http://localhost:3000/api/health
[DEBUG] resp status: 200
[DEBUG] resp body: {'commit': 'd3ce857c0eb86f571ffa993a9cd8493b6f47b630', 'database': 'ok', 'version': '10.4.1'}

[Pre-Check] grafana auth check: http://localhost:3000/api/auth/keys
[DEBUG] resp status: 403
[DEBUG] resp body: {'accessErrorId': 'ACE3900241993', 'message': "You'll need additional permissions to perform this action. Permissions needed: apikeys:read", 'title': 'Access denied'}
`

@martintamke Unfortunately I don't remember. According to my internal docs, I ended up using gdg instead (I've not tried on later versions of Grafana).

Did you use a user or a service account token? I'm not sure whether it matters.