Implementing Amazon Cognito Authentication for Grafana
Sankalp Sandeep Paranjpe
DevSecOps @ Intangles Lab | AWS Community Builder | Ex-AWS Cloud Captain | Cloud Security | Speaker | AWS User Group Pune | Let's secure your cloud infrastructure today!
In this guide, we’ll walk through implementing Amazon Cognito Authentication for Grafana.
There are 4 high-level steps:
1) Setting up Grafana on an Ubuntu EC2 instance.
2) Creating an Amazon Cognito User Pool and App client.
3) Setting up an Nginx reverse proxy and using Certbot for SSL.
4) Updating the Grafana configuration to use Cognito authentication.
Let’s dive in.
Let's create an Ubuntu machine and install the necessary packages and Grafana on it.
sudo apt update -y
sudo apt install -y software-properties-common apt-transport-https wget
Add Grafana APT Repository -
wget -q -O - https://packages.grafana.com/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/grafana-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/grafana-keyring.gpg] https://packages.grafana.com/oss/deb stable main" | sudo tee /etc/apt/sources.list.d/grafana.list
Install Grafana -
sudo apt update -y
sudo apt install -y grafana
Enable, start and verify Grafana Service -
sudo systemctl enable --now grafana-server
sudo systemctl status grafana-server
Now, we will create a Route 53 A record pointing at the machine's IP; we will need it later. I already have a domain name with me - awsverse.xyz
On AWS Console, go to Amazon Cognito Service. We will have to provide a name, a configuration option for sign-in identifiers and required attribute for sign up. We will be selecting email here as we want our users to use email to sign in.
Next, to create an app client, we will go to the "App integration" section, click "Create an app client", provide a name, configure authentication settings, and enable necessary OAuth flows. Finally, we will update the app client settings to allow required authentication flows and save the configuration.
Now we have created Amazon Cognito User Pool, App Client and have made necessary changes to the configurations.
We will be using Nginx as a reverse proxy. Nginx will accept client requests and forward them to Grafana while improving performance and security. Cognito only supports HTTPS callback URLs, so for SSL/TLS encryption we will use Certbot, a free and automated tool provided by Let’s Encrypt, to generate and manage SSL certificates. Certbot ensures that our deployment remains secure by enabling HTTPS and encrypting data in transit. This setup improves both security and performance, providing a seamless and secure user experience.
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx -y
Create a file /etc/nginx/sites-available/grafana.conf with the following content (Grafana itself listens on plain HTTP on port 3000, matching protocol = http in grafana.ini, so the upstream is http://, and TLS is terminated by Nginx once Certbot has run):
server {
    listen 80;
    server_name grafana.awsverse.xyz;

    location / {
        # Grafana listens on plain HTTP; TLS is terminated in Nginx
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets Grafana know the original scheme so it builds https:// redirect URIs
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Enable the site, test the configuration and restart the nginx service.
sudo ln -s /etc/nginx/sites-available/grafana.conf /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
Use Certbot to generate and deploy the certificate. The command is below; the reference image is shown above.
sudo certbot --nginx -d grafana.awsverse.xyz
We will be able to see the Grafana Login Page.
Now, we have to implement the Amazon Cognito authentication. For that we need to modify the /etc/grafana/grafana.ini file.
Before that, we check and configure a domain in the Amazon Cognito console.
Now, we will update the /etc/grafana/grafana.ini file. We will get all of these details from the Amazon Cognito console. Here's how the grafana.ini file looks after adding the Amazon Cognito related configuration.
[server]
; Grafana itself serves plain HTTP; Nginx terminates TLS in front of it
protocol = http
domain = grafana.awsverse.xyz
; root_url must be the public https URL: Grafana derives its OAuth callback from it
root_url = https://grafana.awsverse.xyz

[auth.generic_oauth]
enabled = true
name = AWS Cognito
allow_sign_up = true
client_id = jklmmqnbg0io75i0hh2eiu0u4
; Keep the secret out of files you share: Grafana expands $__env{VAR} and $__file{path} here
client_secret = 1qk7uhfoc1n7pmuqkstb3b99db1egs9m8i08funa2vheonormlkd
scopes = openid email profile
auth_url = https://us-east-1kagnausjg.auth.us-east-1.amazoncognito.com/oauth2/authorize
token_url = https://us-east-1kagnausjg.auth.us-east-1.amazoncognito.com/oauth2/token
api_url = https://us-east-1kagnausjg.auth.us-east-1.amazoncognito.com/oauth2/userInfo
allow_logout = true
state = false
; The callback Grafana actually uses is <root_url>/login/generic_oauth
login_redirect_url = https://grafana.awsverse.xyz/login/generic_oauth
Save the file and restart the Grafana Service.
After that go to Amazon Cognito Console, and update the callback URL, logout URL and scope.
After that go to the Grafana webpage and refresh it. You will be able to see the option to sign in using Amazon Cognito.
When you click "Sign in with AWS Cognito", it will redirect you to the Managed Login Page of Amazon Cognito.
Now, we will go and create a user for ourselves. The user will be confirmed once we log in.
Using the email id and password we will be able to log in to Grafana. Following is the URL we are redirected to when we click "Sign in with Amazon Cognito":
https://us-east-1kagnausjg.auth.us-east-1.amazoncognito.com/login?client_id=jklmmqnbg0io75i0hh2eiu0u4&redirect_uri=https://grafana.awsverse.xyz/login/generic_oauth&response_type=code&scope=openid+email+profile&state=kUTZf4wwOSBkH3phoueLQTVA35jsy_ma0W2ItQ8gPrw%3D
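As an added example (not code from the original post), here is a small Python checker that loads a grafana.ini shaped like the one above, derives the exact callback URI that must be registered on the Cognito app client, rebuilds the /oauth2/authorize request that Cognito then forwards to the hosted /login page shown above, and flags the settings that most often break this login or expose the secret. The sample ini, the example hostnames and the GF_COGNITO_CLIENT_SECRET variable name are constructed placeholders.

```python
import configparser
from urllib.parse import urlencode, urlparse

# Constructed sample shaped like the grafana.ini above; the secret comes from
# the environment through Grafana's $__env{} expansion instead of being inlined.
SAMPLE_INI = """[server]
protocol = http
root_url = https://grafana.example.com
[auth.generic_oauth]
enabled = true
client_id = EXAMPLE_CLIENT_ID
client_secret = $__env{GF_COGNITO_CLIENT_SECRET}
scopes = openid email profile
auth_url = https://example.auth.us-east-1.amazoncognito.com/oauth2/authorize
token_url = https://example.auth.us-east-1.amazoncognito.com/oauth2/token
api_url = https://example.auth.us-east-1.amazoncognito.com/oauth2/userInfo
"""

def load_ini(text):
    cfg = configparser.ConfigParser(interpolation=None)  # keep $__env{...} literal
    cfg.read_string(text)
    return cfg

def redirect_uri(cfg):
    """Grafana's callback is fixed at <root_url>/login/generic_oauth; this exact
    string must be registered as the Cognito app client's callback URL."""
    return cfg["server"]["root_url"].rstrip("/") + "/login/generic_oauth"

def authorize_url(cfg, state):
    """Rebuild the URL Grafana sends the browser to on 'Sign in with AWS Cognito'."""
    oauth = cfg["auth.generic_oauth"]
    params = {"client_id": oauth["client_id"], "redirect_uri": redirect_uri(cfg),
              "response_type": "code", "scope": oauth["scopes"], "state": state}
    return oauth["auth_url"] + "?" + urlencode(params)

def check(cfg):
    """Return findings that would break the login or expose the secret; [] is clean."""
    findings, oauth = [], cfg["auth.generic_oauth"]
    if urlparse(cfg["server"]["root_url"]).scheme != "https":
        findings.append("root_url is not https: Cognito only accepts HTTPS callback URLs")
    if len({urlparse(oauth[k]).netloc for k in ("auth_url", "token_url", "api_url")}) != 1:
        findings.append("auth_url, token_url and api_url point at different Cognito domains")
    if not oauth["api_url"].endswith("/oauth2/userInfo"):
        findings.append("api_url should be the Cognito /oauth2/userInfo endpoint")
    if "openid" not in oauth["scopes"].split():
        findings.append("scopes must include openid for Cognito to issue an ID token")
    if not oauth.get("client_secret", "").startswith("$__"):
        findings.append("client_secret is inlined; use $__env{VAR} or $__file{path} instead")
    return findings
```

Run check() against the real /etc/grafana/grafana.ini before restarting Grafana; a redirect_mismatch error from Cognito almost always means the value returned by redirect_uri() was not registered exactly as is.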
Here is how I have configured Authentication Method and Password Policy.
Also, I will uncheck the self registration option to restrict this Grafana access to the intended users only.
So, there is no create account option here on the login page now -
Cognito also supports federating with other identity providers and offers SSO capabilities, so we can use those as well. We will see that in a future blog post.
Thank you for reading,
See you all in the next blog,
Best Regards,
AVP - Senior Information Security Engineer | 2*AWS | 2*GCP | 1*Azure | Terraform | Prisma Cloud Certified | DevSecOps | Container Security | GitLab | SNYK | Checkov | Jfrog | Tenable | Aqua Security | Ex- Accenture
1 week ago: Never hardcode the client secret when you’re sharing links!