Setting Keycloak as an authentication provider in Grafana (SSO)

Introduction

Keycloak OAuth2 authentication allows users to log in to Grafana using their Keycloak credentials.

1.1. Created a seperate realm named kbt-developers.

1.2. Created a new client named kbt-internal-communication inside the realm kbt-developers. Enter the details as below and click on save.

client1
client2
Figure 1. client settings on keycloak for grafana

1.3. Turn On client authentication and select theme as kblogin for login screen.

client cred
Figure 2. client_cred

1.4. Created a client scope named grafana with the follwing details and click on save.

client scopes
Figure 3. client_scope

1.5. On mappers section , Click on Add mapper By configuration and select User Realm Role. Inside that give token claim name as roles and click on save.

cient scope mappers
Figure 4. cient_scope_mappers

1.6. Create a realm roles for admin,editor and viewer for giving permissions to the users.

realm roles
Figure 5. realm_roles

1.7. Created three users and given different permission to different users. Click on save.

users
Figure 6. users

1.8. Go to Attributes tab and credentials tab & make changes as follows,

backend_access: yes
Credentials   : kbt

1.9. Assign role to the user as viewer

User role

1.10. Create a group named kbt-internal and add users to this group.

users in group
scope mappers
Figure 7. scope_mappers

2. Task definition for running grafana.

2.1. Creation of task definition on the ECS EC2 cluster with the follwing environment variables.

sso taskenv1
sso taskenv2
Figure 8. task_env_var

2.2. Created a service for the task definition and route target for /grafana/login on Internet-facing load balancer to access the UI.

target group
Figure 9. target_group

2.3. Created a Route 53 record name for the particular load balancer.

route53 record
Figure 10. route53_record

2.4. Access the URL https://logs.kanilebettu.in/grafana/ & sign in with keycloak OAuth & give credentials as of on step:1.8.

Note: If the user is having the specific role like admin/editor/viewer only he can access the grafana, otherwise he can’t able to access.

grafana login
Figure 11. grafana_login