Secure credential storage for your observability stack: Introducing secrets management in Grafana Cloud

2025-08-20

The more your infrastructure grows, the more likely you are to face a familiar challenge: where to safely store the API keys, passwords, and tokens that power your observability stack. 

Unfortunately, a common response to this dilemma is to scatter credentials across configurations, making security and management of secrets increasingly complex. The problem is only compounded by modern observability setups that involve distributed services, API integrations, and collaborative teams—all requiring secure access to sensitive information.

That’s why we’re launching secrets management in Grafana Cloud. Currently in public preview, it’s designed to be the foundation for securing all your credentials in Grafana. And we aren’t just adding another feature with secrets management; we’re solving the credential management problem that every growing team faces by delivering these key benefits:

  • Centralized credential storage with enterprise-grade encryption
  • Reference-based secrets access 
  • Granular access controls
  • Complete audit trail of secret usage

In this blog, we’ll show you how we’re starting this rollout with Grafana Cloud Synthetic Monitoring and how you can implement it today. We’ll also give you a look behind the scenes to show how we’re developing this new functionality.

Secrets management in action: public preview for Synthetic Monitoring

The first product in Grafana Cloud to integrate with our new secrets manager is Synthetic Monitoring. This has been a highly requested feature that delivers clear and immediate value for users, so let’s look at how this changes what you can do in Synthetic Monitoring.  

The old way: embedded credentials   

If you’re running Synthetic Monitoring checks, you’ve likely faced this scenario:

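import http from 'k6/http';
export default function () {
  // Hardcoded credential: readable by anyone who can view the check
  const bearerToken = 'abc123-hardcoded-token-visible-to-everyone';
  const response = http.get('https://api.example.com/data', {
    headers: { 'Authorization': `Bearer ${bearerToken}` }
  });
}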

There are several problems with this approach:

  • Credentials are visible in the checks.
  • Team collaboration requires sharing sensitive values.
  • There’s no audit trail of credential usage.

The new way: secret references

import http from 'k6/http';
import secrets from 'k6/secrets';
export default async function () {
  const bearerToken = await secrets.get('my-token');
  const response = http.get('https://api.example.com/data', {
    headers: { 'Authorization': `Bearer ${bearerToken}` }
  });
}

With secrets management in Grafana Cloud, a user can store values in their stack, then anyone can configure a check that references those values by name (e.g., in an API request header). This was inspired by how GitHub handles secrets in CI actions. 

There are several benefits to this approach:

  • Sensitive values are stored securely and separately.
  • Multiple checks can reference the same secret.
  • You get easy credential rotation without touching individual checks.
  • There’s a full audit trail of which service accessed what and when.

Try it today

As we mentioned, secrets management is available now in public preview for all Grafana Cloud customers. Here’s how to get started:

  1. Access the feature: Log into your Grafana Cloud instance and navigate to Testing & synthetics > Synthetics > Config
  2. Create your first secret: Start with an API key or credential you’re currently using in Synthetic Monitoring
  3. Add the new secrets module to your check: import secrets from 'k6/secrets';
  4. Update your checks: Replace hardcoded values with secret references using secrets.get('my-secret') syntax

You can see how the process works in the UI below. For more details, check out our documentation.

User creates a secret
User references the secret from a scripted check

How we built this securely: the technical foundation

Building a secrets manager for Grafana Cloud required rethinking security from the ground up. Here’s how we designed it to protect your most sensitive data.

Encryption process

We encrypt secrets with envelope encryption so that they are protected at rest. Envelope encryption uses randomly generated data keys to encrypt secrets using an AES-GCM cipher, then encrypts those data keys with a root key before storing them. 

This obfuscates the data and spreads the decryption keys around, making successful attacks harder. Grafana Cloud supports envelope encryption using Key Management Services (KMS) in AWS, Google Cloud, and Microsoft Azure, as well as with HashiCorp Vault or a self-managed key.
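
The envelope scheme described above, as an added Node.js example (not Grafana's implementation). The function names, the record layout, the use of the secret's name as additional authenticated data, and the in-memory root key standing in for a KMS or Vault key are all assumptions made for illustration.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');
const GCM = 'aes-256-gcm', TAG = { authTagLength: 16 };

// Encrypt under `key`; `aad` is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = createCipheriv(GCM, key, nonce, TAG).setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]); // nonce | tag | ciphertext
}

// Inverse of seal(); final() throws if the key, aad or any stored byte is wrong.
function open(key, box, aad) {
  if (box.length < 28) throw new Error('ciphertext too short');
  const d = createDecipheriv(GCM, key, box.subarray(0, 12), TAG);
  d.setAuthTag(box.subarray(12, 28)).setAAD(aad);
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}

// A fresh data key per secret; only its wrapped (encrypted) form is stored.
// Assumption: the secret's name is bound in as AAD so records cannot be swapped.
function encryptSecret(rootKey, name, value) {
  const aad = Buffer.from(name, 'utf8'), dataKey = randomBytes(32);
  const record = {
    name,
    wrappedKey: seal(rootKey, dataKey, aad),
    ciphertext: seal(dataKey, Buffer.from(value, 'utf8'), aad),
  };
  dataKey.fill(0); // best-effort wipe of the plaintext data key
  return record;
}

function decryptSecret(rootKey, record) {
  const aad = Buffer.from(record.name, 'utf8');
  const dataKey = open(rootKey, record.wrappedKey, aad);
  return open(dataKey, record.ciphertext, aad).toString('utf8');
}

// Root-key rotation re-wraps only the data key; the secret ciphertext is untouched.
function rewrap(oldRoot, newRoot, record) {
  const aad = Buffer.from(record.name, 'utf8');
  const dataKey = open(oldRoot, record.wrappedKey, aad);
  return { ...record, wrappedKey: seal(newRoot, dataKey, aad) };
}

// Constructed sample values; a random in-memory key stands in for a KMS/Vault root key.
const rootA = randomBytes(32), rootB = randomBytes(32);
const stored = rewrap(rootA, rootB, encryptSecret(rootA, 'my-token', 'constructed-sample-value'));
console.log(decryptSecret(rootB, stored)); // decrypts only with the new root key
```

Because GCM authenticates as well as encrypts, a record whose ciphertext, wrapped key or name has been altered fails to decrypt instead of returning a wrong value.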

Simple visualization of envelope encryption

Our security principles

Encryption is just the beginning. We built secrets management in Grafana Cloud around core security principles that protect your data while making the system easier to use and manage.

Unified API and storage

In collaboration with our Application Security team, we designed a central secrets repository that maintains the highest security standards across all services. Services can use secrets without implementing their own envelope encryption or handling secret rotation and re-encryption. Secrets management in Grafana Cloud handles all of this automatically.

Metadata separation

Secret values are stored completely separately from metadata such as names and descriptions. This enables team collaboration and secret reuse without ever exposing sensitive data.

Secrets can only be decrypted by internal services

Users cannot access the sensitive payload. All services making decryption requests are rigorously vetted and validated for authenticity, permissions, and explicit access grants.

Adherence to encryption best practices

We continue to protect secrets with envelope encryption, including using popular third-party encryption services such as HashiCorp Vault and AWS Secrets Manager. Encryption keys are regularly rotated and all interactions are audited.

Observable

At Grafana Labs, it is a core part of our technical strategy to dogfood our own observability products. As such, secrets management in Grafana Cloud was instrumented for RED Method analysis using logs, traces, and metrics to detect any potential issues.

Note: For more information on how we maintain high standards of data privacy and security, check out our security compliance page.

Going beyond Synthetic Monitoring

Synthetic Monitoring is just the beginning for secrets management in Grafana Cloud. We’re already working on exciting expansions.

  • Third-party secret stores: Connect your existing HashiCorp Vault, AWS Secrets Manager, Google Cloud Secret Manager, or Azure Key Vault to Grafana Cloud.
  • Data source credentials: Integrate data sources with secrets management in Grafana Cloud and reference secrets stored in your third‑party secret store.
  • Grafana Cloud k6 integration: Reference secrets directly in your k6 scripts without embedding credentials in code.

Building trust through security

At Grafana Labs, we understand that secrets are at the core of trust between us and our users. With secrets management in Grafana Cloud, we’re not just solving today’s credential management challenges—we’re building the foundation for secure, scalable secrets management that will grow with your observability needs.

This represents a significant investment in security infrastructure that will enable new capabilities across the entire Grafana ecosystem. From Synthetic Monitoring to data sources to future integrations we haven’t even imagined yet, you’ll have a secure, auditable way to manage the credentials that power your observability stack.
