Grafana Cloud

Configure authentication and authorization

You can configure various methods to allow users to access your Grafana Cloud instance. To authorize requests to Grafana Cloud resources that do not involve users, you can use Grafana Cloud Access Policies.

User authentication

Grafana Cloud uses OAuth 2.0 with Grafana.com as the default authentication provider. Additional authentication and authorization methods, such as LDAP, SAML, and OAuth, can also be configured for your Grafana Cloud instance. For detailed guidance, refer to the Grafana documentation on authentication.

User authorization

Understand Grafana Cloud authentication layers

Grafana Cloud has two authentication layers that work together by default but can be separated for larger organizations.

Default model: Cloud Portal as the identity provider

By default, the Cloud Portal (grafana.com) acts as the identity provider for your stacks:

  • Users authenticate to grafana.com
  • They automatically have access to all stacks in your organization
  • Their Cloud Portal role (Admin, Editor, Viewer) is inherited by every stack
  • Works well for: Small teams (<20 users) with simple access needs

Cloud Portal authentication options:

  • Username/password (basic auth)
  • Social login (Google, GitHub, Microsoft, Amazon)
  • SAML SSO (Private Preview)

Layered model: Separate Cloud Portal and Stack authentication

For larger organizations, you can separate these authentication layers:

  • Cloud Portal: Small group of platform admins manage billing, stacks, cloud settings
  • Stack-level: Engineers authenticate directly to stacks (your-org.grafana.net), never access grafana.com

In this model, Cloud Portal access does not automatically grant stack access. You must explicitly add users to each stack.

Works well for: Larger teams (50+ users), enterprises with governance requirements

Stack authentication options: Stack-level authentication supports multiple authentication methods including SAML, OAuth, OIDC, LDAP, and SCIM provisioning.

Feature availability by layer

| Feature | Cloud Portal | Stack Level | Notes |
| --- | --- | --- | --- |
| Basic auth | | | Username/password |
| Social login | | | Google, GitHub, Microsoft, Amazon |
| SAML SSO | ✅ (Private Preview) | | Separate configs for each layer |
| SCIM provisioning | | | Stack-level only (Okta, Entra ID) |
| OAuth/OIDC | | | Custom OAuth providers via IdP |
| LDAP | | | Active Directory integration |
| RBAC | ✅ (Cloud org roles) | ✅ (Stack roles) | Different permission models |
| Access Policies | | | Cloud-level API access control |
| Service accounts | | | Stack-level only |

Configuring user roles

You can configure user roles either through the Cloud Portal or directly within your Grafana instance:

  • Using the Grafana Cloud Portal: Roles configured in the Grafana Cloud Portal will automatically propagate to your Grafana instances (default model). To learn more about the specific capabilities assigned to each role, see User account roles and permissions.
  • Directly in your Grafana instance: Configure roles within a specific Grafana instance using role-based access control.

Service accounts vs Cloud Access Policies

Both service accounts and Cloud Access Policies provide machine-to-machine authentication, but they serve different purposes and access different APIs.

| Aspect | Service Accounts | Cloud Access Policies |
| --- | --- | --- |
| Purpose | Manage Grafana resources (dashboards, users, alerts) | Read/write telemetry data (metrics, logs, traces) and manage cloud resources |
| API Access | Grafana HTTP API (/api/dashboards, /api/users, etc.) | Cloud API + data APIs (Mimir, Loki, Tempo) |
| Scope | Stack-level (single organization) | Cloud-level (can be org-wide or single stack) |
| Permissions Model | RBAC roles (Viewer, Editor, Admin) | Fine-grained scopes (metrics:read, logs:write) |
| Common Use Cases | Dashboard provisioning, Terraform, user management, scheduled reports | Grafana Agent setup, querying logs/metrics, stack management via Cloud API |
| Cannot Access | Mimir/Loki/Tempo data APIs | Grafana HTTP API (dashboards, users, etc.) |

When to use:

  • Service accounts: Automating Grafana UI tasks (creating dashboards, managing users, configuring data sources)
  • Cloud Access Policies: Sending or querying telemetry data (metrics, logs, traces), or managing stacks via Cloud API
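The split above can be enforced as a review check. The following Python script is an added example, not Grafana code: it lints a machine-credential inventory for the wrong credential type, for roles or scopes beyond what the workload declares it needs, and for org-wide policies that only one stack uses. The inventory format, its field names (targets, needed_role, needed_scopes, applies_to, stacks_used) and the API-family labels are assumptions made for illustration.

```python
# REACHABLE follows the page's comparison table; inventory fields are constructed.
REACHABLE = {
    "service_account": {"grafana_http"},
    "access_policy": {"cloud_api", "mimir", "loki", "tempo"},
}
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Admin": 2}  # stack RBAC roles

def audit(cred):
    """Return least-privilege findings for one credential record."""
    kind = cred["kind"]
    if kind not in REACHABLE:
        return [f"unknown credential kind: {kind}"]
    findings = []
    blocked = sorted(set(cred["targets"]) - REACHABLE[kind])
    if blocked:
        findings.append(f"{kind} cannot reach: {', '.join(blocked)}")
    if kind == "service_account":
        if ROLE_RANK[cred["role"]] > ROLE_RANK[cred["needed_role"]]:
            findings.append(f"role {cred['role']} exceeds needed {cred['needed_role']}")
    else:
        unused = sorted(set(cred["scopes"]) - set(cred["needed_scopes"]))
        if unused:
            findings.append(f"unused scopes: {', '.join(unused)}")
        if cred["applies_to"] == "org" and len(cred["stacks_used"]) == 1:
            findings.append("org-wide policy used by one stack; narrow it")
    return findings

# Constructed sample inventory (no real credentials or stack names).
INVENTORY = [
    {"name": "terraform-dashboards", "kind": "service_account",
     "targets": ["grafana_http"], "role": "Admin", "needed_role": "Editor"},
    {"name": "log-shipper", "kind": "access_policy", "targets": ["loki"],
     "scopes": ["logs:write", "logs:read", "metrics:read"],
     "needed_scopes": ["logs:write"], "applies_to": "org",
     "stacks_used": ["prod"]},
    {"name": "report-bot", "kind": "service_account", "role": "Viewer",
     "targets": ["grafana_http", "mimir"], "needed_role": "Viewer"},
    {"name": "metrics-reader", "kind": "access_policy", "targets": ["mimir"],
     "scopes": ["metrics:read"], "needed_scopes": ["metrics:read"],
     "applies_to": "stack", "stacks_used": ["prod"]},
]

def audit_all(inventory):
    """Map credential name -> findings, keeping only credentials with issues."""
    return {c["name"]: f for c in inventory if (f := audit(c))}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```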

For more information, refer to:

Authorize a service using access policies

You can use Grafana Cloud Access Policies and tokens to authorize requests to Grafana Cloud resources that do not involve users.