Grafana Cloud

Using an access policy token

The main uses for Cloud Access Policy tokens are:

  • To read data (metrics, logs, etc.) from a stack using a Grafana data source.
  • To write data (metrics, logs, etc.) to a stack using the Grafana agent.
  • To interact with the Grafana Cloud API.

To create an access policy and token, see these instructions: Create access policies and tokens.

Creating a data source with a Grafana Cloud token in Grafana UI

Follow these steps to create or configure a data source in Grafana using a Cloud Access Policy token:

  1. Copy the token: Start by copying the token associated with the service you are integrating (e.g., Loki, Prometheus, Tempo).
  2. Navigate to Connections: In Grafana, open the left-side menu and select Connections.
  3. Select or Add a Data Source: Use the filter to find the data source you want to add or update. When adding a new data source, Grafana will guide you to the configuration page for that source.
  4. Configure Authentication:
    • Go to the Settings tab for the data source.
    • In the Basic Auth section, enter the required credentials:
      • For services like Loki, use the log tenant ID as the User.
      • Enter the Grafana Cloud token as the Password.
  5. Save and Test: Click Save & Test to confirm the configuration. Grafana will verify the connection to ensure that it is correctly set up.

For further guidance and specific details, refer to the relevant integration documentation.

Note

You can see specific configuration instructions for creating data sources based on Grafana Cloud Prometheus, Loki, Graphite, Tempo, or Alert Manager by signing into your Grafana Cloud account, choosing a stack, and selecting the given service.

Creating a data source with a Grafana Cloud token using Terraform

You can provision a data source using a Terraform resource by providing a Cloud Access Policy token. Here is a sample Terraform configuration you can use as a base:

terraform
// Provision a Cloud Access Policy
resource "grafana_cloud_access_policy" "test" {
  provider      = grafana
  region        = "eu"
  name          = "terraform-test-policy-assets"
  display_name  = "Terraform Test Policy ASSETS"
  scopes        = ["metrics:read", "logs:read", "metrics:write", "logs:write"]

  realm {
    type       = "org"
    identifier = data.grafana_cloud_organization.current.id

    label_policy {
      selector = "{namespace=\"default\"}"
    }
  }
}

// Provision a Cloud Access Policy token
resource "grafana_cloud_access_policy_token" "test" {
  region           = "eu"
  access_policy_id = grafana_cloud_access_policy.test.policy_id
  name             = "my-policy-token"
  display_name     = "My Policy Token"
  expires_at       = "2024-01-01T00:00:00Z"
}

# Provision a datasource using the access policy token we just made
resource "grafana_data_source" "prometheus" {
  provider            = grafana
  type                = "prometheus"
  name                = "mimir"
  url                 = "https://prometheus-us-central1.grafana.net/api/prom"
  basic_auth_enabled  = true
  basic_auth_username = "740141"

  json_data_encoded = jsonencode({
    httpMethod        = "POST",
    tokenName         = "terraform-test-policy-assets",
    prometheusType    = "Mimir",
    prometheusVersion = "2.4.0"
  })

  secure_json_data_encoded = jsonencode({
    basicAuthPassword = grafana_cloud_access_policy_token.test.token
  })
}

Use the token to authenticate Grafana Cloud API requests

To use the Grafana Cloud API, authenticate requests with an access policy token. Include the token in the Authorization header for all requests:

http
GET https://grafana.com/api/instances/<STACK_SLUG>/plugins HTTP/1.1
Accept: application/json
Authorization: Bearer <CLOUD ACCESS POLICY TOKEN>

Requests to the Grafana Cloud API are authenticated using the Authorization header:

Bash
Authorization: Bearer <CLOUD ACCESS POLICY TOKEN>