---
title: "Secrets and variables | Grafana Labs"
description: "Securely configuring authentication for CI/CD"
---

> For a curated documentation index, see [llms.txt](/llms.txt). For the complete documentation index, see [llms-full.txt](/llms-full.txt).

## What you need

Your pipeline must authenticate to Grafana without exposing credentials in code. GitHub Actions provides two mechanisms: secrets for sensitive values and variables for non-sensitive configuration. You need three values: one secret and two variables.

| Value                  | What it is                                                              | Type     | Where to store           |
|------------------------|-------------------------------------------------------------------------|----------|--------------------------|
| **GRAFANA\_TOKEN**     | Service account token that authenticates the pipeline to Grafana        | Secret   | **Repository secrets**   |
| **GRAFANA\_SERVER**    | Your Grafana instance URL, for example `https://your-stack.grafana.net` | Variable | **Repository variables** |
| **GRAFANA\_STACK\_ID** | Your Grafana stack identifier                                           | Variable | **Repository variables** |

## Add and reference your credentials

Store the three values in your repository, then reference them from your workflow.

1. In your repository, go to **Settings** &gt; **Secrets and variables** &gt; **Actions**.
2. On **Repository secrets**, add `GRAFANA_TOKEN` with your service account token. Never commit this token to your repository.
3. On **Repository variables**, add `GRAFANA_SERVER` and `GRAFANA_STACK_ID`.
4. Reference the secret with the `secrets` context and the variables with the `vars` context.

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
env:
  GRAFANA_SERVER: ${{ vars.GRAFANA_SERVER }}
  GRAFANA_STACK_ID: ${{ vars.GRAFANA_STACK_ID }}
  GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
```

## Authenticate Terraform

Pass authentication to the Terraform provider through environment variables or directly in the provider block. Set `TF_VAR_grafana_url` and `TF_VAR_grafana_token` as environment variables, and Terraform picks them up automatically. The environment variable approach keeps your Terraform code portable: the same configuration works locally and in CI.

hcl ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```hcl
provider "grafana" {
  url  = var.grafana_url
  auth = var.grafana_token
}
```