What you need

Your pipeline must authenticate to Grafana without exposing credentials in code. GitHub Actions provides two mechanisms: secrets for sensitive values and variables for non-sensitive configuration. You need three values: one secret and two variables.

| Value | What it is | Type | Where to store |
| --- | --- | --- | --- |
| GRAFANA_TOKEN | Service account token that authenticates the pipeline to Grafana | Secret | Repository secrets |
| GRAFANA_SERVER | Your Grafana instance URL, for example https://your-stack.grafana.net | Variable | Repository variables |
| GRAFANA_STACK_ID | Your Grafana stack identifier | Variable | Repository variables |

Add and reference your credentials

Store the three values in your repository, then reference them from your workflow.

  1. In your repository, go to Settings > Secrets and variables > Actions.
  2. On Repository secrets, add GRAFANA_TOKEN with your service account token. Never commit this token to your repository.
  3. On Repository variables, add GRAFANA_SERVER and GRAFANA_STACK_ID.
  4. Reference the secret with the secrets context and the variables with the vars context.

```yaml
env:
  GRAFANA_SERVER: ${{ vars.GRAFANA_SERVER }}
  GRAFANA_STACK_ID: ${{ vars.GRAFANA_STACK_ID }}
  GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
```

Authenticate Terraform

Pass authentication to the Terraform provider through environment variables or directly in the provider block. Set TF_VAR_grafana_url and TF_VAR_grafana_token as environment variables, and Terraform picks them up automatically. The environment variable approach keeps your Terraform code portable: the same configuration works locally and in CI.

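```hcl
# Both values are Terraform variables, so they can be supplied through
# TF_VAR_grafana_url and TF_VAR_grafana_token instead of being hard-coded.
provider "grafana" {
  url  = var.grafana_url
  auth = var.grafana_token
}
```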
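
One way to bridge the workflow's GRAFANA_* values to the TF_VAR_* names Terraform reads, as an added example that is not part of the original page or of Grafana's own code. The function name `prepare_tf_env`, its return codes, and the https-only check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check to run in the CI step before Terraform.
# prepare_tf_env is a hypothetical helper name, not a Grafana or Terraform tool.

prepare_tf_env() {
  # An unset secret or variable expands to an empty string in GitHub Actions
  # (for example, secrets are withheld from workflows triggered by forks),
  # so test for emptiness rather than for the variable being defined.
  for name in GRAFANA_SERVER GRAFANA_STACK_ID GRAFANA_TOKEN; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      # Report the name only; the value itself is never written to the log.
      echo "missing required value: $name" >&2
      unset value
      return 1
    fi
  done
  unset value

  # Refuse to send the service account token over plain HTTP.
  case "$GRAFANA_SERVER" in
    https://*) ;;
    *)
      echo "GRAFANA_SERVER must be an https:// URL" >&2
      return 2
      ;;
  esac

  # Terraform reads TF_VAR_<name> for a variable declared as "<name>".
  export TF_VAR_grafana_url="$GRAFANA_SERVER"
  export TF_VAR_grafana_token="$GRAFANA_TOKEN"
  return 0
}

# Typical use inside the workflow step (left commented so the file only
# defines the function when sourced):
#   prepare_tf_env && terraform plan
```

Failing before Terraform starts makes a missing secret show up as a clear error naming the missing value, rather than as an authentication failure from the provider.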

Script

Your pipeline needs to authenticate to Grafana without exposing credentials in code. GitHub Actions provides two mechanisms: secrets for sensitive values and variables for non-sensitive configuration.

You’ll need three values. GRAFANA_TOKEN is a service account token. This is the only secret. Store it in your repository’s Settings under Secrets and Variables, Actions, then Repository Secrets. Never commit this to your repository.

GRAFANA_SERVER is your Grafana instance URL, something like https://your-stack.grafana.net. GRAFANA_STACK_ID is your stack identifier. Both are non-sensitive, so they go in Repository Variables.

In your workflow, reference secrets with the secrets context and variables with the vars context. Terraform reads them through environment variables or its variable system, depending on your configuration.

For the Terraform provider, you can pass authentication through environment variables or directly in the provider block using Terraform variables. The environment variable approach keeps your Terraform code portable. The same configuration works locally and in CI.