Authenticate securely with Workload Identity Federation for BigQuery and GCM data sources
Storing a service account JSON key file to connect Grafana Cloud to Google Cloud is a persistent security liability. Keys get embedded in config files, shared across teams, or quietly forgotten, all while remaining valid indefinitely by default. When one leaks there is no automatic expiry, and the blast radius is everything the service account is allowed to reach.
The BigQuery and Google Cloud Monitoring data source plugins support Google Cloud Workload Identity Federation (WIF) as an authentication method on Grafana Cloud. Instead of uploading a key file, Grafana Cloud exchanges the signed-in user’s OIDC token for a short-lived Google Cloud access token via the Security Token Service. Credentials are scoped to the active session and expire automatically — no keys to store, rotate, or accidentally expose.
To set it up, create a Workload Identity Pool and an OIDC Provider in Google Cloud that trusts your identity provider (its issuer URI and the audience it places in tokens), then grant the federated principal the BigQuery or Monitoring Viewer role it needs. For BigQuery, note that running queries also requires permission to create jobs (roles/bigquery.jobUser) in the project that is billed, not only roles/bigquery.dataViewer on the data. In the data source settings, select Workload Identity Federation as the authentication type and enter your provider's full resource path (projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>); this takes the numeric project number, not the project ID. Service account impersonation is also supported for finer-grained access control: the federated principal is granted roles/iam.workloadIdentityUser on a service account, the data source then acts as that account, and only the service account needs data-level roles.
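The exchange this procedure sets up, as an added example that is not Grafana's or Google's code: a Python model of the STS token exchange and the optional impersonation call, run against a fake transport so it works offline. The request shapes for sts.googleapis.com and the IAM Credentials generateAccessToken call are the real ones; the pool, provider, issuer (https://idp.example.com), audience, subjects, service account name and every token string are constructed for the example.

```python
"""Workload Identity Federation (WIF) exchange, added to illustrate the flow in the text
(not Grafana's or Google's code): the signed-in user's OIDC token is exchanged at Google
STS for a short-lived federated token, optionally followed by service account impersonation.
The HTTP transport is faked so this runs offline; every name and token here is constructed."""
import base64
import json
import re
import time
from typing import Optional

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_URL = ("https://iamcredentials.googleapis.com/v1/projects/-"
                       "/serviceAccounts/{sa}:generateAccessToken")
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
# projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>
PROVIDER_RE = re.compile(r"^projects/(?P<project>\d+)/locations/global/workloadIdentityPools/"
                         r"(?P<pool>[a-z0-9-]+)/providers/(?P<provider>[a-z0-9-]+)$")
# Constructed example values, not real resources.
PROVIDER = "projects/123456789012/locations/global/workloadIdentityPools/grafana-pool/providers/grafana-oidc"
ISSUER = "https://idp.example.com"   # the provider's --issuer-uri
AUDIENCE = "grafana-cloud"           # one of the provider's --allowed-audiences
SA = "bq-reader@example-project.iam.gserviceaccount.com"

def parse_provider_path(path: str) -> dict:
    """Validate the provider path from the data source settings. The first segment must be
    the numeric project *number*; putting the project ID there is a common mistake."""
    m = PROVIDER_RE.match(path)
    if not m:
        raise ValueError(f"not a WIF provider resource path: {path!r}")
    return m.groupdict()

def wif_principal(provider_path: str, subject: str) -> str:
    """IAM member for one federated identity, e.g. the grantee of roles/bigquery.dataViewer."""
    p = parse_provider_path(provider_path)
    return (f"principal://iam.googleapis.com/projects/{p['project']}/locations/global/"
            f"workloadIdentityPools/{p['pool']}/subject/{subject}")

def sts_request(provider_path: str, oidc_jwt: str, scope: str = CLOUD_PLATFORM) -> dict:
    """Body of the RFC 8693 token-exchange POST that STS expects."""
    parse_provider_path(provider_path)
    return {"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
            "audience": "//iam.googleapis.com/" + provider_path,
            "scope": scope,
            "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
            "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
            "subjectToken": oidc_jwt}

def exchange(provider_path: str, oidc_jwt: str, transport, impersonate_sa: Optional[str] = None) -> dict:
    """Return the access token Google hands back and the principal it acts as.
    transport(url, headers, json_body) -> json_response stands in for HTTPS POST."""
    sts = transport(STS_URL, {}, sts_request(provider_path, oidc_jwt))
    if impersonate_sa is None:
        return {"access_token": sts["access_token"], "expiry": sts["expires_in"], "principal": "federated"}
    # Impersonation: the federated token calls generateAccessToken on the SA, which succeeds
    # only if the SA has roles/iam.workloadIdentityUser bound to this federated principal.
    resp = transport(IAM_CREDENTIALS_URL.format(sa=impersonate_sa),
                     {"Authorization": "Bearer " + sts["access_token"]},
                     {"scope": [CLOUD_PLATFORM], "lifetime": "3600s"})
    return {"access_token": resp["accessToken"], "expiry": resp["expireTime"], "principal": impersonate_sa}

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def user_token(sub: str, issuer: str = ISSUER, audience: str = AUDIENCE, ttl: int = 300) -> str:
    """Constructed, unsigned OIDC token for the signed-in user. A real STS verifies the
    signature against the issuer's JWKS; the fake below checks the claims only."""
    claims = {"iss": issuer, "aud": audience, "sub": sub, "exp": int(time.time()) + ttl}
    return _b64url({"alg": "RS256", "typ": "JWT"}) + "." + _b64url(claims) + ".sig"

def fake_google(provider_path: str, impersonation_bindings: dict):
    """Offline stand-in for STS and the IAM Credentials API: enforces the provider's
    issuer/audience trust and the service account's workloadIdentityUser bindings."""
    issued = {}  # federated access token -> principal string

    def transport(url, headers, body):
        if url == STS_URL:
            if body["audience"] != "//iam.googleapis.com/" + provider_path:
                raise PermissionError("audience does not name this provider")
            payload = body["subjectToken"].split(".")[1]
            c = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
            if c.get("iss") != ISSUER or c.get("aud") != AUDIENCE or c.get("exp", 0) <= time.time():
                raise PermissionError("OIDC token rejected by provider trust config")
            tok = "ya29.federated." + c["sub"]
            issued[tok] = wif_principal(provider_path, c["sub"])  # mapping google.subject=assertion.sub
            return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}
        sa = url.split("/serviceAccounts/")[1].split(":")[0]
        member = issued.get(headers.get("Authorization", "")[len("Bearer "):])
        if member is None or member not in impersonation_bindings.get(sa, ()):
            raise PermissionError("caller lacks roles/iam.workloadIdentityUser on " + sa)
        return {"accessToken": "ya29.sa." + sa, "expireTime": "2030-01-01T00:00:00Z"}
    return transport

def outcome(oidc_jwt: str, transport, impersonate_sa: Optional[str] = None,
            provider_path: str = PROVIDER) -> str:
    """'ok:<principal>' or 'denied:<reason>' for one exchange attempt."""
    try:
        return "ok:" + exchange(provider_path, oidc_jwt, transport, impersonate_sa)["principal"]
    except (PermissionError, ValueError) as e:
        return "denied:" + str(e)
```

Three things the model makes visible that the setup steps only imply: a token whose issuer or audience does not match the provider's trust configuration is refused at the STS step, before any IAM binding is consulted; a user who can obtain a federated token still cannot impersonate a service account unless their federated principal holds roles/iam.workloadIdentityUser on it; and a provider path built with a project ID instead of the project number is rejected locally before any request is sent.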
One important detail: because credentials are tied to a signed-in user session, features that run without a user present — alerting, scheduled reports, and public dashboards — aren’t supported with this authentication method. For those use cases, continue using a service account key.
Refer to the BigQuery plugin documentation and the Google Cloud Monitoring authentication documentation for full setup instructions.