Service accounts

    A common use case for creating a service account is to perform operations on automated or triggered tasks. You can use service accounts to:

    • Schedule reports for specific dashboards to be delivered on a daily/weekly/monthly basis
    • Define alerts in your system to be used in Grafana
    • Set up an external SAML authentication provider
    • Interact with Grafana without signing in as a user

    In Grafana Enterprise, you can also use service accounts in combination with to grant very specific permissions to applications that interact with Grafana.

    Note: Service accounts can only act in the organization they are created for. If you have the same task that is needed for multiple organizations, we recommend creating service accounts in each organization.

    A service account token is a generated random string that acts as an alternative to a password when authenticating with Grafana’s HTTP API.

    You can create multiple tokens for the same service account. You might want to do this if:

    • multiple applications use the same permissions, but you would like to audit or manage their actions separately.

    Service account access tokens inherit permissions from the service account.

    Service account benefits

    The added benefits of service accounts to API keys include:

    • Service accounts resemble Grafana users and can be enabled/disabled, granted specific permissions, and remain active until they are deleted or disabled. API keys are only valid until their expiry date.
    • Service accounts can be associated with multiple tokens.
    • Unlike API keys, service account tokens are not associated with a specific user, which means that applications can be authenticated even if a Grafana user is deleted.
    • You can grant granular permissions to service accounts by leveraging role-based access control. For more information about permissions, refer to .

    A service account can be used to run automated workloads in Grafana, like dashboard provisioning, configuration, or report generation. For more information about how you can use service accounts, refer to .

    For more information about creating service accounts via the API, refer to Create a service account in the HTTP API.

    • Ensure you have permission to create and edit service accounts. By default, the organization administrator role is required to create and edit service accounts. For more information about user permissions, refer to About users and permissions.

    To create a service account

    1. Sign in to Grafana and hover your cursor over the Configuration (cog) icon in the sidebar.
    2. Click Service accounts.
    3. Click New service account.
    4. Enter a Display name.
    5. The display name must be unique as it determines the ID associated with the service account.
      • We recommend that you use a consistent naming convention when you name service accounts. A consistent naming convention can help you scale and maintain service accounts in the future.
      • You can change the display name at any time.
    6. Click Create service account.

    Add a token to a service account in Grafana

    A service account token is a generated random string that acts as an alternative to a password when authenticating with Grafana’s HTTP API. For more information about service accounts, refer to .

    You can create a service account token using the Grafana UI or via the API. For more information about creating a service account token via the API, refer to Create service account tokens using the HTTP API.

    Before you begin

    • Ensure you have permission to create and edit service accounts. By default, the organization administrator role is required to create and edit service accounts. For more information about user permissions, refer to About users and permissions.
    1. Sign in to Grafana, then hover your cursor over Configuration (the gear icon) in the sidebar.
    2. Click Service accounts.
    3. Click the service account to which you want to add a token.
    4. Click Add token.
    5. Enter a name for the token.
    6. (recommended) Enter an expiry date and expiry date for the token or leave it on no expiry date option.
      • The expiry date specifies how long you want the key to be valid.
    7. Click Generate service account token.

    You can assign roles to a Grafana service account to control access for the associated service account tokens. You can assign roles to a service account using the Grafana UI or via the API. For more information about assigning a role to a service account via the API, refer to .

    In Grafana Enterprise, you can also to grant very specific permissions to applications that interact with Grafana.

    Before you begin

    • Ensure you have permission to update service accounts roles. By default, the organization administrator role is required to update service accounts permissions. For more information about user permissions, refer to .

    To assign a role to a service account

    1. Sign in to Grafana, then hover your cursor over Configuration (the gear icon) in the sidebar.
    2. Click Service accounts.
    3. Click the service account to which you want to assign a role. As an alternative, find the service account in the list view.
    4. Assign a role using the role picker.
    5. Click Update.

    Manage users and teams permissions for a service account in Grafana

    To control what and who can do with the service account you can assign permissions directly to users and teams. You can assign permissions using the Grafana UI.

    • Ensure you have permission to update user and team permissions of a service accounts. By default, the organization administrator role is required to update user and teams permissions for a service account. For more information about user permissions, refer to .
    • Ensure you have permission to read teams.

    User and team permissions for a service account

    1. Edit: A user or a team with this permission can view, edit, enable and disable a service account, and add or delete service account tokens.
    2. Admin: User or a team with this permission will be able to everything from Edit permission, as well as manage user and team permissions for a service account.

    To update team permissions for a service account

    1. Sign in to Grafana, then hover your cursor over Configuration (the gear icon) in the sidebar.
    2. Click Service accounts.
    3. Click the service account for which you want to update team permissions a role.
    4. In the Permissions section at the bottom, click Add permission.
    5. Choose Team in the dropdown and select your desired team.
    6. Choose View, Edit or Admin role in the dropdown and click Save.
    1. Sign in to Grafana, then hover your cursor over Configuration (the gear icon) in the sidebar.
    2. Click Service accounts.
    3. Click the service account for which you want to update team permissions a role.
    4. In the Permissions section at the bottom, click Add permission.
    5. Choose View, Edit or Admin role in the dropdown and click Save.