Merge pull request #140 from grafana/use-sas-through-cloud-provider

Service accounts: use temp Grafana service account instead of API key

Author: IevaVasiljeva

client.go

@@ -26,7 +26,7 @@ type Client struct {
 
 // Config contains client configuration.
 type Config struct {
-	// APIKey is an optional API key.
+	// APIKey is an optional API key or service account token.
 	APIKey string
 	// BasicAuth is optional basic auth credentials.
 	BasicAuth *url.Userinfo
@@ -36,7 +36,7 @@ type Config struct {
 	Client *http.Client
 	// OrgID provides an optional organization ID
 	// with BasicAuth, it defaults to last used org
-	// with APIKey, it is disallowed because API keys are scoped to a single org
+	// with APIKey, it is disallowed because service account tokens are scoped to a single org
 	OrgID int64
 	// NumRetries contains the number of attempted retries
 	NumRetries int

cloud_grafana_api_key.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"time"
 )
 
 // This function creates a API key inside the Grafana instance running in stack `stack`. It's used in order
@@ -21,37 +20,3 @@ func (c *Client) CreateGrafanaAPIKeyFromCloud(stack string, input *CreateAPIKeyR
 	err = c.request("POST", fmt.Sprintf("/api/instances/%s/api/auth/keys", stack), nil, bytes.NewBuffer(data), resp)
 	return resp, err
 }
-
-// The Grafana Cloud API is disconnected from the Grafana API on the stacks unfortunately. That's why we can't use
-// the Grafana Cloud API key to fully manage API keys on the Grafana API. The only thing we can do is to create
-// a temporary Admin key, and create a Grafana API client with that.
-func (c *Client) CreateTemporaryStackGrafanaClient(stackSlug, tempKeyPrefix string, tempKeyDuration time.Duration) (tempClient *Client, cleanup func() error, err error) {
-	stack, err := c.StackBySlug(stackSlug)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	name := fmt.Sprintf("%s-%d", tempKeyPrefix, time.Now().UnixNano())
-	req := &CreateAPIKeyRequest{
-		Name:          name,
-		Role:          "Admin",
-		SecondsToLive: int64(tempKeyDuration.Seconds()),
-	}
-
-	apiKey, err := c.CreateGrafanaAPIKeyFromCloud(stackSlug, req)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	client, err := New(stack.URL, Config{APIKey: apiKey.Key})
-	if err != nil {
-		return nil, nil, err
-	}
-
-	cleanup = func() error {
-		_, err = client.DeleteAPIKey(apiKey.ID)
-		return err
-	}
-
-	return client, cleanup, nil
-}

cloud_grafana_service_account.go

@@ -0,0 +1,80 @@
+package gapi
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+)
+
+// This function creates a service account inside the Grafana instance running in stack `stack`. It's used in order
+// to provision service accounts inside Grafana while just having access to a Grafana Cloud API key.
+func (c *Client) CreateGrafanaServiceAccountFromCloud(stack string, input *CreateServiceAccountRequest) (*ServiceAccountDTO, error) {
+	data, err := json.Marshal(input)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := &ServiceAccountDTO{}
+	err = c.request(http.MethodPost, fmt.Sprintf("/api/instances/%s/api/serviceaccounts", stack), nil, bytes.NewBuffer(data), resp)
+	return resp, err
+}
+
+// This function creates a service account token inside the Grafana instance running in stack `stack`. It's used in order
+// to provision service accounts inside Grafana while just having access to a Grafana Cloud API key.
+func (c *Client) CreateGrafanaServiceAccountTokenFromCloud(stack string, input *CreateServiceAccountTokenRequest) (*CreateServiceAccountTokenResponse, error) {
+	data, err := json.Marshal(input)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := &CreateServiceAccountTokenResponse{}
+	err = c.request(http.MethodPost, fmt.Sprintf("/api/instances/%s/api/serviceaccounts/%d/tokens", stack, input.ServiceAccountID), nil, bytes.NewBuffer(data), resp)
+	return resp, err
+}
+
+// The Grafana Cloud API is disconnected from the Grafana API on the stacks unfortunately. That's why we can't use
+// the Grafana Cloud API key to fully manage service accounts on the Grafana API. The only thing we can do is to create
+// a temporary Admin service account, and create a Grafana API client with that.
+func (c *Client) CreateTemporaryStackGrafanaClient(stackSlug, tempSaPrefix string, tempKeyDuration time.Duration) (tempClient *Client, cleanup func() error, err error) {
+	stack, err := c.StackBySlug(stackSlug)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	name := fmt.Sprintf("%s%d", tempSaPrefix, time.Now().UnixNano())
+
+	req := &CreateServiceAccountRequest{
+		Name: name,
+		Role: "Admin",
+	}
+
+	sa, err := c.CreateGrafanaServiceAccountFromCloud(stackSlug, req)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	tokenRequest := &CreateServiceAccountTokenRequest{
+		Name:             name,
+		ServiceAccountID: sa.ID,
+		SecondsToLive:    int64(tempKeyDuration.Seconds()),
+	}
+
+	token, err := c.CreateGrafanaServiceAccountTokenFromCloud(stackSlug, tokenRequest)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	client, err := New(stack.URL, Config{APIKey: token.Key})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cleanup = func() error {
+		_, err = client.DeleteServiceAccount(sa.ID)
+		return err
+	}
+
+	return client, cleanup, nil
+}