I have two Grafana EC2 instances on AWS behind an ALB. Now I would like to configure access using AWS Cognito.
I'm trying to set grafana.ini as below:
[server]
protocol = http
#domain = grafana.mydomain.com
root_url = https://grafana.mydomain.com
serve_from_sub_path = true
[auth.generic_oauth]
enabled = true
allow_sign_up = true
auto_login = false
client_id = xxxxxxxxxxxxxxxxxxxxxxxxxxx
client_secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
user_pool_id = eu-west-1_xxxxxxxxx
auth_url = https://myapp.auth.eu-west-1.amazoncognito.com/auth2/authorize
token_url = https://myapp.auth.eu-west-1.amazoncognito.com/oauth2/token
region = eu-west-1
allow_sign_up = false
allowed_groups = "arn:aws:cognito:eu-west-1:000000000000:userpool/eu-west-1_xxxxxxxx:group/grafana-read", "arn:aws:cognito:eu-west-1:000000000000:userpool/eu-west-1_xxxxxxxx:group/grafana-admin"
role_attribute_path = contains(info.roles[*], 'grafana-admin') && 'Admin' || contains(info.roles[*], 'grafana-read') && 'Editor' || 'Viewer'
When I try to connect to the ALB by browser on:
https://grafana.mydomain.com/generic_oauth/login
I receive the error:
https://myapp.auth.eu-west-1.amazoncognito.com/error?error=redirect_mismatch&client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxx
Try this callback URL:
https://grafana.mydomain.com/login/generic_oauth
instead of:
https://grafana.mydomain.com/generic_oauth/login
Also add the auth_url parameter to grafana.ini:
auth_url = https://{domain}.auth.{region}.amazoncognito.com/oauth2/authorize
Hope this helps you.
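The two mistakes in this thread (a reversed callback path, and an auth_url pointing at /auth2/ instead of /oauth2/) can be caught before the browser ever sees redirect_mismatch. Added example, not from either poster: it parses a constructed grafana.ini fragment, derives the callback URL Grafana will send (root_url plus /login/generic_oauth), and compares it with the constructed list of callback URLs registered on the Cognito app client.

```python
import configparser
from urllib.parse import urlparse, urlunparse

# Constructed grafana.ini fragment reproducing the thread's two problems.
GRAFANA_INI = """
[server]
protocol = http
root_url = https://grafana.mydomain.com
serve_from_sub_path = true

[auth.generic_oauth]
enabled = true
client_id = xxxxxxxxxxxxxxxxxxxxxxxxxxx
auth_url = https://myapp.auth.eu-west-1.amazoncognito.com/auth2/authorize
token_url = https://myapp.auth.eu-west-1.amazoncognito.com/oauth2/token
"""

# Constructed: callback URLs registered on the Cognito app client (the asker's value).
COGNITO_CALLBACK_URLS = ["https://grafana.mydomain.com/generic_oauth/login"]


def expected_callback(root_url: str) -> str:
    """Grafana's generic OAuth callback is <root_url>/login/generic_oauth."""
    parsed = urlparse(root_url)
    path = parsed.path.rstrip("/") + "/login/generic_oauth"
    return urlunparse(parsed._replace(path=path))


def check_config(ini_text: str, callback_urls: list) -> list:
    """Return a list of findings; an empty list means the config is consistent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings = []
    oauth = cfg["auth.generic_oauth"]

    # Cognito requires an exact match between redirect_uri and a registered callback.
    callback = expected_callback(cfg["server"]["root_url"])
    if callback not in callback_urls:
        findings.append(f"redirect_mismatch: register {callback} on the app client")

    # Cognito's hosted UI endpoints live under /oauth2/, not /auth2/.
    for key, suffix in (("auth_url", "/oauth2/authorize"), ("token_url", "/oauth2/token")):
        path = urlparse(oauth[key]).path
        if path != suffix:
            findings.append(f"{key} path should be {suffix}, got {path}")
    return findings
```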