Commit 8e7a88fa by Labesse Kévin Committed by GitHub

Imagestore: Fallback to application default credentials when no key file is…

Imagestore: Fallback to application default credentials when no key file is specified for GCS (#25948)

The external image storage for GCS creates the JWT token from a credentials file,
but if your Grafana server runs on a GCE instance with a service account attached,
you can use that service account instead (you don't have to manage/secure the credentials file).

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
parent 44dff6fd
...@@ -1179,7 +1179,7 @@ Optional URL to send to users in notifications. If the string contains the seque ...@@ -1179,7 +1179,7 @@ Optional URL to send to users in notifications. If the string contains the seque
### key_file ### key_file
Path to JSON key file associated with a Google service account to authenticate and authorize. Optional path to JSON key file associated with a Google service account to authenticate and authorize. If no value is provided it tries to use the [application default credentials](https://cloud.google.com/docs/authentication/production#finding_credentials_automatically).
Service Account keys can be created and downloaded from https://console.developers.google.com/permissions/serviceaccounts. Service Account keys can be created and downloaded from https://console.developers.google.com/permissions/serviceaccounts.
Service Account should have "Storage Object Writer" role. The access control model of the bucket needs to be "Set object-level and bucket-level permissions". Grafana itself will make the images public readable. Service Account should have "Storage Object Writer" role. The access control model of the bucket needs to be "Set object-level and bucket-level permissions". Grafana itself will make the images public readable.
......
...@@ -43,20 +43,31 @@ func (u *GCSUploader) Upload(ctx context.Context, imageDiskPath string) (string, ...@@ -43,20 +43,31 @@ func (u *GCSUploader) Upload(ctx context.Context, imageDiskPath string) (string,
fileName += pngExt fileName += pngExt
key := path.Join(u.path, fileName) key := path.Join(u.path, fileName)
u.log.Debug("Opening key file ", u.keyFile) var client *http.Client
data, err := ioutil.ReadFile(u.keyFile)
if err != nil { if u.keyFile != "" {
return "", err u.log.Debug("Opening key file ", u.keyFile)
} data, err := ioutil.ReadFile(u.keyFile)
if err != nil {
u.log.Debug("Creating JWT conf") return "", err
conf, err := google.JWTConfigFromJSON(data, tokenUrl) }
if err != nil {
return "", err u.log.Debug("Creating JWT conf")
conf, err := google.JWTConfigFromJSON(data, tokenUrl)
if err != nil {
return "", err
}
u.log.Debug("Creating HTTP client")
client = conf.Client(ctx)
} else {
u.log.Debug("Key file is empty, trying to use application default credentials")
client, err = google.DefaultClient(ctx)
if err != nil {
return "", err
}
} }
u.log.Debug("Creating HTTP client")
client := conf.Client(ctx)
err = u.uploadFile(client, imageDiskPath, key) err = u.uploadFile(client, imageDiskPath, key)
if err != nil { if err != nil {
return "", err return "", err
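Review bot: The application-default-credentials branch calls `google.DefaultClient(ctx)` with no scope, while the key-file branch passes `tokenUrl` as the scope argument of `google.JWTConfigFromJSON`, so the two paths do not request the same access. With no scope the fallback client takes whatever the ambient credential allows, which on a GCE instance is presumably the set of access scopes granted to the VM; that can be broader than the upload needs, or lack storage write access altogether. Passing the same value keeps both paths pinned to one scope: `client, err = google.DefaultClient(ctx, tokenUrl)`. The fallback is also announced only at Debug level, so an accidentally empty `key_file` switches the uploader to the instance identity without a visible trace; logging that line at Info level would let operators see which identity is in use. `Upload` starts and ends outside this hunk, so the declaration of `err` used by the `=` assignment in the else branch cannot be checked here.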
......