Assign user to organisation based on JMESPath expression


I currently have Grafana setup running in a container (latest grafana/grafana image) with users logging in via OAuth from AWS Cognitio.

I can assign users to be Grafana or Server Admin roles by adding them to cognito groups and configuring the GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH environment variable with a JMESPath expression. This is working perfectly.

I now need to setup different Grafana Organisations and would like to assign users to organisations using the same approach: adding users to Cognito groups, and then using a JMESPath expression to assign them to the organisation.

Is this possible? If not, is there a different approach I can take to control my users membership to organisations via Cognito groups?


1 Like

Thanks for the link.

If I understand correctly the PR referenced in the linked post was never merged. The solution used in the above post was to use a Grafana Enterprise feature?

Unfortunately I’m not a Grafana Enterprise customer. Is there no way to achieve this with the open source version of Grafana?


I would say that is enterprise feature, so you enteprise version is the right one for this use case.
Of course, nobody is stopping you to create own code/implementation for Grafana OSS - but will it be worth it? :person_shrugging:

Yeah it’s not worth maintaining a fork for just my own needs, even if the above linked PR was still mergeable with minimal effort (seems unlikely).

I did notice that it’s possible to assign teams via JMESPath with the auth.generic_oauth config vars:


Originally I wanted to isolate my datasources and dashboards based on organisations, but based on reading the differences between teams and organisations, it seems I can achieve this isolation using teams instead?

Assuming this is the case, I should be able to use the two above config variables to assign teams using a JMESPath expression based on the cognito:groups field passed from cognito?

I’m struggling to find a working example of this though. Specifically I’m struggling to understand the difference between the two variables and how they work together.

Are there any working examples of a config that uses these two variables (not specifically with cognito)?