Best way to provision initial token for use with terraform provider

  • What Grafana version and what operating system are you using?

  • What are you trying to achieve?
    After deploying grafana, I’d like to provision dashboards/folders/alerts/etc. with the grafana terraform provider. To do this, I need an API token that needs to be created on the deployed instance first.

  • How are you trying to achieve it?
    If using basic auth, one could call the API with an admin user to do so, but I’m using the saml authentication and I can’t provision a “technical” admin user for this sole purpose. Currently I can only think of manually creating this initial token from an admin user account.

What would be the better way here? Is there a way to provision tokens from file for example? Something else?


Glad you asked, we have documentation here provisioning your grafana cloud instance using terraform.

You create an cloud_api_key in the grafana com console that is used to authenticate with the cloud provider. provider.first then you instantiate another provider which is used in combination with the cloud key to create your apikey in your grafana instance.

We are soon starting to deprecate API keys (they will still be able to be used) but if you want the way that we will support you can instead of creating a API key, create a service account and a service account token associated with that service account.

terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"

# Declaring the first provider to be only used for creating the cloud-stack
provider "grafana" {
  alias = "first"

 cloud_api_key = "<TOKEN>"

resource "grafana_cloud_stack" "eleijonmarck" {
  provider = grafana.first

  name        = ""
  slug        = "eleijonmarck"
  region_slug = "eu" # Example “us”,”eu” etc

# Creating an API key in Grafana instance to be used for creating resources in Grafana instance
resource "grafana_api_key" "cloud_api_key" {
  provider = grafana.first

  cloud_stack_slug = grafana_cloud_stack.eleijonmarck.slug
  name             = "cloud_api_key"
  role             = "Admin" 

# Declaring the second provider to be used for creating resources in Grafana        
provider "grafana" {
  alias = "second"

  url  = grafana_cloud_stack.eleijonmarck.url
  auth = grafana_api_key.cloud_api_key.key

# Creating a service account in Grafana instance to be used as auth
resource "grafana_service_account" "eleijonmarck_service_account" {
  provider = grafana.second

  name             = "eleijonmarck-sa"
  role             = "Admin"
  is_disabled = false

# Creating a service account token in Grafana instance to be used for creating resources in Grafana instance
resource "grafana_service_account_token" "eleijonmarck_service-account_token" {
  provider = grafana.second

  name               = "eleijonmarck-sa-token"
  service_account_id =

This is how I provision my grafana-cloud instance.

Hope this helps! :pray:

Thanks, that’s a really good answer for Grafana Cloud and I’m looking for the same for on premise/OSS.

I also imagine it works in a two step process like you describe but I can’t figure out how to provision the first API key (or service account) without having a user first.

Do you know of a way?