I need some help in Grafana with Keycloak.
I have set up Grafana using the official Helm chart. I enabled OAuth using Keycloak as described in the official docs (see here).
Set-up is as follows:
realm: platform
realm (platform) has a client: grafana
realm_roles: ["admin", "editor", "viewer"]
groups: ["devops", "engineering", "data"]
users: ["alice", "bob", "eve"]
Mapping is as follows:
alice ==> engineering ==> editor
bob ==> devops ==> admin
eve ==> data ==> viewer
Accordingly, bob should be able to manage Grafana while alice should be able to add/update dashboards. But everyone is logged in as Viewer. Screenshots attached.
When I inspect the token I get what is needed:
Bob:
{
"exp": 1749739009,
"iat": 1749738709,
"jti": "onrtro:feebeca4-d099-41ae-8876-cdc8b11c9176",
"iss": "https://keycloak.local.io:32443/realms/platform",
"aud": [
"grafana"
],
"typ": "Bearer",
"azp": "grafana",
"sid": "e387e58a-f002-4611-83b7-45d90323353f",
"realm_access": {
"roles": [
"admin"
]
},
"resource_access": {
"grafana": {
"roles": [
"admin"
]
}
},
"scope": "groups profile email", ############# I think roles are not mentioned maybe that's why
"email_verified": false,
"name": "Bob Ops",
"groups": [
"devops"
],
"preferred_username": "bob",
"given_name": "Bob",
"family_name": "Ops",
"email": "bob@example.com"
}
Alice:
{
"exp": 1749739031,
"iat": 1749738731,
"jti": "onrtro:8edcba1f-a896-4df1-a78f-369eacb82977",
"iss": "https://keycloak.local.io:32443/realms/platform",
"aud": [
"grafana"
],
"typ": "Bearer",
"azp": "grafana",
"sid": "57d28d32-1e11-494c-b240-93d241640715",
"realm_access": {
"roles": [
"editor"
]
},
"resource_access": {
"grafana": {
"roles": [
"editor"
]
}
},
"scope": "groups profile email", ############# I think roles are not mentioned maybe that's why
"email_verified": false,
"name": "Alice Dev",
"groups": [
"engineering"
],
"preferred_username": "alice",
"given_name": "Alice",
"family_name": "Dev",
"email": "alice@example.com"
}
Bob in Grafana UI:
Alice in Grafana UI:
Any insights would be much appreciated. Thanks!
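For reference, here is an added example (not part of the post, and not the poster's own configuration) of the Grafana `[auth.generic_oauth]` settings that control how the roles shown in the tokens above become Grafana org roles. It reuses the realm URL and client id from the post; the client secret is a placeholder, and the comment about Keycloak's default mapper behaviour is an assumption about the realm's setup.

```ini
[auth.generic_oauth]
enabled = true
name = Keycloak
client_id = grafana
client_secret = <KEYCLOAK_CLIENT_SECRET>   ; placeholder, not a real value
scopes = openid email profile groups roles
auth_url = https://keycloak.local.io:32443/realms/platform/protocol/openid-connect/auth
token_url = https://keycloak.local.io:32443/realms/platform/protocol/openid-connect/token
api_url = https://keycloak.local.io:32443/realms/platform/protocol/openid-connect/userinfo

; Weak setting: leaving role_attribute_path unset. Grafana then assigns every
; new OAuth login the default org role (Viewer), which matches what the post
; observes for bob and alice alike.
;
; Corrected setting: a JMESPath expression that maps Keycloak realm roles
; (realm_access.roles in the decoded tokens) to Grafana org roles.
role_attribute_path = contains(realm_access.roles[*], 'admin') && 'Admin' || contains(realm_access.roles[*], 'editor') && 'Editor' || 'Viewer'

; Fail closed: if the expression yields no valid role, deny the login instead
; of silently granting Viewer. This turns a missing claim into a visible
; login error rather than a quiet downgrade.
role_attribute_strict = true

; Caveat (assumption about the realm's mappers): Grafana evaluates the
; expression against the ID token and the userinfo response, not against the
; access token decoded in the post. Keycloak's realm-roles mapper adds
; realm_access to the access token by default, so check that the ID token or
; userinfo also carries it before concluding the mapping itself is wrong.
```

Decoding the ID token (or calling the userinfo endpoint with a user's session) and confirming that `realm_access.roles` is present there is the quickest way to tell a mapper gap apart from a wrong `role_attribute_path`.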