Grafana API authentication

I am planning to create a web-facing Grafana deployment where users sign in via SSO (with the default user/password login form disabled).

However, since I have a set of basic dashboards that need to be templated and deployed to multiple organizations, I need to be able to automate dashboard creation using the Grafana API. I also need to be able to automate other tasks, such as creating users and assigning them to a given list of organizations. This means I need to have basic authentication enabled.

Since this is web-facing (with no IP whitelist), I would prefer to have only SSO enabled and basic authentication disabled, but disabling basic authentication would mean that I can’t use Grafana’s API to manage all the automation.

Is there any way to avoid having to enable basic authentication or any way to make this more secure?

Why can’t you use the Grafana API with basic auth disabled?
Can you use an API key or the OIDC SSO client credentials flow?

Thank you for the reply. The problem is that, for automation purposes, I’m using some API calls that don’t work with API keys, and require basic auth, according to the documentation. For example:

GET /api/orgs - for getting a list of all organizations.
POST /api/orgs - for creating organizations.
GET /api/users - for getting a list of all global users.
GET /api/users/:id/orgs - for getting a list of orgs that a user belongs to.

Is there any way to work with these APIs from an automation script without enabling basic auth?

I’m not sure if it’s possible to access these endpoints with OIDC SSO client credentials flow - is there any example on how this could be done?

Thank you.

You are right. IMHO it isn’t possible. You can do preconfiguration, where you enable basic auth, and postconfiguration, where you disable it.
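The enable-then-disable window suggested in the last reply, sketched as an added example (not code from the thread or from Grafana): one function does the organization setup over basic auth, and a second confirms afterwards that the same credentials are refused. The function names and the base URL are hypothetical, and the check assumes Grafana answers an unauthenticated API request with 401 or 403.

```python
import base64
import json
import urllib.error
import urllib.request


def _call(base_url, path, user, password, body=None):
    """Send one basic-auth request; return (HTTP status, decoded JSON or None)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/json"},
        method="GET" if body is None else "POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def ensure_orgs(base_url, user, password, wanted):
    """Pre-configuration: create the organizations in `wanted` that are missing."""
    status, orgs = _call(base_url, "/api/orgs", user, password)
    if status != 200:
        raise RuntimeError(f"GET /api/orgs returned {status}; is basic auth enabled?")
    existing = {org["name"] for org in orgs}
    created = []
    for name in wanted:
        if name not in existing:  # idempotent: safe to re-run in a later window
            status, _ = _call(base_url, "/api/orgs", user, password, {"name": name})
            if status != 200:
                raise RuntimeError(f"POST /api/orgs for {name!r} returned {status}")
            created.append(name)
    return created


def basic_auth_rejected(base_url, user, password):
    """Post-configuration: True once the same credentials are refused.

    Assumption: an unauthenticated API request is answered with 401 or 403.
    """
    status, _ = _call(base_url, "/api/orgs", user, password)
    return status in (401, 403)
```

Run `ensure_orgs` while basic auth is enabled (the `enabled` key under `[auth.basic]` in grafana.ini), then switch it off and fail the deployment job unless `basic_auth_rejected` returns True against the public URL. Read the admin credentials from the environment or a secret store rather than hard-coding them.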