Grafana - LDAP on AWS Fargate

Hi Guys,

I am actually using Grafana deployed on AWS fargate.
The common configuration variables I do push by AWS System Manager which does work fine.

As of this I now attempt to enable LDAP, which is no issue on the main configuration file, but I struggle to get the variables properly interpolated for the toml config file. Actually I struggle already with the Server IP as a starting point.

E.g. GF_AUTH_LDAP_SERVERS_0_HOST doesn’t seem to do anything, my logs indicate that it doesn’t get written(connecting to 127.0.0.1:389).

The LDAP support page notes:

bind_password = "${LDAP_ADMIN_PASSWORD}"

however thats the only variable clearly named and imho doesn’t fit in the naming scheme of variables.

Any hints if I missed an point on the documentation would be appreciated.

BR
faddi

1 Like

HI Faddi ,

Did you the solution for the post ? , Even i tried it didnt work . posted in other pages no proper documentation is found . Please if you find one can you please fwd the same to me ?

Regards
Kamalnadh S

Hey Kamalnadh,

I didn’t found a working configuration for this which did work with variables directly.

Instead I created an EFS and placed the ldap.toml in there, mounted it on the Task definition and adjusted the file path for the GF_AUTH_LDAP_CONFIG_FILE to point to the mounted EFS containing the ldap.toml.

Hope this help.

Cheers,
faddi

Hi Faddi

Thank you for the quick response, Looks better idea keep configurations in EFS and attach those volumes. Its been a week I was googling not even find one best example for bind password environment variable.
If you don’t mine can I get a sample TAsk def file, i will try this way.

Yeah, Google wasn’t much helpful in my case to :wink:

Despite, you have an EFS already handy, mounted to an EC2 or similar and created the toml file.

An full task definition would look like this:

{
“ipcMode”: null,
“executionRoleArn”: “xxxxx”,
“containerDefinitions”: [
{
“dnsSearchDomains”: null,
“environmentFiles”: null,
“logConfiguration”: {
“logDriver”: “awslogs”,
“secretOptions”: null,
“options”: {
“awslogs-group”: “grafana”,
“awslogs-region”: “xxx”,
“awslogs-stream-prefix”: “grafana”
}
},
“entryPoint”: null,
“portMappings”: [
{
“hostPort”: 3000,
“protocol”: “tcp”,
“containerPort”: 3000
}
],
“command”: [
“df -h”
],
“linuxParameters”: null,
“cpu”: 0,
“environment”: [],
“resourceRequirements”: null,
“ulimits”: null,
“dnsServers”: null,
“mountPoints”: [
{
“readOnly”: true,
“containerPath”: “/mount/efs”,
“sourceVolume”: “efs”
}
],
“workingDirectory”: null,
“secrets”: null,
“dockerSecurityOptions”: null,
“memory”: null,
“memoryReservation”: null,
“volumesFrom”: [],
“stopTimeout”: null,
“image”: “xxx”,
“startTimeout”: null,
“firelensConfiguration”: null,
“dependsOn”: null,
“disableNetworking”: null,
“interactive”: null,
“healthCheck”: null,
“essential”: true,
“links”: null,
“hostname”: null,
“extraHosts”: null,
“pseudoTerminal”: null,
“user”: null,
“readonlyRootFilesystem”: null,
“dockerLabels”: null,
“systemControls”: null,
“privileged”: null,
“name”: “grafana”
}
],
“placementConstraints”: [],
“memory”: “2048”,
“taskRoleArn”: “xxxx”,
“compatibilities”: [
“EC2”,
“FARGATE”
],
“taskDefinitionArn”: “xxxx”,
“family”: “grafana_task_definition”,
“requiresAttributes”: [
{
“targetId”: null,
“targetType”: null,
“value”: null,
“name”: “com.amazonaws.ecs.capability.logging-driver.awslogs”
},
{
“targetId”: null,
“targetType”: null,
“value”: null,
“name”: “ecs.capability.execution-role-awslogs”
},
{
“targetId”: null,
“targetType”: null,
“value”: null,
“name”: “ecs.capability.efsAuth”
},
{
“targetId”: null,
“targetType”: null,
“value”: null,
“name”: “com.amazonaws.ecs.capability.docker-remote-api.1.19”
},
{
“targetId”: null,
“targetType”: null,
“value”: null,
“name”: “ecs.capability.efs”
},
{
“targetId”: null,
“targetType”: null,
“value”: null,
“name”: “com.amazonaws.ecs.capability.task-iam-role”
},
{
“targetId”: null,
“targetType”: null,
“value”: null,
“name”: “com.amazonaws.ecs.capability.docker-remote-api.1.25”
},
{
“targetId”: null,
“targetType”: null,
“value”: null,
“name”: “com.amazonaws.ecs.capability.docker-remote-api.1.18”
},
{
“targetId”: null,
“targetType”: null,
“value”: null,
“name”: “ecs.capability.task-eni”
}
],
“pidMode”: null,
“requiresCompatibilities”: [
“FARGATE”
],
“networkMode”: “awsvpc”,
“cpu”: “1024”,
“revision”: 38,
“status”: “ACTIVE”,
“inferenceAccelerators”: null,
“proxyConfiguration”: null,
“volumes”: [
{
“efsVolumeConfiguration”: {
“transitEncryptionPort”: null,
“fileSystemId”: “fs-xxxxxx”,
“authorizationConfig”: {
“iam”: “DISABLED”,
“accessPointId”: “fsap-xxxxxxxx”
},
“transitEncryption”: “ENABLED”,
“rootDirectory”: “/”
},
“name”: “efs”,
“host”: null,
“dockerVolumeConfiguration”: null
}
]
}

The File System IOD and access point ID you’d get from your EFS config.

1 Like

Thanks much Faddi ,
I will try this… :slight_smile:

1 Like

Hi Faddi ,

Finally Got solution for the ENV issue .Below is my Docker file looks like
ARG BASE_IMAGE=alpine:3.12
FROM ${BASE_IMAGE}

ENV LDAP_ADMIN_PASSWORD=
ENV DOMAIN_NAME=
ENV AWS_ACCESS_KEY_ID=
ENV AWS_SECRET_ACCESS_KEY=
ENV AWS_DEFAULT_REGION=

ARG GRAFANA_TGZ=“grafana-6.5.3.linux-amd64.tar.gz”

And in run.sh file added the below lines for change

#configuring the Ldap settings for grafana”
bind_password="$LDAP_ADMIN_PASSWORD"
hostname="$DOMAIN_NAME"
sed -i “s/127.0.0.1/$hostname/” /etc/grafana/ldap.toml
sed -i “s/secret/$bind_password/” /etc/grafana/ldap.toml

It worked perfectly .when ever we run docker run or deploy in ecs fargte need to pass the required ENV variables … that mentioned in Docker file.

1 Like