Grafana OSS 12.2.0: 403 Permission Error When Using Service Account Token to Call Alert API

  • Hello everyone, I’m encountering an issue with Grafana and would appreciate your help. Here’s the relevant information:

    1. What Grafana version and operating system are you using?
      Grafana OSS 12.2.0, Docker

    2. What are you trying to achieve?
      I want to use a service account token to create alert rules via API

    3. How are you trying to achieve it?
      I’m sending a POST request to /api/alerting-provisioning/rules with a JSON body, using the service account’s Bearer token

    4. What happened?
      The response was Error: status: 403, body: {"accessErrorId":"ACE5486629262","message":"You'll need additional permissions to perform this action. Permissions needed: alert.provisioning:write","title":"Access denied"}

    5. What did you expect to happen?
      I expected the alert rule to be created successfully

    6. Can you copy/paste the configuration(s) that you are having problems with?
      docker run -d -p 3000:3000 --name=grafana \
      -e "GF_SECURITY_ALLOW_EMBEDDING=true" \
      -e "GF_DATABASE_TYPE=postgres" \
      -e "GF_DATABASE_HOST=myDB:5432" \
      -e "GF_DATABASE_NAME=grafana" \
      -e "GF_DATABASE_USER=mysuer" \
      -e "GF_DATABASE_PASSWORD=mypassword" \
      -e "GF_DATABASE_SSL_MODE=verify-full" \
      -e "GF_AUTH_ANONYMOUS_ENABLED=true" \
      grafana/grafana:latest

    7. Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
      The response was Error: status: 403, body: {"accessErrorId":"ACE5486629262","message":"You'll need additional permissions to perform this action. Permissions needed: alert.provisioning:write","title":"Access denied"}

    8. Did you follow any online instructions? If so, what is the URL?
      Grafana Doc

I have tried to set up the service account token directly via the Swagger interface, but I still get the same error. However, using the Grafana UI I can successfully create alerts.
May I ask if there is any additional configuration I need to enable? Or is the API for creating alerts not supported in OSS Grafana?

I’ve ensured that the service account has been assigned the “Editor” or “Admin” role, which should grant the necessary permissions to create alerts.

Thanks in advance for any help!

Welcome to the community forum @arvin8611 !

Try to POST your request to /api/v1/provisioning/alert-rules instead of api/alerting-provisioning/rule

Docs:

Hi Antonio, thank you for your response. Sorry, the API endpoint I mentioned earlier was a typo. I did make the request to the correct one: /api/v1/provisioning/alert-rules, but I’m still getting the same error. Do you know why this might be happening?

If I create a service account token with admin permission, and I use it as bearer token, I can successfully send a POST request to

localhost:3000/api/v1/provisioning/alert-rules

Are you using the right base URL? If Grafana is running locally, you probably use a localhost address. Since you are using Docker, make sure you are using the appropriate container network address, e.g. http://grafana:3000

Here is the body JSON if you want to give it a go. Just replace the folderUID with an actual UID within your instance.

{
        "id": 9999,
        "uid": "",
        "orgID": 1,
        "folderUID": "ddoqgpkduox6oa",
        "ruleGroup": "alerting",
        "title": "no",
        "condition": "B",
        "data": [
            {
                "refId": "A",
                "queryType": "",
                "relativeTimeRange": {
                    "from": 600,
                    "to": 0
                },
                "datasourceUid": "mnOkAJt4k",
                "model": {
                    "hide": false,
                    "intervalMs": 1000,
                    "maxDataPoints": 43200,
                    "refId": "A"
                }
            },
            {
                "refId": "B",
                "queryType": "",
                "relativeTimeRange": {
                    "from": 600,
                    "to": 0
                },
                "datasourceUid": "-100",
                "model": {
                    "conditions": [
                        {
                            "evaluator": {
                                "params": [
                                    3
                                ],
                                "type": "gt"
                            },
                            "operator": {
                                "type": "and"
                            },
                            "query": {
                                "params": [
                                    "A"
                                ]
                            },
                            "reducer": {
                                "params": [],
                                "type": "last"
                            },
                            "type": "query"
                        }
                    ],
                    "datasource": {
                        "type": "__expr__",
                        "uid": "-100"
                    },
                    "expression": "A",
                    "hide": false,
                    "intervalMs": 1000,
                    "maxDataPoints": 43200,
                    "reducer": "mean",
                    "refId": "B",
                    "type": "reduce"
                }
            }
        ],
        "updated": "2024-01-15T15:28:48+01:00",
        "noDataState": "NoData",
        "execErrState": "Error",
        "for": "5m",
        "keep_firing_for": "0s",
        "provenance": "api",
        "isPaused": false,
        "notification_settings": null,
        "record": null
    }

Thank you for your help. I just tried using Postman and found that the rule is created successfully. So I suspect the issue might be with the cross-origin part of my code. Thanks again for your assistance! 🙏

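An added example, not part of any post in this thread and not Grafana's own code: a small Python client that sends the request discussed above (POST to /api/v1/provisioning/alert-rules with the service account token as a Bearer header) and, on a denial, extracts the error id and the missing permission from a body like the one quoted in the first post. The function names and the parsing of the "Permissions needed:" text are assumptions based only on that sample response.

```python
import json
import re
import urllib.error
import urllib.request

RULES_PATH = "/api/v1/provisioning/alert-rules"  # endpoint named in the thread

# Constructed sample: the 403 body quoted in the first post.
SAMPLE_403 = json.dumps({
    "accessErrorId": "ACE5486629262",
    "message": "You'll need additional permissions to perform this action. "
               "Permissions needed: alert.provisioning:write",
    "title": "Access denied",
})

def build_rule_request(base_url, token, rule):
    """Build the POST with the service account token as a Bearer header."""
    if not token or token != token.strip():
        raise ValueError("token is empty or has stray whitespace")
    return urllib.request.Request(
        base_url.rstrip("/") + RULES_PATH,
        data=json.dumps(rule).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )

def explain_denial(status, body):
    """Pull the error id and the missing permissions out of an error body."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = {}
    doc = doc if isinstance(doc, dict) else {}
    # Assumption: permissions follow "Permissions needed:" as action:scope tokens.
    tail = doc.get("message", "").partition("Permissions needed:")[2]
    return {
        "status": status,
        "access_error_id": doc.get("accessErrorId"),
        "missing_permissions": re.findall(r"[\w.]+:[\w.*]+", tail),
    }

def create_rule(base_url, token, rule, timeout=10):
    """Send the request; on an HTTP error return the parsed denial instead."""
    req = build_rule_request(base_url, token, rule)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"status": resp.status, "body": json.loads(resp.read())}
    except urllib.error.HTTPError as err:
        return explain_denial(err.code, err.read().decode("utf-8", "replace"))
```

If `create_rule` succeeds from the host while browser code still receives the 403, compare the `Authorization` header the browser actually sends with the one built here.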