Hello,

I am trying to add the Prometheus data source to use Prometheus behind Google Cloud Identity-Aware Proxy (IAP). This means that every request sent to Prometheus needs to carry additional info to prove the identity. This can be done either by sending Authorization Bearer tokens in headers (server access) or by providing tokens from cookies (browser access). I decided to set up browser access and make Grafana use existing IAP-related cookies when sending requests to IAP-protected Prometheus, but I failed because it seems that Grafana JS requests don’t use cookies.

With the GCP Support help, I have found out that this might be the cause:

Once the session on target_domain is established, the developer needs to enable credentials to be sent in the request. By default, JavaScript methods don’t attach cookies to requests. To enable credentials in the request, requests sent with an XMLHttpRequest
object need the withCredentials property set to true, while requests sent with the Fetch API need the credentials option set to include or same-origin .

Is there an option to configure or workaround this?

Thanks in advance.

Regards,

Milan

I can’t find any examples of this but there are some options to not strip cookies from data source requests in Grafana. The Prometheus data source has these two options that might help:

• Allow Cookes option. The Grafana proxy deletes forwarded cookies by default. Specify cookies by name that should be forwarded to the data source.
• With Credentials option. Whether credentials such as cookies or auth headers should be sent with cross-site requests.