User created by logging in with Google OAuth is not administrator

  • What Grafana version and what operating system are you using?
    Using Grafana in Google Kubernetes Engine via prometheus-stack
    Grafana image is

  • What are you trying to achieve?
    Configure Google Authentication so that when a specific user logs in and has their account created, they are an administrator.

  • How are you trying to achieve it?
    Following the document mentioned below (can only include 2 links), we have ended up with /etc/grafana/grafana.ini that I’ve pasted in the configuration block below. The specific lines relevant to this are

allow_assign_grafana_admin = true
role_attribute_path = email=='' && 'Admin' || 'Editor'

I’ve also tried with GrafanaAdmin instead of Admin in the above role_attribute_path

  • What happened?
    The user is logged in and created, but does not have administration privileges. If I log in as an admin user, I see that Grafana Admin is set to No in the UI.

  • What did you expect to happen?
    I expected the user to be logged in and an account created as an administrator account.

  • Can you copy/paste the configuration(s) that you are having problems with?

reporting_enabled = false
check_for_updates = true
allow_assign_grafana_admin = true
allow_sign_up = true
allowed_domains =
allowed_groups =
auth_url =
enabled = true
role_attribute_path = email=='' && 'Admin' || 'Editor'
scopes =,
token_url =
min_refresh_interval = 60s
url =
mode = console
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
disable_gravatar = true
domain = ''
enable_gzip = true
root_url =

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

When logging in to create the account, the logs show the following:

logger=context userId=0 orgId=0 uname= t=2024-02-06T16:28:33.058758785Z level=info msg="Request Completed" method=GET path=/login/google status=302 remote_addr= time_ms=0 duration=899.93µs size=647 referer= handler=/login/:name
logger=context userId=0 orgId=0 uname= t=2024-02-06T16:28:39.997115469Z level=info msg="Request Completed" method=GET path=/login/google status=302 remote_addr= time_ms=653 duration=653.364239ms size=24 referer= handler=/login/:name
logger=context userId=7 orgId=1 t=2024-02-06T16:28:40.242985891Z level=info msg="Request Completed" method=GET path=/api/live/ws status=-1 remote_addr= time_ms=1 duration=1.566925ms size=0 referer= handler=/api/live/ws

In the UI, the user has the expected e-mail address that is used in the role mapping.

  • Did you follow any online instructions? If so, what is the URL?

Switching from an e-mail to a group solved this for us.

role_attribute_path: contains(groups[*], '') && 'Admin' || 'Viewer'