User created by logging in with Google OAuth is not administrator

  • What Grafana version and what operating system are you using?
    Using Grafana in Google Kubernetes Engine via prometheus-stack
    Grafana image is docker.io/grafana/grafana:10.3.1

  • What are you trying to achieve?
    Configure Google Authentication so that when a specific user logs in and has their account created, they are an administrator.

  • How are you trying to achieve it?
    Following the document mentioned below (can only include 2 links), we have ended up with /etc/grafana/grafana.ini that I’ve pasted in the configuration block below. The specific lines relevant to this are

allow_assign_grafana_admin = true
role_attribute_path = email=='me@mydomain.com' && 'Admin' || 'Editor'

I’ve also tried with GrafanaAdmin instead of Admin in the above role_attribute_path

  • What happened?
    The user is logged in and created, but does not have administration privileges. If I log in as an admin user, I see that Grafana Admin is set to No in the UI.

  • What did you expect to happen?
    I expected the user to be logged in and an account created as an administrator account.

  • Can you copy/paste the configuration(s) that you are having problems with?

reporting_enabled = false
[analytics]
check_for_updates = true
[auth.google]
allow_assign_grafana_admin = true
allow_sign_up = true
allowed_domains = mydomain.com
allowed_groups = our.team@mydomain.com
auth_url = https://accounts.google.com/o/oauth2/auth
client_id = ${GOOGLE_OAUTH_CLIENT_ID}
client_secret = ${GOOGLE_OAUTH_CLIENT_SECRET}
enabled = true
role_attribute_path = email=='me@mydomain.com' && 'Admin' || 'Editor'
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/cloud-identity.groups.readonly
token_url = https://accounts.google.com/o/oauth2/token
[dashboards]
min_refresh_interval = 60s
[grafana_net]
url = https://grafana.net
[log]
mode = console
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[security]
disable_gravatar = true
[server]
domain = ''
enable_gzip = true
root_url = https://grafana.mydomain.com

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

When logging in to create the account, the logs show the following:

logger=context userId=0 orgId=0 uname= t=2024-02-06T16:28:33.058758785Z level=info msg="Request Completed" method=GET path=/login/google status=302 remote_addr=147.12.244.38 time_ms=0 duration=899.93µs size=647 referer=https://grafana.mydomain.com/login handler=/login/:name
logger=context userId=0 orgId=0 uname= t=2024-02-06T16:28:39.997115469Z level=info msg="Request Completed" method=GET path=/login/google status=302 remote_addr=147.12.244.38 time_ms=653 duration=653.364239ms size=24 referer=https://accounts.google.com/ handler=/login/:name
logger=context userId=7 orgId=1 uname=me@mydomain.com t=2024-02-06T16:28:40.242985891Z level=info msg="Request Completed" method=GET path=/api/live/ws status=-1 remote_addr=147.12.244.38 time_ms=1 duration=1.566925ms size=0 referer= handler=/api/live/ws

In the UI, the user has the expected e-mail address that is used in the role mapping.

  • Did you follow any online instructions? If so, what is the URL?

Switching from an e-mail to a group solved this for us.

role_attribute_path: contains(groups[*], 'grafana.admins@mydomain.com') && 'Admin' || 'Viewer'
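
A small offline audit of the role-mapping keys discussed in this thread, added here as an example (it is not code from the post or from Grafana). It assumes Grafana's documented role names, where `Admin` is the organization role and `GrafanaAdmin` is the server-admin role gated by `allow_assign_grafana_admin`; the function name and the sample INI are constructed for illustration.

```python
import configparser
import re

# Constructed sample: the [auth.google] keys from the post, reduced to the ones checked.
SAMPLE_INI = """
[auth.google]
allow_assign_grafana_admin = true
role_attribute_path = email=='me@mydomain.com' && 'Admin' || 'Editor'
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
"""

# Role names per Grafana's OAuth role-mapping documentation (assumption of this example).
ROLES = {"Viewer", "Editor", "Admin", "GrafanaAdmin"}
GROUPS_SCOPE = "https://www.googleapis.com/auth/cloud-identity.groups.readonly"


def audit_role_mapping(ini_text, section="auth.google"):
    """Return (roles the expression can yield, findings) for one OAuth section."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ini_text)
    sec = cfg[section]
    path = sec.get("role_attribute_path", "")

    # Role names can only come from quoted literals in the JMESPath expression.
    roles = [lit for lit in re.findall(r"'([^']*)'", path) if lit in ROLES]
    # Identifiers are what remains once the quoted literals are removed.
    bare = re.sub(r"'[^']*'", "", path)
    allow_admin = sec.getboolean("allow_assign_grafana_admin", fallback=False)
    scopes = re.split(r"[\s,]+", sec.get("scopes", "").strip())

    findings = []
    if not roles:
        findings.append("role_attribute_path returns no known role name")
    if allow_admin and "GrafanaAdmin" not in roles:
        findings.append("allow_assign_grafana_admin is true but no branch returns "
                        "'GrafanaAdmin'; 'Admin' is the organization role only")
    if "GrafanaAdmin" in roles and not allow_admin:
        findings.append("'GrafanaAdmin' is returned but "
                        "allow_assign_grafana_admin is not true")
    if re.search(r"\bgroups\b", bare) and GROUPS_SCOPE not in scopes:
        findings.append("expression reads 'groups' but the Cloud Identity "
                        "groups scope is not requested")
    return roles, findings


if __name__ == "__main__":
    for finding in audit_role_mapping(SAMPLE_INI)[1]:
        print("finding:", finding)
```
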