Using provisioning for Webhook Notification Channel, need to store an encrypted password

Hi all,
I’m looking to create a provisioning config file for a Notification Channel within Grafana. In particular, this will be a webhook for a custom endpoint, and the endpoint requires a username/password.
Normally, we’ll use an encryption library like Jasypt for storing passwords in files accessed by Java programs. However, there doesn’t seem to be such an equivalent for Grafana. Has anyone found a suitable workaround or alternative for this? The goal is to not have the password stored in plaintext in the provisioning file.

For reference, here’s what the provisioning file currently looks like:

 # # config file version
apiVersion: 1

  - name: ExampleChannel
    type: webhook
    uid: notifier1
    orgId: 1
    is_default: false
    send_reminder: true
    frequency: 5m
    disable_resolve_message: false
      uploadImage: false
      url: https://myURL:8080
      username: myUsername
      password: myPasswordThatNeedsEncryption
  - name: ExampleChannel
    orgId: 1
    uid: notifier1

It depends a little on your setup. We don’t support any form of secret encryption mechanism directly in Grafana, but you can separate out the secret deployment from the provisioning files.

If you can place the secret in a plaintext file somewhere on the file system you can access it with the $__file variable expander $__file{/mount/secrets/path} (new feature in v7.1), otherwise you could use an environment variable ${GRAFANA_WEBHOOK_SECRET} (this works for older versions as well).

p.s. If you’re running Grafana Enterprise the best way to do this is to use our new Hashicorp Vault integration.

1 Like

Great, thank you! I’ll give the environment variable approach a try.