Using provisioning for Webhook Notification Channel, need to store an encrypted password

Hi all,
I’m looking to create a provisioning config file for a Notification Channel within Grafana. In particular, this will be a webhook for a custom endpoint, and the endpoint requires a username/password.
Normally, we’ll use an encryption library like Jasypt for storing passwords in files accessed by Java programs. However, there doesn’t seem to be such an equivalent for Grafana. Has anyone found a suitable workaround or alternative for this? The goal is to not have the password stored in plaintext in the provisioning file.

For reference, here’s what the provisioning file currently looks like:

# config file version
apiVersion: 1

notifiers:
  - name: ExampleChannel
    type: webhook
    uid: notifier1
    orgId: 1
    is_default: false
    send_reminder: true
    frequency: 5m
    disable_resolve_message: false
    settings:
      uploadImage: false
      url: https://myURL:8080
      username: myUsername
      password: myPasswordThatNeedsEncryption
delete_notifiers:
  - name: ExampleChannel
    orgId: 1
    uid: notifier1

It depends a little on your setup. We don’t support any form of secret encryption mechanism directly in Grafana, but you can separate out the secret deployment from the provisioning files.

If you can place the secret in a plaintext file somewhere on the file system you can access it with the $__file variable expander $__file{/mount/secrets/path} (new feature in v7.1), otherwise you could use an environment variable ${GRAFANA_WEBHOOK_SECRET} (this works for older versions as well).

P.S. If you’re running Grafana Enterprise, the best way to do this is to use our new HashiCorp Vault integration.

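A pre-deploy check for the approach in the answer above, as an added example that is not part of the thread or of Grafana: it flags any `password` value in a provisioning file that is a literal rather than a `${VAR}`, `$VAR`, `$__env{VAR}` or `$__file{/path}` expansion. The function name, `SECRET_KEYS` and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Grafana code): report literal secrets in a provisioning file.
# A value passes only if it is entirely ${VAR}, $VAR, $__env{VAR} or $__file{/path}.

# Keys treated as secret; "password" is the one on this page, extend as needed.
SECRET_KEYS="${SECRET_KEYS:-password}"

# Prints "<line>:<key>" per literal secret and returns 1 if any were found.
find_literal_secrets() {
    awk -v keys="$SECRET_KEYS" '
    {
        line = $0
        sub(/[ \t]+#.*$/, "", line)                 # drop trailing comment
        sub(/[ \t]+$/, "", line)                    # drop trailing whitespace
        if (!match(line, /^[ \t]*(-[ \t]+)?[A-Za-z_]+:[ \t]*/)) next
        key = substr(line, 1, RLENGTH)
        sub(/^[ \t]*(-[ \t]+)?/, "", key)
        sub(/:[ \t]*$/, "", key)
        if (tolower(key) !~ ("^(" keys ")$")) next
        val = substr(line, RLENGTH + 1)
        gsub(/^["'\'']|["'\'']$/, "", val)          # strip surrounding quotes
        if (val == "") next
        if (val ~ /^\$[{][A-Za-z_][A-Za-z0-9_]*[}]$/) next   # ${VAR}
        if (val ~ /^\$[A-Za-z_][A-Za-z0-9_]*$/) next         # $VAR
        if (val ~ /^\$__(env|file)[{][^}]+[}]$/) next        # $__env{} or $__file{}
        printf "%d:%s\n", NR, key
        bad = 1
    }
    END { exit bad + 0 }' "$1"
}

# Constructed samples: the plaintext form from the question, then the two
# alternatives from the answer.
demo_dir=$(mktemp -d)
printf 'settings:\n  username: myUsername\n  password: myPasswordThatNeedsEncryption\n' \
    > "$demo_dir/plain.yaml"
printf 'settings:\n  password: $__file{/mount/secrets/path}\n' > "$demo_dir/file.yaml"
printf 'settings:\n  password: ${GRAFANA_WEBHOOK_SECRET}\n' > "$demo_dir/env.yaml"

for f in plain file env; do
    find_literal_secrets "$demo_dir/$f.yaml" && echo "$f.yaml: ok" \
        || echo "$f.yaml: literal secret"
done
```

Passing this check only shows that the provisioning file holds a reference; the mounted file or environment variable it points to still contains the secret in plaintext and needs its own access restrictions.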

Great, thank you! I’ll give the environment variable approach a try.