With AWS SSO data source via docker-compose.yml

Struggling to find docs on how to get local Grafana running via a docker-compose.yml working nicely with the AWS CLI.

I’ve tried:

services:
  grafana:
    image: grafana/grafana
    ports: ['3000:3000']
    environment:
      GF_SECURITY_ADMIN_PASSWORD: foobar
      GF_AUTH_ANONYMOUS_ENABLED: "true"   # quoted so YAML hands Grafana a string rather than a boolean
      GF_INSTALL_PLUGINS: grafana-athena-datasource
    volumes:
      - ~/.aws:/home/grafana/.aws   # share the host's AWS CLI config and SSO cache with the container

And I tried: - ~/.aws:/root/.aws, and the CLI doesn't seem to get imported.

So increase the log level and check the debug logs for more details. It can be a permissions issue, a wrong location, …

Any luck with this?
This is what I get with GF_LOG_LEVEL=debug:

grafana_1   | logger=token t=2025-01-14T18:05:59.374529561Z level=debug msg=FeatureEnabled feature=accesscontrol.enforcement enabled=false licenseStatus=NotFound hasLicense=false hasValidLicense=false products=[]
grafana_1   | logger=id-service t=2025-01-14T18:05:59.377412489Z level=debug msg="Cached token found" id=user:1
grafana_1   | logger=accesscontrol t=2025-01-14T18:05:59.378080472Z level=debug msg="Evaluating permissions" id=user:1 orgID=1 permissions="action:datasources:query scopes:"
grafana_1   | logger=datasources t=2025-01-14T18:05:59.378748456Z level=debug msg="Querying for data source via SQL store" id=1 orgId=1
grafana_1   | logger=token t=2025-01-14T18:05:59.380338416Z level=debug msg=FeatureEnabled feature=dspermissions.enforcement enabled=false licenseStatus=NotFound hasLicense=false hasValidLicense=false products=[]
grafana_1   | logger=secrets.kvstore t=2025-01-14T18:05:59.381979376Z level=debug msg="got secret value" orgId=1 type=datasource namespace=grafana-timestream-datasource
grafana_1   | logger=plugin.grafana-timestream-datasource t=2025-01-14T18:05:59.38825722Z level=debug msg="Plugin Request Started" dsName=grafana-timestream-datasource dsUid=be9zlh7ojcpogd endpoint=callResource pluginId=grafana-timestream-datasource uname=admin
grafana_1   | logger=plugin.grafana-timestream-datasource t=2025-01-14T18:05:59.388678209Z level=debug msg="Authenticating towards AWS with default SDK method" region=us-east-1
grafana_1   | logger=plugin.grafana-timestream-datasource t=2025-01-14T18:05:59.390345168Z level=debug msg="Successfully created AWS session"
grafana_1   | logger=ngalert.scheduler t=2025-01-14T18:06:00.002461957Z level=debug msg="Alert rules fetched" rulesCount=0 foldersCount=0 updatedRules=0
grafana_1   | logger=plugin.grafana-timestream-datasource t=2025-01-14T18:06:01.126585028Z level=error msg="Plugin Request Completed" uname=admin dsName=grafana-timestream-datasource statusSource=plugin dsUid=be9zlh7ojcpogd duration=1.738311809s endpoint=callResource error="NoCredentialProviders: no valid providers in chain\ncaused by: EnvAccessKeyNotFound: failed to find credentials in the environment.\nSharedCredsLoad: failed to load profile, myawsssoprofile.\nEC2RoleRequestError: no EC2 instance role found\ncaused by: RequestError: send request failed\ncaused by: Get \"http://169.254.169.254/latest/meta-data/iam/security-credentials/\": dial tcp 169.254.169.254:80: connect: connection refused" pluginId=grafana-timestream-datasource status=error
grafana_1   | logger=context userId=1 orgId=1 uname=admin t=2025-01-14T18:06:01.128770974Z level=error msg=InternalError error="[plugin.downstreamError] client: failed to call resources: failed to receive call resource response: rpc error: code = Unknown desc = NoCredentialProviders: no valid providers in chain\ncaused by: EnvAccessKeyNotFound: failed to find credentials in the environment.\nSharedCredsLoad: failed to load profile, myawsssoprofile.\nEC2RoleRequestError: no EC2 instance role found\ncaused by: RequestError: send request failed\ncaused by: Get \"http://169.254.169.254/latest/meta-data/iam/security-credentials/\": dial tcp 169.254.169.254:80: connect: connection refused" remote_addr=172.23.0.1 traceID=
grafana_1   | logger=context userId=1 orgId=1 uname=admin t=2025-01-14T18:06:01.129131965Z level=error msg="Request Completed" method=GET path=/api/datasources/1/resources/databases status=500 remote_addr=172.23.0.1 time_ms=1758 duration=1.758698303s size=116 referer=http://localhost:3000/connections/datasources/edit/be9zlh7ojcpogd handler=/api/datasources/:id/resources/* status_source=downstream

I already did

aws sso login

and verified that the following is created:

~/.aws/sso/...

And I am mounting the entire ~/.aws into the container:

    volumes:
      - ~/.aws:/home/grafana/.aws:ro

I tried different volume mounts without any luck.

Looking at the source, it looks like Grafana does not support AWS SSO:

Grafana uses the AWS Go SDK v1. And to use SSO with v1, it needs to enable SharedConfigEnable:

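To make the last point concrete, here is a small model of how the AWS SDK for Go v1 default chain looks up a named profile with and without SharedConfigEnable, which is why the mounted ~/.aws config produces "SharedCredsLoad: failed to load profile" in the log above. This is an added illustrative example, not Grafana's, the plugin's or the SDK's own code; the profile name, file contents and the AWS_SDK_LOAD_CONFIG=1 variable mentioned in the comments come from the SDK's documented behaviour and are not taken from the thread.

```python
"""Model of how the AWS SDK for Go v1 resolves a named profile; an added example
(not Grafana's or the SDK's code) explaining the "SharedCredsLoad: failed to load
profile" line above. File contents and the profile name are constructed samples."""
import configparser

# Constructed sample files in the layout `aws configure sso` writes: static keys
# live in ~/.aws/credentials, SSO profiles only in ~/.aws/config.
CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAEXAMPLEKEYID0000
aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEY0000
"""
CONFIG_FILE = """
[profile myawsssoprofile]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = ReadOnly
region = us-east-1
"""


def _parse(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def resolve_profile(profile, credentials_text, config_text, shared_config_enabled):
    """Return the credential source the v1 default chain would settle on.

    With shared config disabled (the SDK default) only the credentials file is
    read, so an SSO profile is reported as missing. SharedConfigEnable (or the
    SDK's AWS_SDK_LOAD_CONFIG=1 variable) makes the config file visible too;
    whether a given Grafana plugin sets it is up to that plugin."""
    creds = _parse(credentials_text)
    if creds.has_section(profile) and "aws_access_key_id" in creds[profile]:
        return "static-keys"
    if not shared_config_enabled:
        return "not-found"  # the SharedCredsLoad failure seen in the log
    cfg = _parse(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cfg.has_section(section):
        return "not-found"
    sec = cfg[section]
    if "sso_start_url" in sec or "sso_session" in sec:
        return "sso"  # served from the token cached by `aws sso login`
    if "role_arn" in sec and "source_profile" in sec:
        return "assume-role"
    return "no-credentials"
```

Running resolve_profile("myawsssoprofile", ...) with shared config disabled returns "not-found" even though the profile exists in the config file, while enabling it returns "sso".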