Set up a Grafana connector

Capabilities

Resource	Sync	Provision
Accounts
Organizations

The Grafana connector supports both self-hosted Grafana instances and Grafana Cloud. The required credentials and provisioning behavior differ between the two — see Gather Grafana credentials below. The Grafana connector supports automatic account provisioning and deprovisioning. For self-hosted Grafana, when a new account is created by ConductorOne, the account’s password is sent to a vault. For Grafana Cloud, account creation is invite-based and no connector-generated password is returned.

Grafana Cloud: provisioning organization roles for externally synced usersIn Grafana Cloud, users who sign in through an external identity provider (such as Grafana.com SSO, Okta, Azure AD, or any OAuth/SAML provider) have their organization roles controlled by that provider. By default, Grafana blocks API-level role changes for these users, which prevents ConductorOne from provisioning organization entitlements for them.To allow ConductorOne to manage organization roles for these users, enable Skip org role sync for the relevant SSO provider in your Grafana instance:

In Grafana, go to Administration → Authentication.
Select the SSO provider your users log in with.
Enable Skip org role sync (equivalent to setting skip_org_role_sync = true).

Once this is enabled, Grafana stops overriding org roles on login and ConductorOne becomes the authoritative source for role assignments. This is a global setting that applies to all users under that provider.This step is not required for self-hosted Grafana instances using basic (username/password) authentication.

Gather Grafana credentials

Configuring the connector requires credentials obtained in your Grafana instance. The credentials you need depend on whether you are connecting to Grafana Cloud or a self-hosted Grafana instance.

Grafana Cloud
Self-hosted Grafana

For Grafana Cloud, the connector authenticates using a service account token. Basic username/password authentication is not supported in Cloud mode.To create a service account token:

In your Grafana Cloud instance, go to Administration → Users and access → Service accounts.
Click Add service account, give it a name, and assign it the Admin role.
Open the new service account and click Add service account token.
Copy and save the generated token — it will not be shown again.

You will need:

Your Grafana Cloud instance URL (e.g., https://your-org.grafana.net)
The service account token generated above

That’s it! Next, move on to the connector configuration instructions.

Configure the Grafana connector

To complete this task, you’ll need:

The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of Grafana credentials gathered by following the instructions above

Cloud-hosted
Self-hosted

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.

In ConductorOne, navigate to Integrations > Connectors and click Add connector.

Search for Grafana and click Add.

Choose how to set up the new Grafana connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

Click Next.

Find the Settings area of the page and click Edit.

Paste your Grafana instance URL into the Instance URL field.

Enter your credentials based on your Grafana deployment type:

Grafana Cloud: Select “API Key” as the auth method and paste your service account token into the API Token field.
Self-hosted Grafana: Select “Basic Authentication” as the auth method and paste the admin account’s username and password into the Username and Password fields.

Click Save.

The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Grafana connector is now pulling access data into ConductorOne.

Follow these instructions to use the Grafana connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Resources

GitHub repository: Access the source code, report issues, or contribute to the project.

Step 1: Set up a new Grafana connector

In ConductorOne, navigate to Integrations > Connectors > Add connector.

Search for Baton and click Add.

Choose how to set up the new Grafana connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Click Next.

In the Settings area of the page, click Edit.

Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your Grafana connector deployment. Use the secrets configuration that matches your Grafana deployment type.

Secrets configuration — Grafana Cloud

# baton-grafana-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-grafana-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>

  # Grafana Cloud credentials
  BATON_HOSTNAME: <Grafana Cloud instance URL>       # e.g. https://your-org.grafana.net
  BATON_API_TOKEN: <service account token>

  # Optional: Include if you want ConductorOne to provision access using this connector
  BATON_PROVISIONING: true

Secrets configuration — Self-hosted Grafana

# baton-grafana-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-grafana-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>

  # Self-hosted Grafana credentials
  BATON_HOSTNAME: <Grafana instance URL>
  BATON_USERNAME: <Grafana account username>
  BATON_PASSWORD: <Grafana account password>

  # Optional: Include if you want ConductorOne to provision access using this connector
  BATON_PROVISIONING: true

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-grafana.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-grafana
  labels:
    app: baton-grafana
spec:
  selector:
    matchLabels:
      app: baton-grafana
  template:
    metadata:
      labels:
        app: baton-grafana
        baton: true
        baton-app: grafana
    spec:
      containers:
      - name: baton-grafana
        image: ghcr.io/conductorone/baton-grafana:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: BATON_HOST_ID
          value: baton-grafana
        envFrom:
        - secretRef:
            name: baton-grafana-secrets

Step 3: Deploy the connector

Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.

Check that the connector data uploaded correctly. In ConductorOne, click Apps. On the Managed apps tab, locate and click the name of the application you added the Grafana connector to. Grafana data should be found on the Entitlements and Accounts tabs.

That’s it! Your Grafana connector is now pulling access data into ConductorOne.

Welcome

Manage connectors

Deploy connectors

Upload connector data

Configurable connectors

Pre-built connectors

Set up a Grafana connector

Capabilities

Gather Grafana credentials

Configure the Grafana connector

Resources

Step 1: Set up a new Grafana connector

Step 2: Create Kubernetes configuration files

Secrets configuration — Grafana Cloud

Secrets configuration — Self-hosted Grafana

Deployment configuration

Step 3: Deploy the connector

Welcome

Manage connectors

Deploy connectors

Upload connector data

Configurable connectors

Pre-built connectors

​Capabilities

​Gather Grafana credentials

​Configure the Grafana connector

​Resources

​Step 1: Set up a new Grafana connector

​Step 2: Create Kubernetes configuration files

​Secrets configuration — Grafana Cloud

​Secrets configuration — Self-hosted Grafana

​Deployment configuration

​Step 3: Deploy the connector

Capabilities

Gather Grafana credentials

Configure the Grafana connector

Resources

Step 1: Set up a new Grafana connector

Step 2: Create Kubernetes configuration files

Secrets configuration — Grafana Cloud

Secrets configuration — Self-hosted Grafana

Deployment configuration

Step 3: Deploy the connector