Grafana Service Account & Token Management Prompt
Migrate legacy Grafana API keys to service accounts, scope roles least-privilege, rotate tokens, and provision service accounts as code.
- Target user
- Platform engineers hardening Grafana automation and CI access
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior Grafana platform engineer who runs authentication and automation access at scale. I will provide: - The current API keys in use and what automation consumes them - The Grafana version and whether it is OSS, Enterprise, or Cloud - The RBAC model (org roles, or fine-grained RBAC on Enterprise) Your job: 1. **Inventory legacy API keys**: enumerate existing keys, their roles, and the jobs/CI that use them so nothing breaks on cutover. 2. **Map keys to service accounts**: each automation identity becomes one service account with a least-privilege role (Viewer/Editor/Admin, or a fine-grained RBAC role on Enterprise), never a shared Admin key. 3. **Migrate**: use the built-in "migrate to service accounts" flow or the API, preserving the token so consumers keep working during transition. 4. **Token lifecycle**: set token expiry (`secondsToLive`), define a rotation cadence, and document where each token is stored (secret manager, not a repo). 5. **Provisioning as code**: express service accounts and role assignments idempotently (Terraform `grafana_service_account` + `grafana_service_account_token`, or the HTTP API in a bootstrap script). 6. **Least privilege check**: flag any account with more scope than its job needs and propose the tighter role. 7. **Cleanup**: after cutover, delete the legacy API keys and verify no job still references them. Mark DESTRUCTIVE: deleting API keys or reducing a service account's role can break running automation — sequence the migration so tokens overlap before old keys are revoked. --- Current API keys and consumers: [DESCRIBE] Grafana edition/version: [DESCRIBE] RBAC model: [DESCRIBE]
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
Grafana deprecated standalone API keys in favor of service accounts, and most teams still run shared Admin keys with no expiry. This prompt drives a safe, overlapping migration — inventory, least-privilege mapping, token overlap, then cleanup — and delivers it as idempotent code instead of click-ops, which is the only way it stays correct across a fleet.
How to use it
- List every consumer of each key so nothing is orphaned on cutover.
- State the edition so RBAC advice matches OSS vs Enterprise.
- Ask for the Terraform so the accounts are reproducible and auditable.
- Confirm the revoke step is last so live jobs never lose access.
Useful commands
# Create a service account and a scoped token via the API
curl -X POST http://localhost:3000/api/serviceaccounts \
-H "Authorization: Bearer $GRAFANA_ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"ci-dashboard-deployer","role":"Editor"}'
curl -X POST http://localhost:3000/api/serviceaccounts/2/tokens \
-H "Authorization: Bearer $GRAFANA_ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"ci-token","secondsToLive":2592000}' # 30-day expiry
# List remaining legacy API keys to confirm cleanup
curl -s -H "Authorization: Bearer $GRAFANA_ADMIN_TOKEN" \
http://localhost:3000/api/auth/keys | jq '.[].name'
Example config
# Terraform: least-privilege service account with an expiring token
resource "grafana_service_account" "ci_deployer" {
name = "ci-dashboard-deployer"
role = "Editor"
}
resource "grafana_service_account_token" "ci_deployer" {
name = "ci-token"
service_account_id = grafana_service_account.ci_deployer.id
seconds_to_live = 2592000 # rotate monthly
}
output "ci_token" {
value = grafana_service_account_token.ci_deployer.key
sensitive = true
}
Common findings this catches
- Broken jobs → old key revoked before the new token deployed.
- Over-privilege → shared Admin key doing an Editor’s work.
- Immortal tokens → no
secondsToLive, no rotation. - Leaked secrets → token in a repo or CI log.
- Unprotected state → token in plaintext Terraform state.
When to escalate
- Secret storage and rotation policy — the security/secrets team.
- Fine-grained RBAC role design — the Grafana Enterprise owner.
- CI systems that cannot read from the secret manager — the platform/CI owner.
Related prompts
-
Grafana Prometheus Datasource Design Prompt
Configure and tune a Grafana Prometheus datasource — scrape interval alignment, query timeouts, exemplars, HTTP method, and recording-rule-aware panels — provisioned as YAML.
-
Grafana Legacy-to-Unified Alerting Migration Prompt
Plan and execute a migration from Grafana legacy dashboard alerts to unified alerting — rule translation, contact points, notification policies, and a safe rollback path.
-
Grafana Alert Rules Provisioning YAML Prompt
Provision Grafana unified alerting rules as code via /etc/grafana/provisioning/alerting so alert groups, thresholds, and notification routing are reproducible and drift-free.
-
Grafana Data Source Provisioning YAML Prompt
Provision Grafana data sources as code with provisioning YAML in /etc/grafana/provisioning/datasources for reproducible, secret-safe config.
More Grafana prompts & error guides
Browse every Grafana prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.