Implementing Amazon Cognito Authentication for Grafana

Created on 2025-03-15 13:29
Published on 2025-03-15 14:52
In this guide, we’ll walk through implementing Amazon Cognito Authentication for Grafana.
There are four high-level steps:
1. Setting up Grafana on an Ubuntu EC2 instance.
2. Creating an Amazon Cognito user pool and app client.
3. Setting up an Nginx reverse proxy and using Certbot for SSL.
4. Updating the Grafana configuration to use Cognito authentication.
Let’s dive in.
Let's create an Ubuntu machine and install the necessary packages and Grafana on it.




Add Grafana APT Repository -

Install Grafana -

Enable, start and verify Grafana Service -

Now we will create a Route 53 A record for the machine's IP address. We will need it later. I already have a domain name: awsverse.xyz

In the AWS Console, go to the Amazon Cognito service. We have to provide a name, a configuration option for sign-in identifiers, and the required attributes for sign-up. We select email here because we want our users to sign in with their email address.

Creating Amazon Cognito User Pool

Next, to create an app client, we will go to the "App integration" section, click "Create an app client", provide a name, configure authentication settings, and enable necessary OAuth flows. Finally, we will update the app client settings to allow required authentication flows and save the configuration.


We have now created the Amazon Cognito user pool and app client and made the necessary configuration changes.
We will be using Nginx as a reverse proxy. Nginx will handle client requests and forward them to the Grafana service while optimizing performance and security. Callback URLs support only HTTPS, so for SSL/TLS encryption we will use Certbot, a free and automated tool provided by Let’s Encrypt, to generate and manage SSL certificates. Certbot keeps our setup secure by enabling HTTPS, which encrypts data in transit. This setup improves both security and performance and gives users a seamless, secure experience.

Create a file /etc/nginx/sites-available/grafana.conf with the following content:
Enable and test the configuration, then restart the Nginx service.

Successfully deployed the certificate using Certbot
Use Certbot to generate and deploy the certificates. The command is below; the reference image is above.

Grafana Login Page
We will be able to see the Grafana Login Page.
Now we have to implement Amazon Cognito authentication. For that, we need to modify the /etc/grafana/grafana.ini file.
Before that, we check and configure a domain in the Amazon Cognito console.

Domain
Now we will update the /etc/grafana/grafana.ini file. We will get all of these details from the Amazon Cognito console. Here's what the grafana.ini file looks like after adding the AWS Cognito related configuration.
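
A sketch of the relevant grafana.ini sections for this kind of setup, added here as an example and not the author's own file. The option names are Grafana's generic OAuth settings; grafana.example.com, every <...> value and the scope list are placeholders or assumptions, and the URLs assume a Cognito prefix domain rather than a custom domain. The matching callback URL on the app client would be https://grafana.example.com/login/generic_oauth.

```ini
; /etc/grafana/grafana.ini (excerpt). grafana.example.com and all <...> values
; are placeholders; take the real values from the Cognito console.

[server]
; Grafana builds its OAuth redirect URI from root_url, so this must be the
; public HTTPS URL served by Nginx, not http://localhost:3000.
domain = grafana.example.com
root_url = https://grafana.example.com/

[auth]
; After a Grafana logout, also end the Cognito session. The logout_uri value
; must be listed as an allowed sign-out URL on the app client.
signout_redirect_url = https://<domain-prefix>.auth.<region>.amazoncognito.com/logout?client_id=<app-client-id>&logout_uri=https://grafana.example.com/login

[auth.generic_oauth]
enabled = true
name = AWS Cognito
client_id = <app-client-id>
; Keep the secret out of version control and keep grafana.ini readable only
; by root and the grafana group.
client_secret = <app-client-secret>
; Assumed scopes; each one must also be enabled on the Cognito app client.
scopes = openid email profile
auth_url = https://<domain-prefix>.auth.<region>.amazoncognito.com/oauth2/authorize
token_url = https://<domain-prefix>.auth.<region>.amazoncognito.com/oauth2/token
api_url = https://<domain-prefix>.auth.<region>.amazoncognito.com/oauth2/userInfo
use_pkce = true
; With allow_sign_up = true, Grafana creates an account for anyone who can
; authenticate against the user pool. Keep self-registration disabled in
; Cognito, or set this to false once the intended users exist.
allow_sign_up = true
```
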

Save the file and restart the Grafana Service.
After that, go to the Amazon Cognito console and update the callback URL, logout URL and scope.

Update Callback URL and Sign Out URL
After that, go to the Grafana web page and refresh it. You will see the option to sign in using Amazon Cognito.

Grafana Login Page
When you click "Sign in with AWS Cognito", it will redirect you to the Managed Login Page of Amazon Cognito.

Cognito Managed Hosted UI
Now we will create a user for ourselves. The user will be confirmed once we log in.

Users in Amazon Cognito Console
Using the email ID and password, we will be able to log in to Grafana. The following is the URL we are redirected to when we click "Sign in with Amazon Cognito".

Grafana Home Page after Login
Here is how I have configured the authentication method and password policy.

Authentication Methods - Email

Password Policy
Also, I will uncheck the self-registration option to restrict Grafana access to the intended users only.

Edit Self Service Sign Up
So there is no longer a "create account" option on the login page:

Managed UI Login Page.
Cognito also supports other identity providers and SSO capabilities, so we can use those as well. We will look at that in a future blog post.

Identity Providers in Cognito
Thank you for reading,
See you all in the next blog,
Best Regards,




