diff --git a/docs/sources/administration/organization-management/index.md b/docs/sources/administration/organization-management/index.md index 6c4d52941f3..6303247d62b 100644 --- a/docs/sources/administration/organization-management/index.md +++ b/docs/sources/administration/organization-management/index.md @@ -39,7 +39,7 @@ The following table summarizes the resources you can share and/or isolate using | Notification channels | Isolate only | | Annotations | Isolate only | | Reports | Isolate only | -| API keys | Isolate only | +| Service accounts | Isolate only | | Authentication providers | Share only | | Configuration settings | Share only | | Licenses | Share | diff --git a/docs/sources/administration/roles-and-permissions/_index.md b/docs/sources/administration/roles-and-permissions/_index.md index d7c237394cf..ea04ffab370 100644 --- a/docs/sources/administration/roles-and-permissions/_index.md +++ b/docs/sources/administration/roles-and-permissions/_index.md @@ -71,7 +71,7 @@ Permissions assigned to a user within an organization control the extent to whic - plugins - annotations - library panels -- API keys +- service accounts For more information about managing organization users, see [User management](../user-management/manage-org-users/). diff --git a/docs/sources/developers/http_api/auth.md b/docs/sources/developers/http_api/auth.md deleted file mode 100644 index 898def0691b..00000000000 --- a/docs/sources/developers/http_api/auth.md +++ /dev/null @@ -1,135 +0,0 @@ ---- -aliases: - - ../../http_api/auth/ - - ../../http_api/authentication/ -canonical: /docs/grafana/latest/developers/http_api/auth/ -description: Grafana Authentication HTTP API -keywords: - - grafana - - http - - documentation - - api - - authentication -labels: - products: - - enterprise - - oss -title: 'Authentication HTTP API ' ---- - -# Authentication API - -The Authentication HTTP API is used to manage API keys. - -{{% admonition type="note" %}} -Grafana recommends using service accounts instead of API keys. For more information, refer to [Grafana service account API reference](../serviceaccount/). -{{% /admonition %}} - -> If you are running Grafana Enterprise, for some endpoints you would need to have relevant permissions. Refer to [Role-based access control permissions](../../../administration/roles-and-permissions/access-control/custom-role-actions-scopes/) for more information. - -## List API keys - -{{% admonition type="warning" %}} -This endpoint is deprecated. - -{{% /admonition %}} - -`GET /api/auth/keys` - -**Required permissions** - -See note in the [introduction](#authentication-api) for an explanation. - -| Action | Scope | -| -------------- | ----------- | -| `apikeys:read` | `apikeys:*` | - -**Example Request**: - -```http -GET /api/auth/keys HTTP/1.1 -Accept: application/json -Content-Type: application/json -Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk -``` - -Query Parameters: - -- `includeExpired`: boolean. enable listing of expired keys. Optional. - -**Example Response**: - -```http -HTTP/1.1 200 -Content-Type: application/json - -[ - { - "id": 3, - "name": "API", - "role": "Admin" - }, - { - "id": 1, - "name": "TestAdmin", - "role": "Admin", - "expiration": "2019-06-26T10:52:03+03:00" - } -] -``` - -## Create API Key - -{{% admonition type="warning" %}} -This endpoint has been made obsolete in Grafana 11.3.0. - -{{% /admonition %}} - -Endpoint is obsolete and has been moved to [Grafana service account API](../serviceaccount/). For more information, refer to [Migrate to Grafana service account API](/docs/grafana//administration/service-accounts/migrate-api-keys/). - -`POST /api/auth/keys` - -**Example Response**: - -```http -HTTP/1.1 410 -Content-Type: application/json - -{"message":"this endpoint has been removed, please use POST /api/serviceaccounts and POST /api/serviceaccounts/{id}/tokens instead"} -``` - -## Delete API Key - -{{% admonition type="warning" %}} - -### DEPRECATED - -{{% /admonition %}} - -`DELETE /api/auth/keys/:id` - -**Required permissions** - -See note in the [introduction](#authentication-api) for an explanation. - -| Action | Scope | -| ---------------- | ---------- | -| `apikeys:delete` | apikeys:\* | - -**Example Request**: - -```http -DELETE /api/auth/keys/3 HTTP/1.1 -Accept: application/json -Content-Type: application/json -Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk -``` - -**Example Response**: - -```http -HTTP/1.1 200 -Content-Type: application/json - -{"message":"API key deleted"} -``` diff --git a/docs/sources/developers/http_api/serviceaccount.md b/docs/sources/developers/http_api/serviceaccount.md index ba7c2db85f2..928fe7bf84d 100644 --- a/docs/sources/developers/http_api/serviceaccount.md +++ b/docs/sources/developers/http_api/serviceaccount.md @@ -260,134 +260,6 @@ Content-Type: application/json --- -## Migrate API keys to service accounts - -`POST /api/serviceaccounts/migrate` - -**Required permissions** - -See note in the [introduction](#service-account-api) for an explanation. - -| Action | Scope | -| --------------------- | ------------------ | -| serviceaccounts:write | serviceaccounts:\* | - -**Example Request**: - -```http -POST /api/serviceaccounts/migrate HTTP/1.1 -Accept: application/json -Content-Type: application/json -Authorization: Basic YWRtaW46YWRtaW4= -``` - -**Example Response**: - -```http -HTTP/1.1 200 -Content-Type: application/json - -{ - "message": "API keys migrated to service accounts" -} -``` - -## Migrate API key to service account - -`POST /api/serviceaccounts/migrate/:keyId` - -**Required permissions** - -See note in the [introduction](#service-account-api) for an explanation. - -| Action | Scope | -| --------------------- | ------------------ | -| serviceaccounts:write | serviceaccounts:\* | - -**Example Request**: - -```http -POST /api/serviceaccounts/migrate/4 HTTP/1.1 -Accept: application/json -Content-Type: application/json -Authorization: Basic YWRtaW46YWRtaW4= -``` - -**Example Response**: - -```http -HTTP/1.1 200 -Content-Type: application/json - -{ - "message": "Service accounts migrated" -} -``` - -## Get API key to service account migration status - -`GET /api/serviceaccounts/migrationstatus` - -**Required permissions** - -See note in the [introduction](#service-account-api) for an explanation. - -| Action | Scope | -| -------------------- | ------------------ | -| serviceaccounts:read | serviceaccounts:\* | - -**Example Request**: - -```http -POST /api/serviceaccounts/migrationstatus HTTP/1.1 -Accept: application/json -Content-Type: application/json -Authorization: Basic YWRtaW46YWRtaW4= -``` - -**Example Response**: - -```http -HTTP/1.1 200 -Content-Type: application/json - -{ - "migrated": true -} -``` - -## Hide the API keys tab - -`GET /api/serviceaccounts/hideApiKeys` - -**Required permissions** - -See note in the [introduction](#service-account-api) for an explanation. - -| Action | Scope | -| --------------------- | ------------------ | -| serviceaccounts:write | serviceaccounts:\* | - -**Example Request**: - -```http -POST /api/serviceaccounts/hideApiKeys HTTP/1.1 -Accept: application/json -Content-Type: application/json -Authorization: Basic YWRtaW46YWRtaW4= -``` - -**Example Response**: - -```http -HTTP/1.1 200 -Content-Type: application/json - -{ - "message": "API keys hidden" -} -``` - ## Get service account tokens `GET /api/serviceaccounts/:id/tokens` @@ -500,37 +372,3 @@ Content-Type: application/json "message": "API key deleted" } ``` - -## Revert service account token to API key - -`DELETE /api/serviceaccounts/:serviceAccountId/revert/:keyId` - -This operation will delete the service account and create a legacy API Key for the given `keyId`. - -**Required permissions** - -See note in the [introduction](#service-account-api) for an explanation. - -| Action | Scope | -| ---------------------- | --------------------- | -| serviceaccounts:delete | serviceaccounts:id:\* | - -**Example Request**: - -```http -DELETE /api/serviceaccounts/1/revert/glsa_VVQjot0nijQ59lun6pMZRtsdBXxnFQ9M_77c34a79 HTTP/1.1 -Accept: application/json -Content-Type: application/json -Authorization: Basic YWRtaW46YWRtaW4= -``` - -**Example Response**: - -```http -HTTP/1.1 200 -Content-Type: application/json - -{ - "message": "Reverted service account to API key" -} -``` diff --git a/docs/sources/setup-grafana/configure-security/planning-iam-strategy/index.md b/docs/sources/setup-grafana/configure-security/planning-iam-strategy/index.md index 872348d4650..34d3ccd8dcb 100644 --- a/docs/sources/setup-grafana/configure-security/planning-iam-strategy/index.md +++ b/docs/sources/setup-grafana/configure-security/planning-iam-strategy/index.md @@ -133,14 +133,6 @@ In Grafana's audit logs it will still show up as the same service account. Service account access tokens inherit permissions from the service account. -### API keys - -{{< admonition type="note" >}} -Grafana recommends using service accounts instead of API keys. API keys will be deprecated in the near future. For more information, refer to [Grafana service accounts](./#service-accounts). -{{< /admonition >}} - -You can use Grafana API keys to interact with data sources via HTTP APIs. - ## How to work with roles? Grafana roles control the access of users and service accounts to specific resources and determine their authorized actions.