Service account API

If you are running Grafana Enterprise and have Fine-grained access control enabled, for some endpoints you would need to have relevant permissions. Refer to specific resources to understand what permissions are required.

Search service accounts with Paging

GET /api/serviceaccounts/search?perpage=10&page=1&query=myserviceaccount

Required permissions

See note in the introduction for an explanation.

ActionScope
serviceaccounts:readglobal:serviceaccounts:*

Example Request:

  1. GET /api/serviceaccounts/search?perpage=10&page=1&query=mygraf HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Basic YWRtaW46YWRtaW4=

Default value for the perpage parameter is 1000 and for the page parameter is 1. The totalCount field in the response can be used for pagination of the user list E.g. if totalCount is equal to 100 users and the perpage parameter is set to 10 then there are 10 pages of users. The query parameter is optional and it will return results where the query value is contained in one of the name. Query values with spaces need to be URL encoded e.g. query=Jane%20Doe.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  3. {
  4.     "totalCount": 2,
  5.     "serviceAccounts": [
  6.         {
  7.             "id": 1,
  8.             "name": "grafana",
  9.             "login": "sa-grafana",
  10.             "orgId": 1,
  11.             "isDisabled": false,
  12.             "role": "Viewer",
  13.             "tokens": 0,
  14.             "avatarUrl": "/avatar/85ec38023d90823d3e5b43ef35646af9",
  15.             "accessControl": {
  16.                 "serviceaccounts:delete": true,
  17.                 "serviceaccounts:read": true,
  18.                 "serviceaccounts:write": true
  19.             }
  20.         },
  21.         {
  22.             "id": 2,
  23.             "name": "test",
  24.             "login": "sa-test",
  25.             "orgId": 1,
  26.             "isDisabled": false,
  27.             "role": "Viewer",
  28.             "tokens": 0,
  29.             "avatarUrl": "/avatar/8ea890a677d6a223c591a1beea6ea9d2",
  30.             "accessControl": {
  31.                 "serviceaccounts:delete": true,
  32.                 "serviceaccounts:read": true,
  33.                 "serviceaccounts:write": true
  34.             }
  35.         }
  36.     ],
  37.     "page": 1,
  38.     "perPage": 10
  39. }

Create service account

POST /api/serviceaccounts

Required permissions

See note in the introduction for an explanation.

ActionScope
serviceaccounts:writeserviceaccounts:*

Example Request:

  1. POST /api/serviceaccounts HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Basic YWRtaW46YWRtaW4=
  6. {
  7.   "name": "grafana",
  8.   "role": "Admin",
  9. }

Requires basic authentication and that the authenticated user is a Grafana Admin.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.     "id": 1,
  6.     "name": "test",
  7.     "login": "sa-test",
  8.     "orgId": 1,
  9.     "isDisabled": false,
  10.     "createdAt": "2022-03-21T14:35:33Z",
  11.     "updatedAt": "2022-03-21T14:35:33Z",
  12.     "avatarUrl": "/avatar/8ea890a677d6a223c591a1beea6ea9d2",
  13.     "role": "Viewer",
  14.     "teams": []
  15. }

Get single serviceaccount by Id

GET /api/serviceaccounts/:id

Required permissions

See note in the introduction for an explanation.

ActionScope
serviceaccounts:readserviceaccounts:*

Example Request:

  1. GET /api/serviceaccounts/1 HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Basic YWRtaW46YWRtaW4=

Requires basic authentication and that the authenticated user is a Grafana Admin.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.     "id": 1,
  6.     "name": "test",
  7.     "login": "sa-test",
  8.     "orgId": 1,
  9.     "isDisabled": false,
  10.     "createdAt": "2022-03-21T14:35:33Z",
  11.     "updatedAt": "2022-03-21T14:35:33Z",
  12.     "avatarUrl": "/avatar/8ea890a677d6a223c591a1beea6ea9d2",
  13.     "role": "Viewer",
  14.     "teams": []
  15. }

Update service account

PATCH /api/serviceaccounts/:id

Required permissions

See note in the introduction for an explanation.

ActionScope
serviceaccounts:writeserviceaccounts:*

Example Request:

  1. PUT /api/serviceaccounts/2 HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Basic YWRtaW46YWRtaW4=
  6. {
  7.   "name": "test",
  8.     "role": "Editor"
  9. }

Requires basic authentication and that the authenticated user is a Grafana Admin.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.     "id": 2,
  6.     "name": "test",
  7.     "login": "sa-grafana",
  8.     "orgId": 1,
  9.     "isDisabled": false,
  10.     "createdAt": "2022-03-21T14:35:44Z",
  11.     "updatedAt": "2022-03-21T14:35:44Z",
  12.     "avatarUrl": "/avatar/8ea890a677d6a223c591a1beea6ea9d2",
  13.     "role": "Editor",
  14.     "teams": []
  15. }

Service account tokens

Get service account tokens

GET /api/serviceaccounts/:id/tokens

Required permissions

See note in the introduction for an explanation.

ActionScope
serviceaccounts:readserviceaccounts:*

Example Request:

  1. GET /api/serviceaccounts/2/tokens HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Basic YWRtaW46YWRtaW4=

Requires basic authentication and that the authenticated user is a Grafana Admin.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. [
  5.     {
  6.         "id": 1,
  7.         "name": "grafana",
  8.         "role": "Viewer",
  9.         "created": "2022-03-23T10:31:02Z",
  10.         "expiration": null,
  11.         "secondsUntilExpiration": 0,
  12.         "hasExpired": false
  13.     }
  14. ]

Create service account tokens

POST /api/serviceaccounts/:id/tokens

Required permissions

See note in the introduction for an explanation.

ActionScope
serviceaccounts:writeserviceaccounts:*

Example Request:

  1. POST /api/serviceaccounts/2/tokens HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Basic YWRtaW46YWRtaW4=
  6. {
  7.     "name": "grafana",
  8.     "role": "Viewer"
  9. }

Requires basic authentication and that the authenticated user is a Grafana Admin.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.     "id": 7,
  6.     "name": "grafana",
  7.     "key": "eyJrIjoiVjFxTHZ6dGdPSjg5Um92MjN1RlhjMkNqYkZUbm9jYkwiLCJuIjoiZ3JhZmFuYSIsImlkIjoxfQ=="
  8. }

Delete service account tokens

DELETE /api/serviceaccounts/:id/tokens/:tokenId

Required permissions

See note in the introduction for an explanation.

ActionScope
serviceaccounts:writeserviceaccounts:*

Example Request:

  1. DELETE /api/serviceaccounts/2/tokens/1 HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Basic YWRtaW46YWRtaW4=

Requires basic authentication and that the authenticated user is a Grafana Admin.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.     "message": "API key deleted"
  6. }