Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow Security and account managementbreadcrumb arrow Authentication and authorization
Grafana Cloud

Configure authentication and authorization

You can configure various methods to allow users to access your Grafana Cloud instance. To authorize requests to Grafana Cloud resources that do not involve users you can use Grafana Cloud Access Policies.

User authentication

Grafana Cloud uses OAuth 2.0 with Grafana.com as the default authentication provider. Additional authentication and authorization methods, such as LDAP, SAML, and OAuth, can also be configured for your Grafana Cloud instance. For detailed guidance, refer to the Grafana documentation on authentication.

User authorization

Understand Grafana Cloud authentication layers

Grafana Cloud has two authentication layers that work together by default but can be separated for larger organizations.

Default model: Cloud Portal as the identity provider

By default, the Cloud Portal (grafana.com) acts as the identity provider for your stacks:

  • Users authenticate to grafana.com
  • They automatically have access to all stacks in your organization
  • Their Cloud Portal role (Admin, Editor, Viewer) is inherited by every stack
  • Works well for: Small teams (<20 users) with simple access needs

Cloud Portal authentication options:

  • Username/password (basic auth)
  • Social login (Google, GitHub, Microsoft, Amazon)
  • SAML SSO (Private Preview)

Layered model: Separate Cloud Portal and Stack authentication

For larger organizations, you can separate these authentication layers:

  • Cloud Portal: Small group of platform admins manage billing, stacks, cloud settings
  • Stack-level: Engineers authenticate directly to stacks (your-org.grafana.net), never access grafana.com

In this model, Cloud Portal access does not automatically grant stack access. You must explicitly add users to each stack.

Works well for: Larger teams (50+ users), enterprises with governance requirements

Stack authentication options: Stack-level authentication supports multiple authentication methods including SAML, OAuth, OIDC, LDAP, and SCIM provisioning.

Feature availability by layer

FeatureCloud PortalStack LevelNotes
Basic authUsername/password
Social loginGoogle, GitHub, Microsoft, Amazon
SAML SSO✅ (Private Preview)Separate configs for each layer
SCIM provisioningStack-level only (Okta, Entra ID)
OAuth/OIDCCustom OAuth providers via IdP
LDAPActive Directory integration
RBAC✅ (Cloud org roles)✅ (Stack roles)Different permission models
Access PoliciesCloud-level API access control
Service accountsStack-level only

Configuring user roles

You can configure user roles either through the Cloud Portal or directly within your Grafana instance:

  • Using the Grafana Cloud Portal: Roles configured in the Grafana Cloud Portal will automatically propagate to your Grafana instances (default model). To learn more about the specific capabilities assigned to each role, see User account roles and permissions.
  • Directly in your Grafana instance: Configure roles within a specific Grafana instance using role-based access control.

Service accounts vs Cloud Access Policies

Both service accounts and Cloud Access Policies provide machine-to-machine authentication, but they serve different purposes and access different APIs.

AspectService AccountsCloud Access Policies
PurposeManage Grafana resources (dashboards, users, alerts)Read/write telemetry data (metrics, logs, traces) and manage cloud resources
API AccessGrafana HTTP API (/api/dashboards, /api/users, etc.)Cloud API + data APIs (Mimir, Loki, Tempo)
ScopeStack-level (single organization)Cloud-level (can be org-wide or single stack)
Permissions ModelRBAC roles (Viewer, Editor, Admin)Fine-grained scopes (metrics:read, logs:write)
Common Use CasesDashboard provisioning, Terraform, user management, scheduled reportsGrafana Agent setup, querying logs/metrics, stack management via Cloud API
Cannot AccessMimir/Loki/Tempo data APIsGrafana HTTP API (dashboards, users, etc.)

When to use:

  • Service accounts: Automating Grafana UI tasks (creating dashboards, managing users, configuring data sources)
  • Cloud Access Policies: Sending or querying telemetry data (metrics, logs, traces), or managing stacks via Cloud API

For more information, refer to:

Authorize a service using access policies

You can use Grafana Cloud Access Policies and tokens to authorize requests to Grafana Cloud resources that do not involve users.