26 lines
1.0 KiB
Markdown
26 lines
1.0 KiB
Markdown
# grafana-mcp
|
|
|
|
Read-only Grafana MCP. Sherlock imports Grafana Labs' upstream `mcp-grafana` as
|
|
a Go package and registers the read-only search, datasource, Prometheus, Loki,
|
|
alerting, dashboard, folder, navigation, and annotation categories. Exact tool
|
|
behavior belongs to upstream and `cmd/grafana-mcp/main.go`.
|
|
|
|
## Auth
|
|
|
|
`grafana-mcp` uses sherlock-managed OAuth with the wallet key `grafana`. It
|
|
sends a fresh Authentik bearer on every Grafana API request and does not use
|
|
`GRAFANA_SERVICE_ACCOUNT_TOKEN`, `GRAFANA_API_KEY`, or username/password auth.
|
|
|
|
Grafana must accept external JWT bearers on its API through `[auth.jwt]`.
|
|
Generic OAuth is only browser SSO and is not enough for `/api/*` bearer
|
|
validation.
|
|
|
|
## Operation
|
|
|
|
Config is `[services.grafana]`, usually pointing at the shared `sherlock-cli`
|
|
provider plus `base_url`. The first tool call authenticates lazily;
|
|
`grafana-mcp --probe` verifies auth and `GET /api/user`.
|
|
`sherlock logout grafana` clears the session.
|
|
|
|
All exposed tools are read-only and still subject to Grafana RBAC.
|