Support X-Access-Token for Grafana Cloud

mcpgrafana.go

@@ -40,6 +40,7 @@ func urlAndAPIKeyFromHeaders(req *http.Request) (string, string) {
 
 type grafanaURLKey struct{}
 type grafanaAPIKeyKey struct{}
+type grafanaAccessTokenKey struct{}
 
 // grafanaDebugKey is the context key for the Grafana transport's debug flag.
 type grafanaDebugKey struct{}
@@ -103,6 +104,12 @@ func WithGrafanaAPIKey(ctx context.Context, apiKey string) context.Context {
 	return context.WithValue(ctx, grafanaAPIKeyKey{}, apiKey)
 }
 
+// WithGrafanaAccessToken adds the Grafana access token to the context. An
+// access token is used for on-behalf-of auth in Grafana Cloud.
+func WithGrafanaAccessToken(ctx context.Context, accessToken string) context.Context {
+	return context.WithValue(ctx, grafanaAccessTokenKey{}, accessToken)
+}
+
 // GrafanaURLFromContext extracts the Grafana URL from the context.
 func GrafanaURLFromContext(ctx context.Context) string {
 	if u, ok := ctx.Value(grafanaURLKey{}).(string); ok {
@@ -119,6 +126,15 @@ func GrafanaAPIKeyFromContext(ctx context.Context) string {
 	return ""
 }
 
+// GrafanaAccessTokenFromContext extracts a Grafana access token from the context.
+// An access token is used for on-behalf-of auth in Grafana Cloud.
+func GrafanaAccessTokenFromContext(ctx context.Context) string {
+	if k, ok := ctx.Value(grafanaAccessTokenKey{}).(string); ok {
+		return k
+	}
+	return ""
+}
+
 type grafanaClientKey struct{}
 
 func makeBasePath(path string) string {

tools/alerting_client.go

@@ -21,9 +21,10 @@ const (
 )
 
 type alertingClient struct {
-	baseURL    *url.URL
-	apiKey     string
-	httpClient *http.Client
+	baseURL     *url.URL
+	accessToken string
+	apiKey      string
+	httpClient  *http.Client
 }
 
 func newAlertingClientFromContext(ctx context.Context) (*alertingClient, error) {
@@ -34,8 +35,9 @@ func newAlertingClientFromContext(ctx context.Context) (*alertingClient, error)
 	}
 
 	return &alertingClient{
-		baseURL: parsedBaseURL,
-		apiKey:  mcpgrafana.GrafanaAPIKeyFromContext(ctx),
+		baseURL:     parsedBaseURL,
+		accessToken: mcpgrafana.GrafanaAccessTokenFromContext(ctx),
+		apiKey:      mcpgrafana.GrafanaAPIKeyFromContext(ctx),
 		httpClient: &http.Client{
 			Timeout: defaultTimeout,
 		},
@@ -53,7 +55,10 @@ func (c *alertingClient) makeRequest(ctx context.Context, path string) (*http.Re
 	req.Header.Set("Accept", "application/json")
 	req.Header.Set("Content-Type", "application/json")
 
-	if c.apiKey != "" {
+	// If accessToken is set we use that first and fall back to normal Authorization.
+	if c.accessToken != "" {
+		req.Header.Set("X-Access-Token", c.accessToken)
+	} else if c.apiKey != "" {
 		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", c.apiKey))
 	}
 

tools/loki.go

@@ -50,13 +50,18 @@ func newLokiClient(ctx context.Context, uid string) (*Client, error) {
 		return nil, err
 	}
 
-	grafanaURL, apiKey := mcpgrafana.GrafanaURLFromContext(ctx), mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+	var (
+		grafanaURL  = mcpgrafana.GrafanaURLFromContext(ctx)
+		apiKey      = mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+		accessToken = mcpgrafana.GrafanaAccessTokenFromContext(ctx)
+	)
 	url := fmt.Sprintf("%s/api/datasources/proxy/uid/%s", strings.TrimRight(grafanaURL, "/"), uid)
 
 	client := &http.Client{
 		Transport: &authRoundTripper{
-			apiKey:     apiKey,
-			underlying: http.DefaultTransport,
+			accessToken: accessToken,
+			apiKey:      apiKey,
+			underlying:  http.DefaultTransport,
 		},
 	}
 
@@ -163,12 +168,15 @@ func (c *Client) fetchData(ctx context.Context, urlPath string, startRFC3339, en
 }
 
 type authRoundTripper struct {
-	apiKey     string
-	underlying http.RoundTripper
+	accessToken string
+	apiKey      string
+	underlying  http.RoundTripper
 }
 
 func (rt *authRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	if rt.apiKey != "" {
+	if rt.accessToken != "" {
+		req.Header.Set("X-Access-Token", rt.accessToken)
+	} else if rt.apiKey != "" {
 		req.Header.Set("Authorization", "Bearer "+rt.apiKey)
 	}
 

tools/oncall.go

@@ -57,7 +57,10 @@ func getOnCallURLFromSettings(ctx context.Context, grafanaURL, grafanaAPIKey str
 
 func oncallClientFromContext(ctx context.Context) (*aapi.Client, error) {
 	// Get the standard Grafana URL and API key
-	grafanaURL, grafanaAPIKey := mcpgrafana.GrafanaURLFromContext(ctx), mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+	var (
+		grafanaURL    = mcpgrafana.GrafanaURLFromContext(ctx)
+		grafanaAPIKey = mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+	)
 
 	// Try to get OnCall URL from settings endpoint
 	grafanaOnCallURL, err := getOnCallURLFromSettings(ctx, grafanaURL, grafanaAPIKey)
@@ -67,6 +70,7 @@ func oncallClientFromContext(ctx context.Context) (*aapi.Client, error) {
 
 	grafanaOnCallURL = strings.TrimRight(grafanaOnCallURL, "/")
 
+	// TODO: Allow access to OnCall using an access token instead of an API key.
 	client, err := aapi.NewWithGrafanaURL(grafanaOnCallURL, grafanaAPIKey, grafanaURL)
 	if err != nil {
 		return nil, fmt.Errorf("creating OnCall client: %w", err)

tools/prometheus.go

@@ -33,10 +33,22 @@ func promClientFromContext(ctx context.Context, uid string) (promv1.API, error)
 		return nil, err
 	}
 
-	grafanaURL, apiKey := mcpgrafana.GrafanaURLFromContext(ctx), mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+	var (
+		grafanaURL  = mcpgrafana.GrafanaURLFromContext(ctx)
+		apiKey      = mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+		accessToken = mcpgrafana.GrafanaAccessTokenFromContext(ctx)
+	)
 	url := fmt.Sprintf("%s/api/datasources/proxy/uid/%s", strings.TrimRight(grafanaURL, "/"), uid)
 	rt := api.DefaultRoundTripper
-	if apiKey != "" {
+	if accessToken != "" {
+		rt = config.NewHeadersRoundTripper(&config.Headers{
+			Headers: map[string]config.Header{
+				"X-Access-Token": config.Header{
+					Secrets: []config.Secret{config.Secret(accessToken)},
+				},
+			},
+		}, rt)
+	} else if apiKey != "" {
 		rt = config.NewAuthorizationCredentialsRoundTripper(
 			"Bearer", config.NewInlineSecret(apiKey), rt,
 		)

tools/sift.go

@@ -97,11 +97,12 @@ type siftClient struct {
 	url    string
 }
 
-func newSiftClient(url, apiKey string) *siftClient {
+func newSiftClient(url, accessToken, apiKey string) *siftClient {
 	client := &http.Client{
 		Transport: &authRoundTripper{
-			apiKey:     apiKey,
-			underlying: http.DefaultTransport,
+			accessToken: accessToken,
+			apiKey:      apiKey,
+			underlying:  http.DefaultTransport,
 		},
 	}
 	return &siftClient{
@@ -112,9 +113,13 @@ func newSiftClient(url, apiKey string) *siftClient {
 
 func siftClientFromContext(ctx context.Context) (*siftClient, error) {
 	// Get the standard Grafana URL and API key
-	grafanaURL, grafanaAPIKey := mcpgrafana.GrafanaURLFromContext(ctx), mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+	var (
+		grafanaURL         = mcpgrafana.GrafanaURLFromContext(ctx)
+		grafanaAPIKey      = mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+		grafanaAccessToken = mcpgrafana.GrafanaAccessTokenFromContext(ctx)
+	)
 
-	client := newSiftClient(grafanaURL, grafanaAPIKey)
+	client := newSiftClient(grafanaURL, grafanaAccessToken, grafanaAPIKey)
 
 	return client, nil
 }