
Amazon Managed Grafana (AMG) provides a secure, scalable way to visualize and analyze data from multiple sources. One of the key requirements in enterprise environments is integrating Grafana with existing identity providers for Single Sign-On (SSO).

In this post, we’ll configure Amazon Managed Grafana to use Google Workspace as an Identity Provider via SAML 2.0 so your users can log into Grafana with their Google credentials.

Prerequisites

1. Create an Organizational Unit (OU) in Google Workspace (e.g., GrafanaUsers) and place intended Grafana users in it. By default, they’ll have read-only access.


2. Decide who should be Grafana admins and, for each, set User Information → Employee Information → Department = Grafana in the Google Admin Console.

You can also use a custom field or any other available field here, but the attribute mapping in Step 3 must then be updated to use that field too.

3. (Optional) Create environment-specific groupings if you run multiple workspaces (dev/stage/prod).

Steps to Enable Amazon Managed Grafana Sign-In with Google Workspace 

Step 1: Create a Custom SAML App in Google Workspace

In Google Admin Console → Apps → Add custom SAML app, create a new app (e.g., Amazon Managed Grafana Prod) and download the IdP metadata file.
When asked for the service provider details, pause there and move on to Step 2 of this post.

Step 2: Configure SAML in Amazon Managed Grafana

Open Amazon Managed Grafana → your workspace → Authentication → Security Assertion Markup Language (SAML) → Complete Setup. Copy the values AWS shows for:

  • ACS URL (Assertion Consumer Service URL)
  • Entity ID
  • (Optional) Start URL

Put these values in the Google Workspace page where you were setting up the SAML app.

Step 3: Attribute Mapping

In your Google Workspace SAML app, add these mappings so Grafana can assign identities and roles correctly:

Step 4: Assign Access

In the User Access settings of the Google Workspace SAML app, select the GrafanaUsers OU, set Service status = On, then click the Override button.


Step 5: Upload IdP Metadata & Finish SAML Config (in Amazon Managed Grafana)

Upload the IdP metadata you downloaded from Google Workspace and complete the following fields:


Step 6: Test

Visit your Grafana URL and click Sign in with SAML. You’ll be redirected to Google to pick/confirm the permitted account and then returned to Grafana.


If you see “app not enabled for user”, verify:

  • The user is in the Grafana OU.
  • The OU is assigned to the SAML app.
  • Up to 15 minutes have passed, since Google Workspace changes can take that long to propagate.
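
A debugging aid for the role mapping, added here as an example and not part of the original post: it decodes a captured SAMLResponse and reports whether its attributes would yield Admin or the default read-only role. The attribute name "role", the exact-match comparison and the sample responses are assumptions or constructed values, and the script does not validate the assertion signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumptions (not from the original post): the Google app attribute that
# carries Department is named "role", and the workspace lists "Grafana" as
# its admin role value. Adjust both to match your Step 3 and Step 5 settings.
ROLE_ATTRIBUTE = "role"
ADMIN_VALUES = {"Grafana"}


def assertion_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse and return {attribute name: [values]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def expected_role(attrs):
    """Admin only on an exact match; missing or other values stay read-only."""
    values = attrs.get(ROLE_ATTRIBUTE, [])
    return "Admin" if any(v in ADMIN_VALUES for v in values) else "Viewer"


def sample_response(department):
    """Build a constructed, unsigned SAMLResponse for illustration only."""
    role = ""
    if department is not None:
        role = (f'<saml:Attribute Name="{ROLE_ATTRIBUTE}">'
                f"<saml:AttributeValue>{department}</saml:AttributeValue></saml:Attribute>")
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           "<saml:AttributeStatement>"
           '<saml:Attribute Name="email"><saml:AttributeValue>user@example.com'
           "</saml:AttributeValue></saml:Attribute>"
           f"{role}</saml:AttributeStatement></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for dept in ("Grafana", "Finance", None):
        attrs = assertion_attributes(sample_response(dept))
        print(f"Department={dept!r:10} -> {expected_role(attrs)}")
```

To use it on a real sign-in, pass the SAMLResponse form value captured in your own browser's developer tools to assertion_attributes() instead of the constructed sample.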

Wrap-up

With this configuration, your organization centralizes authentication for Amazon Managed Grafana using Google Workspace. It simplifies onboarding, keeps roles consistent, and leverages your existing identity controls.

Questions or need assistance? Contact CloudKeeper for personalized support and ensure your cloud infrastructure setup runs smoothly.

Meet the Author
  • Simran
    DevOps Engineer

    Simran has a knack for integrating tools and automating workflows to improve efficiency and scalability.
