How to get started

I tried to run pomerium integrated with grafana in docker.
Unfortunately it doesn’t work and the documentation is not clear. Please help.

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): latest (docker)
  • Server Operating System/Architecture/Cloud: Windows 11
  • I do not have a public IP address.

What’s your config.yaml?

authenticate_service_url: https://authenticate.pomerium.app

routes:
  - from: https://verify.localhost.pomerium.io
    to: http://verify:8000
    policy:
      - allow:
          or:
            - email:
                is: mha@rublon.com
    pass_identity_headers: true

  - from: https://grafana.localhost.pomerium.io
    to: http://grafana:3000
    allow_any_authenticated_user: true

docker-compose.yaml

services:
  pomerium:
    image: pomerium/pomerium:latest
    volumes:
      - ./config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443
    networks:
      main:
        aliases:
          - authenticate.localhost.pomerium.app
  verify:
    image: pomerium/verify:latest
    environment:
      - JWKS_ENDPOINT=https://pomerium/.well-known/pomerium/jwks.json
    expose:
      - 8000
    # The pomerium service only joins the `main` network, so the
    # verify container must join it too or http://verify:8000 is unreachable.
    networks:
      main: {}
  grafana:
    image: grafana/grafana:latest
    ports:
      - 3000:3000
    networks:
      main: {}
    environment:
      - GF_AUTH_SIGNOUT_REDIRECT_URL=https://grafana.localhost.pomerium.app/.pomerium/sign_out
      - GF_AUTH_JWT_ENABLED=true
      - GF_AUTH_JWT_HEADER_NAME=X-Pomerium-Jwt-Assertion
      - GF_AUTH_JWT_EMAIL_CLAIM=sub
      - GF_AUTH_JWT_USERNAME_CLAIM=sub
      - GF_AUTH_JWT_JWK_SET_URL=https://authenticate.localhost.pomerium.app/.well-known/pomerium/jwks.json
      - GF_AUTH_JWT_CACHE_TTL=60m
      - GF_AUTH_JWT_AUTO_SIGN_UP=true
    volumes:
      - ./grafana-storage:/var/lib/grafana
networks:
  main:

Welcome, and thanks for using Pomerium!

There are a few things of interest here.

  1. Make sure to specify pass_identity_headers: true in your route definition for Grafana.

  2. What happens when you navigate to https://verify.localhost.pomerium.io? Do you have a Signing Key specified? It makes sense not to post your key on a public forum, but in the absence of a key, JWT validation will fail and access will be limited.

I understand you’re using Pomerium Core (as opposed to Pomerium Zero), but our guide to Securing Grafana with Pomerium should still provide the relevant settings to get you past this by configuring JWT-based auth for Grafana.

Let me know how it goes!
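The two points in the reply, a signing key and pass_identity_headers on the Grafana route, applied to the poster's config.yaml. This is an added example for this thread, not the poster's file and not a fragment from the Pomerium project or its guide; the signing_key value is a placeholder (Pomerium expects a base64-encoded PEM EC private key, which you generate yourself and keep out of the repository), and the hostnames are carried over from the original post, so the verify route still uses the .io domain and the Grafana JWK set URL in docker-compose.yaml still uses the .app alias, which must resolve to the pomerium container for Grafana to fetch the JWKS.

```yaml
# config.yaml (added example; assumes the same Docker Compose service names
# as the original post: pomerium, verify, grafana)
authenticate_service_url: https://authenticate.pomerium.app

# Without a signing key Pomerium cannot sign X-Pomerium-Jwt-Assertion,
# Grafana's GF_AUTH_JWT_JWK_SET_URL lookup finds no usable key, and JWT
# validation fails. Placeholder value: generate your own and never commit it.
signing_key: "<BASE64_PEM_EC_PRIVATE_KEY_PLACEHOLDER>"

routes:
  - from: https://verify.localhost.pomerium.io
    to: http://verify:8000
    policy:
      - allow:
          or:
            - email:
                is: mha@rublon.com
    pass_identity_headers: true

  - from: https://grafana.localhost.pomerium.io
    to: http://grafana:3000
    allow_any_authenticated_user: true
    # Required so the signed JWT (X-Pomerium-Jwt-Assertion) and the
    # X-Pomerium-Claim-* headers are forwarded to Grafana at all.
    pass_identity_headers: true
```

Check the result by opening the verify route first: the verify service reports whether the assertion header arrived and whether its signature validated against the JWKS served by Pomerium; only once that page shows a valid signature is it worth debugging the Grafana side, because Grafana validates the same token against the same key set.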