---
title: "Access and permissions for Grafana Alloy | Grafana Alloy documentation"
description: "Set access and permissions for Grafana Alloy through process identity, network exposure, secrets, and component-level access"
---

# Access and permissions for Grafana Alloy

Grafana Alloy collects telemetry from hosts, containers, and APIs, then forwards it to observability backends. That telemetry collection requires read access to logs, process data, and cluster resources, plus credentials for remote write and similar endpoints. Your configuration determines which permissions Alloy needs, and your deployment platform determines how you enforce them.

The following settings are common permission options. Not every item applies to every configuration or platform. Use only what matches your components and environment.

01. When your components allow it, run Alloy as a non-root user on [Linux](./linux/) or [Kubernetes](./kubernetes/), or as a dedicated service account on [Windows](./windows/).
02. If you don’t need remote access to the UI or `/metrics`, restrict the HTTP server to `127.0.0.1` or a private network address with the [`http` block](../reference/config-blocks/http/).
03. When you expose the HTTP server beyond localhost, enable TLS with the [`http` block](../reference/config-blocks/http/).
04. Use TLS for outbound connections. Refer to the [component](../reference/components/) you’re configuring, for example [`prometheus.remote_write`](../reference/components/prometheus/prometheus.remote_write/) for remote write and [`otelcol.exporter.otlp`](../reference/components/otelcol/otelcol.exporter.otlp/) for OTLP.
05. Avoid `insecure_skip_verify = true` in production. Refer to the TLS settings in the [component](../reference/components/) reference, for example [`prometheus.remote_write`](../reference/components/prometheus/prometheus.remote_write/).
06. Store credentials outside configuration files when you can. Refer to [Types and values](../get-started/expressions/types_and_values/).
07. On Kubernetes, set RBAC to the permissions your configuration uses. Refer to [Access and permissions on Kubernetes](./kubernetes/).
08. For container deployments, set `readOnlyRootFilesystem: true` when your volume mounts and components allow it. Refer to [Access and permissions on Kubernetes](./kubernetes/).
09. For container deployments, set `allowPrivilegeEscalation: false` when your components don’t need privilege escalation. Refer to [Access and permissions on Kubernetes](./kubernetes/).
10. Use a dedicated Alloy instance for components that require elevated access, for example [`beyla.ebpf`](../reference/components/beyla/beyla.ebpf/) and [`pyroscope.ebpf`](../reference/components/pyroscope/pyroscope.ebpf/). Refer to each component reference for required capabilities and privileges.
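The following configuration, added here as an illustration and not taken from the Alloy documentation or its repository, puts items 2 through 6 from the list above into one file: TLS on the built-in HTTP server, TLS with certificate verification on the outbound remote write connection, and credentials read through `sys.env()` rather than written into the file. The certificate paths, the endpoint hostname, and the environment variable names are assumptions. The listen address itself is not an attribute of this file; the comment assumes it is supplied with the `--server.http.listen-addr` flag of `alloy run`.

```alloy
// Added example, not from the Alloy documentation. File paths, hostname, and
// environment variable names are assumptions for illustration.
//
// Item 2: keep the HTTP server on the loopback address. The listen address is
// supplied when Alloy starts (assumed flag), for example:
//   alloy run --server.http.listen-addr=127.0.0.1:12345 /etc/alloy/config.alloy

// Item 3: if the server is reachable beyond localhost, serve it over TLS.
http {
  tls {
    cert_file = "/etc/alloy/tls/server.crt"
    key_file  = "/etc/alloy/tls/server.key"
  }
}

// Items 4 to 6: outbound TLS with verification left on, and credentials
// taken from the environment instead of the configuration file.
prometheus.remote_write "default" {
  endpoint {
    url = "https://prometheus.example.internal/api/v1/write"

    basic_auth {
      // sys.env() returns the value at runtime; the file holds only the names.
      username = sys.env("REMOTE_WRITE_USERNAME")
      password = sys.env("REMOTE_WRITE_PASSWORD")
    }

    tls_config {
      // Trust only the CA that issued the endpoint certificate and keep
      // verification enabled (item 5).
      ca_file              = "/etc/alloy/tls/remote-write-ca.crt"
      insecure_skip_verify = false
    }
  }
}
```

Because `password` is a `secret`-typed attribute, the value read from the environment is masked in the UI and in component exports; the environment variables themselves still need to be protected on the host, for example by setting them in the service unit or Pod spec rather than in a world-readable file.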

## Process identity and privilege

Create a dedicated service account or user on your deployment platform:

- [Linux](./linux/): systemd service, file permissions, and the `alloy` user
- [Kubernetes](./kubernetes/): `securityContext`, non-root UID, and RBAC
- [Windows](./windows/): service accounts, Windows security groups, and filesystem ACLs

## Network exposure

Alloy runs an HTTP server for its UI, API, and `/metrics` endpoint. The binary binds to `127.0.0.1:12345` by default, which limits exposure to the local machine. The Grafana Helm chart sets `alloy.listenAddr` to `0.0.0.0` by default so other Pods can reach the container on port `12345`. Review what you expose before you change either default.

## Secrets and credentials

You can load secrets at runtime through several patterns:

- [`sys.env()`](../reference/stdlib/sys/#sys.env) in configuration to reference environment variables
- [`remote.vault`](../reference/components/remote/remote.vault/) to load secrets from HashiCorp Vault
- [`remote.kubernetes.secret`](../reference/components/remote/remote.kubernetes.secret/) to load secrets from a Kubernetes Secret in the cluster
- [`remote.s3`](../reference/components/remote/remote.s3/) to load configuration or secrets from AWS S3

For `secret`-typed values at runtime and protection from exposure in the UI and component exports, refer to [Types and values](../get-started/expressions/types_and_values/).
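As an added example, not part of the Alloy documentation, the configuration below loads a bearer token from a Kubernetes Secret with `remote.kubernetes.secret` and hands it to `otelcol.exporter.otlp` through `otelcol.auth.bearer`, so the token never appears in the configuration file. The namespace, Secret name, key name, CA path, and collector endpoint are assumptions chosen for illustration.

```alloy
// Added example, not from the Alloy documentation. Namespace, Secret name,
// key name, CA path, and endpoint are assumptions for illustration.

// Read the Secret from the cluster. The Alloy service account needs RBAC
// permission to read this Secret in the `monitoring` namespace, and nothing
// broader (item 7 in the list above).
remote.kubernetes.secret "otlp_creds" {
  namespace = "monitoring"
  name      = "alloy-otlp-credentials"
}

// Entries in `data` are secret-typed, so the UI and component exports mask
// the token instead of displaying it.
otelcol.auth.bearer "otlp" {
  token = remote.kubernetes.secret.otlp_creds.data["token"]
}

otelcol.exporter.otlp "default" {
  client {
    endpoint = "otel-gateway.example.internal:4317"
    auth     = otelcol.auth.bearer.otlp.handler

    tls {
      // Verify the gateway certificate against a pinned CA; neither
      // plaintext nor unverified TLS is enabled.
      ca_file              = "/etc/alloy/tls/otlp-ca.crt"
      insecure             = false
      insecure_skip_verify = false
    }
  }
}
```

Rotating the token is then a matter of updating the Secret: `remote.kubernetes.secret` picks up the new value and the exporter uses it on subsequent connections, with no configuration change and no restart of Alloy.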
