---
title: "otelcol.auth.sigv4 | Grafana Alloy documentation"
description: "Learn about otelcol.auth.sigv4"
---

# `otelcol.auth.sigv4`

`otelcol.auth.sigv4` exposes a `handler` that other `otelcol` components can use to authenticate requests to AWS services using the AWS Signature Version 4 (SigV4) protocol. For more information about SigV4 refer to the AWS documentation about [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing-aws-api-requests.html).

This component only supports client authentication.

> Note
> 
> `otelcol.auth.sigv4` is a wrapper over the upstream OpenTelemetry Collector [`sigv4auth`](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/v0.147.0/extension/sigv4authextension) extension. Bug reports or feature requests will be redirected to the upstream repository, if necessary.

You can specify multiple `otelcol.auth.sigv4` components by giving them different labels.

> Note
> 
> Alloy must have valid AWS credentials as used by the [AWS SDK for Go](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials).

## Usage

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.auth.sigv4 "<LABEL>" {
}
```

## Arguments

You can use the following arguments with `otelcol.auth.sigv4`:

Expand table

| Name      | Type     | Description                   | Default | Required |
|-----------|----------|-------------------------------|---------|----------|
| `region`  | `string` | The AWS region to sign with.  | `""`    | no       |
| `service` | `string` | The AWS service to sign with. | `""`    | no       |

If `region` and `service` are left empty, their values are inferred from the URL of the exporter using the following rules:

- If the exporter URL starts with `aps-workspaces` and `service` is empty, `service` will be set to `aps`.
- If the exporter URL starts with `search-` and `service` is empty, `service` will be set to `es`.
- If the exporter URL starts with either `aps-workspaces` or `search-` and `region` is empty, `region` will be set to the value between the first and second `.` character in the exporter URL.

If none of the above rules apply, then `region` and `service` must be specified.

A list of valid AWS regions can be found on Amazon’s documentation for [Regions, Availability Zones, and Local Zones](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html).

## Blocks

You can use the following blocks with `otelcol.auth.sigv4`:

No valid configuration blocks found.

### `assume_role`

The `assume_role` block specifies the configuration needed to assume a role.

Expand table

| Name           | Type     | Description                                                     | Default | Required |
|----------------|----------|-----------------------------------------------------------------|---------|----------|
| `arn`          | `string` | The Amazon Resource Name (ARN) of a role to assume.             | `""`    | no       |
| `session_name` | `string` | The name of a role session.                                     | `""`    | no       |
| `sts_region`   | `string` | The AWS region where STS is used to assume the configured role. | `""`    | no       |

If the `assume_role` block is specified in the configuration and `sts_region` isn’t set, then `sts_region` will default to the value for `region`.

For cross region authentication, `region` and `sts_region` can be set to different values.

### `debug_metrics`

The `debug_metrics` block configures the metrics that this component generates to monitor its state.

The following arguments are supported:

Expand table

| Name                               | Type      | Description                                          | Default | Required |
|------------------------------------|-----------|------------------------------------------------------|---------|----------|
| `disable_high_cardinality_metrics` | `boolean` | Whether to disable certain high cardinality metrics. | `true`  | no       |

`disable_high_cardinality_metrics` is the Alloy equivalent to the `telemetry.disableHighCardinalityMetrics` feature gate in the OpenTelemetry Collector. It removes attributes that could cause high cardinality metrics. For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.

> Note
> 
> If configured, `disable_high_cardinality_metrics` only applies to `otelcol.exporter.*` and `otelcol.receiver.*` components.

## Exported fields

The following fields are exported and can be referenced by other components:

Expand table

| Name      | Type                       | Description                                                     |
|-----------|----------------------------|-----------------------------------------------------------------|
| `handler` | `capsule(otelcol.Handler)` | A value that other components can use to authenticate requests. |

## Component health

`otelcol.auth.sigv4` is only reported as unhealthy if given an invalid configuration.

## Debug information

`otelcol.auth.sigv4` doesn’t expose any component-specific debug information.

## Examples

### Infer the “region” and “service” from an “aps-workspaces” exporter endpoint

In this example the exporter endpoint starts with `aps-workspaces`. `service` is inferred to be `aps` and `region` is inferred to be `us-east-1`.

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.exporter.otlp "example" {
  client {
    endpoint = "https://aps-workspaces.us-east-1.amazonaws.com/workspaces/ws-XXX/api/v1/remote_write"
    auth     = otelcol.auth.sigv4.creds.handler
  }
}

otelcol.auth.sigv4 "creds" {
}
```

### Infer the “region” and “service” from a “search-” exporter endpoint

In this example the exporter endpoint starts with `search-`. `service` is inferred to be `es` and `region` is inferred to be `us-east-1`.

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.exporter.otlp "example" {
  client {
    endpoint = "https://search-my-domain.us-east-1.es.amazonaws.com/_search?q=house"
    auth     = otelcol.auth.sigv4.creds.handler
  }
}

otelcol.auth.sigv4 "creds" {
}
```

### Specify “region” and “service” explicitly

In this example the exporter endpoint doesn’t begin with `search-` or with `aps-workspaces`. You must explicitly specify `region` and `service`.

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.exporter.otlp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.sigv4.creds.handler
  }
}

otelcol.auth.sigv4 "creds" {
    region = "example_region"
    service = "example_service"
}
```

### Specify “region” and “service” explicitly and adding a “role” to assume

In this example, the configuration assumes a role. `sts_region` hasn’t been provided, so it will default to the value of `region` which is `example_region`.

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.exporter.otlp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.sigv4.creds.handler
  }
}

otelcol.auth.sigv4 "creds" {
  region  = "example_region"
  service = "example_service"

  assume_role {
    session_name = "role_session_name"
  }
}
```