<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Access and permissions for Grafana Alloy on Grafana Labs</title><link>https://grafana.com/docs/alloy/v1.17/access_permissions/</link><description>Recent content in Access and permissions for Grafana Alloy on Grafana Labs</description><generator>Hugo -- gohugo.io</generator><language>en</language><atom:link href="/docs/alloy/v1.17/access_permissions/index.xml" rel="self" type="application/rss+xml"/><item><title>Access and permissions for Grafana Alloy on Linux</title><link>https://grafana.com/docs/alloy/v1.17/access_permissions/linux/</link><pubDate>Tue, 30 Jun 2026 15:02:01 +0000</pubDate><guid>https://grafana.com/docs/alloy/v1.17/access_permissions/linux/</guid><content><![CDATA[&lt;h1 id=&#34;access-and-permissions-for-grafana-alloy-on-linux&#34;&gt;Access and permissions for Grafana Alloy on Linux&lt;/h1&gt;
&lt;p&gt;Alloy requires read access to &lt;code&gt;/proc&lt;/code&gt;, &lt;code&gt;/sys&lt;/code&gt;, the systemd journal, application log files, and credentials for observability backends.
DEB and RPM packages for Alloy provide a dedicated &lt;code&gt;alloy&lt;/code&gt; user and systemd unit file.
Set filesystem permissions, systemd restrictions, and read access to match the components in your configuration.&lt;/p&gt;


&lt;div class=&#34;admonition admonition-note&#34;&gt;&lt;blockquote&gt;&lt;p class=&#34;title text-uppercase&#34;&gt;Note&lt;/p&gt;&lt;p&gt;If you installed from a binary instead of a package, create the &lt;code&gt;alloy&lt;/code&gt; user and systemd unit yourself.
Refer to &lt;a href=&#34;../../set-up/install/linux/&#34;&gt;Install Alloy on Linux&lt;/a&gt; for setup steps, and adapt paths to match your layout.&lt;/p&gt;&lt;/blockquote&gt;&lt;/div&gt;

&lt;h2 id=&#34;run-as-the-alloy-user&#34;&gt;Run as the &lt;code&gt;alloy&lt;/code&gt; user&lt;/h2&gt;
&lt;p&gt;Verify the service runs as the &lt;code&gt;alloy&lt;/code&gt; user:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;ps aux | grep alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The output should show &lt;code&gt;alloy&lt;/code&gt; in the user column, not &lt;code&gt;root&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;If the process runs as &lt;code&gt;root&lt;/code&gt;, check the &lt;code&gt;User=&lt;/code&gt; directive in the unit file:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;systemctl cat alloy | grep User&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The package sets &lt;code&gt;User=alloy&lt;/code&gt; but doesn&amp;rsquo;t set &lt;code&gt;Group=alloy&lt;/code&gt;.
If &lt;code&gt;User=alloy&lt;/code&gt; isn&amp;rsquo;t set, or you want to set the group explicitly, create a drop-in file.
Don&amp;rsquo;t edit the unit file directly.&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;sudo systemctl edit alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Add this configuration:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;ini&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-ini&#34;&gt;[Service]
User=alloy
Group=alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Reload and restart the service:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;sudo systemctl daemon-reload
sudo systemctl restart alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;h2 id=&#34;restrict-file-and-directory-permissions&#34;&gt;Restrict file and directory permissions&lt;/h2&gt;
&lt;p&gt;The &lt;code&gt;alloy&lt;/code&gt; user needs read access to the configuration file and read/write access to the data directory.
It shouldn&amp;rsquo;t have access to anything else.&lt;/p&gt;
&lt;p&gt;The package sets &lt;code&gt;/etc/alloy&lt;/code&gt; and &lt;code&gt;/var/lib/alloy&lt;/code&gt; to mode &lt;code&gt;770&lt;/code&gt; at install time when it creates those directories.
Use tighter permissions for production:&lt;/p&gt;
&lt;section class=&#34;expand-table-wrapper&#34;&gt;&lt;div class=&#34;button-div&#34;&gt;
    &lt;/div&gt;&lt;div class=&#34;responsive-table-wrapper&#34;&gt;
    &lt;table&gt;
      &lt;thead&gt;
          &lt;tr&gt;
              &lt;th&gt;Path&lt;/th&gt;
              &lt;th&gt;Owner&lt;/th&gt;
              &lt;th&gt;Permissions&lt;/th&gt;
              &lt;th&gt;Notes&lt;/th&gt;
          &lt;/tr&gt;
      &lt;/thead&gt;
      &lt;tbody&gt;
          &lt;tr&gt;
              &lt;td&gt;&lt;code&gt;/etc/alloy/config.alloy&lt;/code&gt;&lt;/td&gt;
              &lt;td&gt;&lt;code&gt;root:alloy&lt;/code&gt;&lt;/td&gt;
              &lt;td&gt;&lt;code&gt;640&lt;/code&gt;&lt;/td&gt;
              &lt;td&gt;Group-readable by &lt;code&gt;alloy&lt;/code&gt;, not world-readable&lt;/td&gt;
          &lt;/tr&gt;
          &lt;tr&gt;
              &lt;td&gt;&lt;code&gt;/etc/alloy/&lt;/code&gt;&lt;/td&gt;
              &lt;td&gt;&lt;code&gt;root:alloy&lt;/code&gt;&lt;/td&gt;
              &lt;td&gt;&lt;code&gt;750&lt;/code&gt;&lt;/td&gt;
              &lt;td&gt;&lt;code&gt;alloy&lt;/code&gt; can read directory contents&lt;/td&gt;
          &lt;/tr&gt;
          &lt;tr&gt;
              &lt;td&gt;&lt;code&gt;/var/lib/alloy/&lt;/code&gt;&lt;/td&gt;
              &lt;td&gt;&lt;code&gt;alloy:alloy&lt;/code&gt;&lt;/td&gt;
              &lt;td&gt;&lt;code&gt;750&lt;/code&gt;&lt;/td&gt;
              &lt;td&gt;Write-ahead log and data storage&lt;/td&gt;
          &lt;/tr&gt;
      &lt;/tbody&gt;
    &lt;/table&gt;
  &lt;/div&gt;
&lt;/section&gt;&lt;p&gt;Apply the permissions after installation:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;sudo chown -R root:alloy /etc/alloy
sudo chmod 750 /etc/alloy
sudo chmod 640 /etc/alloy/config.alloy
sudo chown -R alloy:alloy /var/lib/alloy
sudo chmod 750 /var/lib/alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;If the configuration file contains credentials, confirm it isn&amp;rsquo;t world-readable:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;stat /etc/alloy/config.alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;h2 id=&#34;set-systemd-service-permissions&#34;&gt;Set systemd service permissions&lt;/h2&gt;
&lt;p&gt;The systemd unit in the package doesn&amp;rsquo;t include security directives by default.
Add them with a drop-in file so they survive package upgrades.
If you use eBPF components, for example &lt;a href=&#34;../../reference/components/beyla/beyla.ebpf/&#34;&gt;&lt;code&gt;beyla.ebpf&lt;/code&gt;&lt;/a&gt; or &lt;a href=&#34;../../reference/components/pyroscope/pyroscope.ebpf/&#34;&gt;&lt;code&gt;pyroscope.ebpf&lt;/code&gt;&lt;/a&gt;, check their component references before you set &lt;code&gt;NoNewPrivileges=yes&lt;/code&gt; or run as the &lt;code&gt;alloy&lt;/code&gt; user.&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;sudo systemctl edit alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Add these directives:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;ini&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-ini&#34;&gt;[Service]
# Block new privileges from setuid or capabilities
NoNewPrivileges=yes

# Make the entire filesystem read-only except for explicitly allowed paths
ProtectSystem=strict

# Block access to /home, /root, and /run/user
ProtectHome=yes

# Give the service a private /tmp, isolated from other services
PrivateTmp=yes

# Block writes to kernel variables in /proc/sys and /sys
ProtectKernelTunables=yes

# Block kernel module loads
ProtectKernelModules=yes

# Block access to the kernel log
ProtectKernelLogs=yes

# Give the service its own network namespace, which contains only a loopback device
# Leave this line commented out if Alloy needs to listen on a host network interface or reach remote hosts
# PrivateNetwork=yes

# Allow write access to the data directory only
ReadWritePaths=/var/lib/alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Reload and restart the service:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;sudo systemctl daemon-reload
sudo systemctl restart alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Confirm the service starts cleanly and review the logs for permission errors:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;sudo journalctl -u alloy -n 50&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;h2 id=&#34;grant-access-to-the-systemd-journal&#34;&gt;Grant access to the systemd journal&lt;/h2&gt;
&lt;p&gt;If you use &lt;a href=&#34;../../reference/components/loki/loki.source.journal/&#34;&gt;&lt;code&gt;loki.source.journal&lt;/code&gt;&lt;/a&gt;, the &lt;code&gt;alloy&lt;/code&gt; user needs membership in the &lt;code&gt;adm&lt;/code&gt; and &lt;code&gt;systemd-journal&lt;/code&gt; groups.
The package installer adds the user to both groups when they exist on the system.
If you installed via binary or removed the user from either group, add them back:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;sudo usermod -aG adm,systemd-journal alloy
sudo systemctl restart alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;When you use &lt;code&gt;ProtectSystem=strict&lt;/code&gt;, add journal paths to &lt;code&gt;ReadOnlyPaths&lt;/code&gt; in the systemd drop-in:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;ini&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-ini&#34;&gt;ReadOnlyPaths=/var/log/journal
ReadOnlyPaths=/run/log/journal&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;h2 id=&#34;grant-access-to-application-log-files&#34;&gt;Grant access to application log files&lt;/h2&gt;
&lt;p&gt;If you use &lt;a href=&#34;../../reference/components/loki/loki.source.file/&#34;&gt;&lt;code&gt;loki.source.file&lt;/code&gt;&lt;/a&gt; for log files owned by other users or services, grant read access with ACLs.
Don&amp;rsquo;t expand the &lt;code&gt;alloy&lt;/code&gt; user&amp;rsquo;s group membership to reach those files.&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;sudo setfacl -R -m u:alloy:rx /var/log/myapp
sudo setfacl -R -d -m u:alloy:rx /var/log/myapp&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The &lt;code&gt;-d&lt;/code&gt; flag sets a default ACL so new files in the directory inherit the permission.&lt;/p&gt;
&lt;h2 id=&#34;restrict-the-http-server&#34;&gt;Restrict the HTTP server&lt;/h2&gt;
&lt;p&gt;By default, Alloy binds its HTTP server to &lt;code&gt;127.0.0.1:12345&lt;/code&gt;.
Change the bind address only when you need to expose the UI or metrics endpoint to other machines.&lt;/p&gt;
&lt;p&gt;To expose &lt;code&gt;/metrics&lt;/code&gt; for Prometheus scrape while you keep the UI private, put a reverse proxy in front of Alloy and restrict access at the proxy.
Refer to the &lt;a href=&#34;../../reference/config-blocks/http/&#34;&gt;&lt;code&gt;http&lt;/code&gt; block&lt;/a&gt; for TLS and authentication options.&lt;/p&gt;
&lt;h2 id=&#34;next-steps&#34;&gt;Next steps&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;../../configure/linux/&#34;&gt;Configure Alloy on Linux&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;../../monitor/monitor-linux/&#34;&gt;Monitor Linux servers with Alloy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;../../collect/&#34;&gt;Collect and forward data&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
]]></content><description>&lt;h1 id="access-and-permissions-for-grafana-alloy-on-linux">Access and permissions for Grafana Alloy on Linux&lt;/h1>
&lt;p>Alloy requires read access to &lt;code>/proc&lt;/code>, &lt;code>/sys&lt;/code>, the systemd journal, application log files, and credentials for observability backends.
DEB and RPM packages for Alloy provide a dedicated &lt;code>alloy&lt;/code> user and systemd unit file.
Set filesystem permissions, systemd restrictions, and read access to match the components in your configuration.&lt;/p></description></item><item><title>Access and permissions for Grafana Alloy on Kubernetes</title><link>https://grafana.com/docs/alloy/v1.17/access_permissions/kubernetes/</link><pubDate>Tue, 30 Jun 2026 15:02:01 +0000</pubDate><guid>https://grafana.com/docs/alloy/v1.17/access_permissions/kubernetes/</guid><content><![CDATA[&lt;h1 id=&#34;access-and-permissions-for-grafana-alloy-on-kubernetes&#34;&gt;Access and permissions for Grafana Alloy on Kubernetes&lt;/h1&gt;
&lt;p&gt;Alloy requires read access to Kubernetes API resources, node and container telemetry, and credentials for observability backends.
The Alloy container image runs as &lt;code&gt;root&lt;/code&gt; by default and defines a non-root &lt;code&gt;alloy&lt;/code&gt; user with UID &lt;code&gt;473&lt;/code&gt; and GID &lt;code&gt;473&lt;/code&gt;.
Set &lt;code&gt;securityContext&lt;/code&gt;, RBAC, and network settings to match the components in your configuration.&lt;/p&gt;
&lt;p&gt;The &lt;a href=&#34;https://hub.docker.com/r/grafana/alloy&#34; target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Alloy Docker container image&lt;/a&gt; defines two users:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A &lt;code&gt;root&lt;/code&gt; user.&lt;/li&gt;
&lt;li&gt;A non-root user named &lt;code&gt;alloy&lt;/code&gt; with UID &lt;code&gt;473&lt;/code&gt; and GID &lt;code&gt;473&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;


&lt;div class=&#34;admonition admonition-note&#34;&gt;&lt;blockquote&gt;&lt;p class=&#34;title text-uppercase&#34;&gt;Note&lt;/p&gt;&lt;p&gt;Components like &lt;a href=&#34;../../reference/components/beyla/beyla.ebpf/&#34;&gt;beyla.ebpf&lt;/a&gt; and &lt;a href=&#34;../../reference/components/pyroscope/pyroscope.ebpf/&#34;&gt;pyroscope.ebpf&lt;/a&gt; need root or additional Linux capabilities.
Don&amp;rsquo;t set &lt;code&gt;capabilities.drop: [ALL]&lt;/code&gt; when these components are in your configuration.
Refer to the component references for required capabilities and Pod settings.&lt;/p&gt;&lt;/blockquote&gt;&lt;/div&gt;

&lt;h2 id=&#34;run-as-a-non-root-user&#34;&gt;Run as a non-root user&lt;/h2&gt;
&lt;p&gt;To run Alloy as a non-root user, configure a &lt;a href=&#34;https://kubernetes.io/docs/tasks/configure-pod-container/security-context/&#34; target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;security context&lt;/a&gt; for the Alloy container.
If you use the &lt;a href=&#34;../../configure/kubernetes/#configure-the-helm-chart&#34;&gt;Grafana Helm chart&lt;/a&gt;, add this to &lt;code&gt;values.yaml&lt;/code&gt;:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;YAML&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-yaml&#34;&gt;alloy:
  securityContext:
    runAsUser: 473
    runAsGroup: 473

global:
  podSecurityContext:
    fsGroup: 473

configReloader:
  securityContext:
    # this is the UID of the &amp;#34;nobody&amp;#34; user that the configReloader image runs as
    runAsUser: 65534
    runAsGroup: 65534&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;This configuration runs the Alloy binary with UID &lt;code&gt;473&lt;/code&gt; and GID &lt;code&gt;473&lt;/code&gt; instead of as &lt;code&gt;root&lt;/code&gt;.
It also runs the &lt;code&gt;config reloader&lt;/code&gt; sidecar as UID &lt;code&gt;65534&lt;/code&gt; and GID &lt;code&gt;65534&lt;/code&gt;.&lt;/p&gt;
&lt;h2 id=&#34;set-container-permissions&#34;&gt;Set container permissions&lt;/h2&gt;
&lt;p&gt;Set &lt;code&gt;securityContext&lt;/code&gt; at the Pod and container level to limit filesystem writes, privilege escalation, and Linux capabilities:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;YAML&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-yaml&#34;&gt;spec:
  securityContext:
    runAsUser: 473
    runAsGroup: 473
    fsGroup: 473
    runAsNonRoot: true
  containers:
    - name: alloy
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;runAsNonRoot: true&lt;/code&gt; causes Kubernetes to reject the Pod if the image tries to run as root.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;readOnlyRootFilesystem: true&lt;/code&gt; blocks writes to the container filesystem except on mounted volumes.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;allowPrivilegeEscalation: false&lt;/code&gt; blocks privilege escalation beyond the parent process, regardless of file capabilities or &lt;code&gt;setuid&lt;/code&gt; bits.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;capabilities.drop: [ALL]&lt;/code&gt; removes all Linux capabilities from the container.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When you set &lt;code&gt;readOnlyRootFilesystem: true&lt;/code&gt;, mount a writable volume at the Alloy storage path or change &lt;code&gt;alloy.storagePath&lt;/code&gt; to a path on a mounted volume.&lt;/p&gt;


&lt;div class=&#34;admonition admonition-note&#34;&gt;&lt;blockquote&gt;&lt;p class=&#34;title text-uppercase&#34;&gt;Note&lt;/p&gt;&lt;p&gt;If you use components that need elevated host access, for example &lt;a href=&#34;../../reference/components/beyla/beyla.ebpf/&#34;&gt;&lt;code&gt;beyla.ebpf&lt;/code&gt;&lt;/a&gt; or &lt;a href=&#34;../../reference/components/pyroscope/pyroscope.ebpf/&#34;&gt;&lt;code&gt;pyroscope.ebpf&lt;/code&gt;&lt;/a&gt;, add the capabilities those components need.
Don&amp;rsquo;t drop all capabilities when these components are in your configuration.
Refer to the component references for required capabilities and volume mounts.&lt;/p&gt;&lt;/blockquote&gt;&lt;/div&gt;

&lt;h2 id=&#34;restrict-the-http-server&#34;&gt;Restrict the HTTP server&lt;/h2&gt;
&lt;p&gt;The Grafana Helm chart sets &lt;code&gt;alloy.listenAddr&lt;/code&gt; to &lt;code&gt;0.0.0.0&lt;/code&gt; by default so other Pods can reach the container on port &lt;code&gt;12345&lt;/code&gt;.
Set &lt;code&gt;alloy.listenAddr&lt;/code&gt; to &lt;code&gt;127.0.0.1&lt;/code&gt; in &lt;code&gt;values.yaml&lt;/code&gt; or restrict access with a NetworkPolicy when you don&amp;rsquo;t need cross-Pod access to the UI or &lt;code&gt;/metrics&lt;/code&gt; endpoint.
The container image uses the binary default of &lt;code&gt;127.0.0.1:12345&lt;/code&gt; when you don&amp;rsquo;t pass &lt;code&gt;--server.http.listen-addr&lt;/code&gt;.
Refer to the &lt;a href=&#34;../../reference/config-blocks/http/&#34;&gt;&lt;code&gt;http&lt;/code&gt; block&lt;/a&gt; for TLS and authentication options.&lt;/p&gt;
&lt;h2 id=&#34;kubernetes-rbac&#34;&gt;Kubernetes RBAC&lt;/h2&gt;
&lt;p&gt;Alloy needs RBAC permissions to interact with Kubernetes APIs.
The Helm chart creates a &lt;code&gt;ClusterRole&lt;/code&gt; and &lt;code&gt;ClusterRoleBinding&lt;/code&gt; when &lt;code&gt;rbac.create&lt;/code&gt; is &lt;code&gt;true&lt;/code&gt;.
The Helm chart sets &lt;code&gt;rbac.rules&lt;/code&gt; and &lt;code&gt;rbac.clusterRules&lt;/code&gt; in &lt;code&gt;values.yaml&lt;/code&gt;.
Refer to the &lt;a href=&#34;../../configure/kubernetes/#configure-the-helm-chart&#34;&gt;Grafana Helm chart&lt;/a&gt; &lt;code&gt;values.yaml&lt;/code&gt; or README for the default rule blocks and the components each one supports.&lt;/p&gt;
&lt;p&gt;To limit permissions, set &lt;code&gt;rbac.rules&lt;/code&gt; and &lt;code&gt;rbac.clusterRules&lt;/code&gt; to only the rule blocks your configuration uses.
Helm replaces each array in full, so copy the defaults and remove the blocks you don&amp;rsquo;t need.
Set &lt;code&gt;rbac.create&lt;/code&gt; to &lt;code&gt;false&lt;/code&gt; if you manage RBAC outside the chart.&lt;/p&gt;
&lt;p&gt;Review the RBAC resources the Helm chart creates:&lt;/p&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;shell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-shell&#34;&gt;helm template alloy grafana/alloy --show-only templates/rbac.yaml&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;h2 id=&#34;next-steps&#34;&gt;Next steps&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;../../configure/kubernetes/&#34;&gt;Configure Alloy on Kubernetes&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;../../monitor/monitor-kubernetes-logs/&#34;&gt;Monitor Kubernetes logs with Alloy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;../../collect/&#34;&gt;Collect and forward data&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
]]></content><description>&lt;h1 id="access-and-permissions-for-grafana-alloy-on-kubernetes">Access and permissions for Grafana Alloy on Kubernetes&lt;/h1>
&lt;p>Alloy requires read access to Kubernetes API resources, node and container telemetry, and credentials for observability backends.
The Alloy container image runs as &lt;code>root&lt;/code> by default and defines a non-root &lt;code>alloy&lt;/code> user with UID &lt;code>473&lt;/code> and GID &lt;code>473&lt;/code>.
Set &lt;code>securityContext&lt;/code>, RBAC, and network settings to match the components in your configuration.&lt;/p></description></item><item><title>Access and permissions for Grafana Alloy on Windows</title><link>https://grafana.com/docs/alloy/v1.17/access_permissions/windows/</link><pubDate>Tue, 30 Jun 2026 15:02:01 +0000</pubDate><guid>https://grafana.com/docs/alloy/v1.17/access_permissions/windows/</guid><content><![CDATA[&lt;h1 id=&#34;access-and-permissions-for-grafana-alloy-on-windows&#34;&gt;Access and permissions for Grafana Alloy on Windows&lt;/h1&gt;
&lt;p&gt;Alloy requires read access to Windows Event Logs, performance counters, application log files, and credentials for observability backends.
The Windows installer registers the Alloy service to run as &lt;code&gt;LOCAL SYSTEM&lt;/code&gt;.
Set the service account, security group membership, and filesystem permissions to match the components in your configuration.&lt;/p&gt;
&lt;h2 id=&#34;run-as-a-dedicated-service-account&#34;&gt;Run as a dedicated service account&lt;/h2&gt;
&lt;p&gt;Create a dedicated Windows service account and assign it to the Alloy service.&lt;/p&gt;
&lt;h3 id=&#34;required-user-rights&#34;&gt;Required user rights&lt;/h3&gt;
&lt;p&gt;The service account needs the &lt;a href=&#34;https://learn.microsoft.com/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/log-on-as-a-service&#34; target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;&lt;code&gt;Log on as a service&lt;/code&gt;&lt;/a&gt; user right.
Windows requires this right for any account that runs a service.&lt;/p&gt;
&lt;p&gt;Assign the right in the Local Security Policy editor at &lt;code&gt;secpol.msc&lt;/code&gt; under &lt;strong&gt;Security Settings &amp;gt; Local Policies &amp;gt; User Rights Assignment&lt;/strong&gt;.&lt;/p&gt;
&lt;h3 id=&#34;assign-the-service-account&#34;&gt;Assign the service account&lt;/h3&gt;
&lt;p&gt;Stop the service, assign the account, and start the service again.&lt;/p&gt;
&lt;p&gt;Run these commands in an elevated Command Prompt or PowerShell session:&lt;/p&gt;
&lt;div data-element=&#34;tabs&#34;&gt;
  &lt;div data-element=&#34;tabs-bar&#34;&gt;
    
      &lt;div data-element=&#34;tab&#34; data-key=&#34;0&#34; data-label=&#34;cmd&#34;&gt;cmd&lt;/div&gt;
    
      &lt;div data-element=&#34;tab&#34; data-key=&#34;1&#34; data-label=&#34;powershell&#34;&gt;powershell&lt;/div&gt;
    
  &lt;/div&gt;
  &lt;div data-element=&#34;tab-content&#34;&gt;
    
&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;cmd&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-cmd&#34;&gt;sc stop Alloy
sc config Alloy obj= &amp;#34;DOMAIN\username&amp;#34; password= &amp;#34;password&amp;#34;
sc start Alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;div class=&#34;code-snippet &#34;&gt;&lt;div class=&#34;lang-toolbar&#34;&gt;
    &lt;span class=&#34;lang-toolbar__item lang-toolbar__item-active&#34;&gt;powershell&lt;/span&gt;
    &lt;div class=&#34;lang-toolbar__border&#34;&gt;&lt;/div&gt;
  &lt;/div&gt;&lt;div class=&#34;code-snippet &#34;&gt;
    &lt;pre data-expanded=&#34;false&#34;&gt;&lt;code class=&#34;language-powershell&#34;&gt;Stop-Service Alloy
sc.exe config Alloy obj= &amp;#34;DOMAIN\username&amp;#34; password= &amp;#34;password&amp;#34;
Start-Service Alloy&lt;/code&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;

  &lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Replace &lt;code&gt;DOMAIN\username&lt;/code&gt; and &lt;code&gt;password&lt;/code&gt; with the service account credentials.
For a local account, use &lt;code&gt;COMPUTERNAME\username&lt;/code&gt; or &lt;code&gt;.\username&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;You can also open &lt;strong&gt;Services&lt;/strong&gt; (&lt;code&gt;services.msc&lt;/code&gt;), open &lt;strong&gt;Grafana Alloy&lt;/strong&gt; properties, select the &lt;strong&gt;Log On&lt;/strong&gt; tab, and choose &lt;strong&gt;This account&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;If you haven&amp;rsquo;t installed Alloy yet, you can set the service account during a silent install with &lt;code&gt;/USERNAME&lt;/code&gt; and &lt;code&gt;/PASSWORD&lt;/code&gt;.
Refer to &lt;a href=&#34;../../set-up/install/windows/&#34;&gt;Install Alloy on Windows&lt;/a&gt; for those options.&lt;/p&gt;
&lt;h2 id=&#34;windows-security-groups&#34;&gt;Windows security groups&lt;/h2&gt;
&lt;p&gt;Add the service account to &lt;a href=&#34;https://learn.microsoft.com/windows-server/identity/ad-ds/manage/understand-security-groups&#34; target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Windows security groups&lt;/a&gt; based on what you collect:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href=&#34;https://learn.microsoft.com/windows-server/identity/ad-ds/manage/understand-security-groups#event-log-readers&#34; target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Event Log Readers&lt;/a&gt;&lt;/strong&gt;: Read Application, System, Security, and custom event logs.
Required for Windows Event Log collection.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href=&#34;https://learn.microsoft.com/windows-server/identity/ad-ds/manage/understand-security-groups#performance-monitor-users&#34; target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Performance Monitor Users&lt;/a&gt;&lt;/strong&gt;: Read performance counter data for CPU, memory, disk I/O, and network usage.
Required for Windows performance metrics.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href=&#34;https://learn.microsoft.com/windows-server/identity/ad-ds/manage/understand-security-groups#performance-log-users&#34; target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Performance Log Users&lt;/a&gt;&lt;/strong&gt;: Manage Data Collector Sets and performance counter logs.
Required for advanced or historical data collection.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;file-system-and-network-permissions&#34;&gt;File system and network permissions&lt;/h2&gt;
&lt;p&gt;Grant the service account read, write, and modify permissions on &lt;code&gt;%PROGRAMDATA%\GrafanaLabs\Alloy\data&lt;/code&gt;, where Alloy stores its write-ahead log and runtime data.&lt;/p&gt;
&lt;p&gt;If Alloy reads application log files from disk, grant the service account read access to those files and their parent directories through &lt;a href=&#34;https://learn.microsoft.com/windows/win32/secauthz/access-control-lists&#34; target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Access Control Lists&lt;/a&gt; or a custom group.&lt;/p&gt;
&lt;p&gt;Alloy needs outbound network access to its telemetry endpoints, for example Prometheus remote write, Loki, and OTLP.
Allow outbound connections from the host on the ports your configuration uses.&lt;/p&gt;
&lt;p&gt;The service account may need read access to &lt;code&gt;HKEY_LOCAL_MACHINE\SOFTWARE\GrafanaLabs\Alloy&lt;/code&gt; to read &lt;a href=&#34;../../configure/windows/&#34;&gt;environment variables&lt;/a&gt; and &lt;a href=&#34;../../configure/windows/&#34;&gt;command-line arguments&lt;/a&gt;.
Refer to &lt;a href=&#34;https://learn.microsoft.com/windows/win32/sysinfo/registry-key-security-and-access-rights&#34; target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Registry key security and access rights&lt;/a&gt; for details.&lt;/p&gt;
&lt;p&gt;If you enable the Alloy UI, the service account needs &lt;a href=&#34;https://learn.microsoft.com/windows/security/operating-system-security/network-security/windows-firewall/rules&#34; target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;permission to listen&lt;/a&gt; on the configured port.
The default port is &lt;code&gt;12345&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Some components write temporary files in the system temp directories.
If you use the process or service collectors in the integrated Windows Exporter, the service account also needs permission to enumerate processes and services.&lt;/p&gt;
&lt;h2 id=&#34;restrict-the-http-server&#34;&gt;Restrict the HTTP server&lt;/h2&gt;
&lt;p&gt;By default, Alloy binds its HTTP server to &lt;code&gt;127.0.0.1:12345&lt;/code&gt;.
Expose the endpoint only when you need remote access to the UI or metrics, and add authentication or TLS when you do.
Refer to the &lt;a href=&#34;../../reference/config-blocks/http/&#34;&gt;&lt;code&gt;http&lt;/code&gt; block&lt;/a&gt; for configuration options.&lt;/p&gt;
&lt;h2 id=&#34;next-steps&#34;&gt;Next steps&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;../../configure/windows/&#34;&gt;Configure Alloy on Windows&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;../../monitor/monitor-windows/&#34;&gt;Monitor Windows with Alloy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;../../collect/&#34;&gt;Collect and forward data&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
]]></content><description>&lt;h1 id="access-and-permissions-for-grafana-alloy-on-windows">Access and permissions for Grafana Alloy on Windows&lt;/h1>
&lt;p>Alloy requires read access to Windows Event Logs, performance counters, application log files, and credentials for observability backends.
The Windows installer registers the Alloy service to run as &lt;code>LOCAL SYSTEM&lt;/code>.
Set the service account, security group membership, and filesystem permissions to match the components in your configuration.&lt;/p></description></item></channel></rss>