---
title: "GEL Configuration Reference | Grafana Enterprise Logs documentation"
description: "GEL Configuration reference Grafana Enterprise Logs can be configured using a YAML file - specified using the -config.file flag - or CLI flags. In case you combine both, CLI flags take precedence over the YAML config file."
---

# GEL Configuration reference

Grafana Enterprise Logs can be configured using a YAML file (specified using the `-config.file` flag) or CLI flags. If you combine both, CLI flags take precedence over the YAML config file.

The current configuration of any GEL component can be seen by visiting the `/config` HTTP path. Passwords are filtered out of this endpoint.

## Reference

To specify which configuration file to load, pass the `-config.file` flag at the command line. The file is written in [YAML format](https://en.wikipedia.org/wiki/YAML), defined by the schema below. Brackets indicate that a parameter is optional. For general Loki configuration (for example, the compactor and ingester configuration docs), see the [Loki Configuration Reference](/docs/enterprise-logs/latest/config/loki-config-reference/).

### Generic placeholders

- `<boolean>`: a boolean that can take the values `true` or `false`
- `<int>`: any integer matching the regular expression `[1-9]+[0-9]*`
- `<duration>`: a duration matching the regular expression `[0-9]+(ns|us|µs|ms|s|m|h|d|w|y)` where y = 365 days
- `<string>`: a regular string
- `<url>`: a URL
- `<prefix>`: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)
- `<time>`: a timestamp, with available formats: `2006-01-20` (midnight, local timezone), `2006-01-20T15:04` (local timezone), and RFC 3339 formats: `2006-01-20T15:04:05Z` (UTC) or `2006-01-20T15:04:05+07:00` (explicit timezone)

### Use environment variables in the configuration

You can use environment variable references in the config file to set values that need to be configurable during deployment by using the `-config.expand-env` flag. To do this, use:

```none
${VAR}
```

Where VAR is the name of the environment variable.

Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.

To specify a default value, use:

```none
${VAR:default_value}
```

Where default\_value is the value to use if the environment variable is undefined.
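The following added example (not part of the GEL documentation or code base) models the expansion rules described above as a pre-deployment check: it expands `${VAR}` and `${VAR:default_value}` in the raw config text and reports every reference that would silently become an empty string. The sample config, the environment values and the `SECRET_KEYS` list are constructed for illustration; the custom error text form is not modelled because its syntax is not shown on this page.

```python
import re

# The two reference forms shown on this page: ${VAR} and ${VAR:default_value}.
REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")
# Leading "key:" of a YAML line, used only to label findings.
KEY = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:")

# Credential-bearing keys taken from the reference on this page (assumed list).
SECRET_KEYS = {
    "password", "acl_token", "secret_access_key", "session_token",
    "account_key", "connection_string", "service_account",
    "application_credential_secret",
}


def expand_env(text, env):
    """Expand references in raw config text, before any YAML parsing.

    Returns (expanded_text, findings). Each finding is a tuple
    (line_number, yaml_key, variable) for a reference that is undefined and
    has no default, i.e. one that is replaced by an empty string.
    """
    out, findings = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        key_match = KEY.match(line)
        key = key_match.group(1) if key_match else None

        def substitute(m, lineno=lineno, key=key):
            name, default = m.group(1), m.group(2)
            if name in env:            # lookup is case-sensitive
                return env[name]
            if default is not None:    # ${VAR:default_value}
                return default
            findings.append((lineno, key, name))
            return ""                  # undefined and no default

        out.append(REF.sub(substitute, line))
    return "\n".join(out), findings


def empty_credentials(findings):
    """Keep only findings whose YAML key holds a credential."""
    return [f for f in findings if f[1] in SECRET_KEYS]


# Constructed sample: the last reference is lower-case, so it does not match
# the upper-case variable defined in SAMPLE_ENV.
SAMPLE_CONFIG = """\
cluster_name: ${GEL_CLUSTER:dev-cluster}
admin_client:
  storage:
    s3:
      bucket_name: ${ADMIN_BUCKET}
      access_key_id: ${S3_ACCESS_KEY_ID}
      secret_access_key: ${s3_secret_access_key}
"""

SAMPLE_ENV = {
    "ADMIN_BUCKET": "gel-admin",
    "S3_ACCESS_KEY_ID": "example-key-id",
    "S3_SECRET_ACCESS_KEY": "constructed-secret",
}

if __name__ == "__main__":
    expanded, findings = expand_env(SAMPLE_CONFIG, SAMPLE_ENV)
    print(expanded)
    for lineno, key, name in empty_credentials(findings):
        print(f"line {lineno}: {key} expands to an empty string "
              f"(${{{name}}} is undefined and has no default)")
```

Running the check against the same environment the GEL process will start with catches misspelled or wrongly cased variable names before they turn into empty credentials.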

### GEL specific supported contents and default values of the config file

```yaml
# The admin_api_config configures the admin API.
[admin_api: <admin_api_config>]

# The admin_client_config configures how the Admin API service connects to the
# storage backend.
[admin_client: <admin_client_config>]

# The auth_config configures the authentication type to use.
[auth: <auth_config>]

# The gateway_config configures the gateway proxy.
[gateway: <gateway_config>]

# The license_config configures the license validation module.
[license: <license_config>]

# The tokengen_config configures the tokengen target.
[tokengen: <tokengen_config>]

enterprise_limits:

enterprise_runtime_config:
  # How often to check runtime config files.
  # CLI flag: -enterprise-runtime-config.reload-period
  [period: <duration> | default = 10s]

  # Comma separated list of yaml files with the configuration that can be
  # updated at runtime. Runtime config files will be merged from left to right.
  # CLI flag: -enterprise-runtime-config.file
  [file: <string> | default = ""]

# Unique ID of this GEL cluster.
# CLI flag: -cluster-name
[cluster_name: <string> | default = ""]

usage_metrics:
  # Interval between purges of cardinality.
  # CLI flag: -usage-metrics.purge-period
  [purge_period: <duration> | default = 5m]
```

### admin\_api\_config

The `admin_api_config` configures the admin API.

```yaml
# Designated header to parse when searching for the grafana user ID of the user
# accessing the API.
# CLI flag: -admin.api.user-header-name
[user_header_name: <string> | default = "X-WEBAUTH-USER"]

leader_election:
  # This flag enables leader election for the admin api.
  # CLI flag: -admin-api.leader-election.enabled
  [enabled: <boolean> | default = true]

  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -admin-api.leader-election.ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -admin-api.leader-election.ring.prefix
      [prefix: <string> | default = "leader-election/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -admin-api.leader-election.ring.consul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

        # Maximum duration to wait before retrying a Compare And Swap (CAS)
        # operation.
        # CLI flag: -admin-api.leader-election.ring.consul.cas-retry-delay
        [cas_retry_delay: <duration> | default = 1s]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -admin-api.leader-election.ring.etcd.endpoints
        [endpoints: <list of string> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -admin-api.leader-election.ring.etcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -admin-api.leader-election.ring.etcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate, which will be used for authenticating
        # with the server. Also requires the key path to be configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key for the client certificate. Also requires the client
        # certificate to be configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates to validate server certificate against. If
        # not set, the host's root CA certificates are used.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Override the default cipher suite list (separated by commas).
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-cipher-suites
        [tls_cipher_suites: <string> | default = ""]

        # Override the default minimum TLS version. Allowed values:
        # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-min-version
        [tls_min_version: <string> | default = ""]

        # Etcd username.
        # CLI flag: -admin-api.leader-election.ring.etcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -admin-api.leader-election.ring.etcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # Period at which to heartbeat to the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-period
    [heartbeat_period: <duration> | default = 15s]

    # The heartbeat timeout after which admin-api instances are considered
    # unhealthy within the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # Period to wait after generating tokens to resolve collisions. Required
    # when using a gossip ring KV store.
    # CLI flag: -admin-api.leader-election.ring.tokens-observe-period
    [tokens_observe_period: <duration> | default = 1m]

    # Name of network interface to read address from.
    # CLI flag: -admin-api.leader-election.ring.instance-interface-names
    [instance_interface_names: <list of string> | default = [eth0]]

    # Port to advertise in the ring (defaults to server.grpc-listen-port).
    # CLI flag: -admin-api.leader-election.ring.instance-port
    [instance_port: <int> | default = 0]

    # IP address to advertise in the ring.
    # CLI flag: -admin-api.leader-election.ring.instance-addr
    [instance_addr: <string> | default = ""]

    # Enable using an IPv6 instance address.
    # CLI flag: -admin-api.leader-election.ring.instance-enable-ipv6
    [instance_enable_ipv6: <boolean> | default = false]

  client_config:
    # gRPC client max receive message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 104857600]

    # Use compression when sending messages. Supported values are: 'gzip',
    # 'snappy' and '' (disable compression)
    # CLI flag: -admin-api.leader-election.client.grpc-compression
    [grpc_compression: <string> | default = ""]

    # Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # Rate limit burst for gRPC client.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # Enable backoff and retry when we hit rate limits.
    # CLI flag: -admin-api.leader-election.client.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # Minimum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # Maximum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-max-period
      [max_period: <duration> | default = 10s]

      # Number of times to backoff and retry before failing.
      # CLI flag: -admin-api.leader-election.client.backoff-retries
      [max_retries: <int> | default = 10]

    # Initial stream window size. Values less than the default are not supported
    # and are ignored. Setting this to a value other than the default disables
    # the BDP estimator.
    # CLI flag: -admin-api.leader-election.client.initial-stream-window-size
    [initial_stream_window_size: <int> | default = 63KiB1023B]

    # Initial connection window size. Values less than the default are not
    # supported and are ignored. Setting this to a value other than the default
    # disables the BDP estimator.
    # CLI flag: -admin-api.leader-election.client.initial-connection-window-size
    [initial_connection_window_size: <int> | default = 63KiB1023B]

    # Enable TLS in the gRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -admin-api.leader-election.client.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -admin-api.leader-election.client.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -admin-api.leader-election.client.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -admin-api.leader-election.client.tls-min-version
    [tls_min_version: <string> | default = ""]

    # The maximum amount of time to establish a connection. A value of 0 means
    # default gRPC client connect timeout and backoff.
    # CLI flag: -admin-api.leader-election.client.connect-timeout
    [connect_timeout: <duration> | default = 5s]

    # Initial backoff delay after first connection failure. Only relevant if
    # ConnectTimeout > 0.
    # CLI flag: -admin-api.leader-election.client.connect-backoff-base-delay
    [connect_backoff_base_delay: <duration> | default = 1s]

    # Maximum backoff delay when establishing a connection. Only relevant if
    # ConnectTimeout > 0.
    # CLI flag: -admin-api.leader-election.client.connect-backoff-max-delay
    [connect_backoff_max_delay: <duration> | default = 5s]

    cluster_validation:
      # Primary cluster validation label.
      # CLI flag: -admin-api.leader-election.client.cluster-validation.label
      [label: <string> | default = ""]

limits:
  # Enable API-based limits per-tenant.
  # CLI flag: -admin-api.limits.enabled
  [enabled: <boolean> | default = false]

  # Refresh period for per-tenant limits.
  # CLI flag: -admin-api.limits.refresh-period
  [refresh_period: <duration> | default = 1m]
```

### admin\_client\_config

The `admin_client_config` configures how the Admin API service connects to the storage backend.

```yaml
storage:
  # Enable caching on the versioned client.
  # CLI flag: -admin.client.cache.enabled
  [enable_cache: <boolean> | default = true]

  cache:
    # Cache backend type. Supported values are: memcached, inmemory.
    # CLI flag: -admin.client.cache.backend
    [backend: <string> | default = "inmemory"]

    memcached:
      # Comma-separated list of memcached addresses. Each address can be an IP
      # address, hostname, or an entry specified in the DNS Service Discovery
      # format.
      # CLI flag: -admin.client.cache.memcached.addresses
      [addresses: <string> | default = ""]

      # The socket read/write timeout.
      # CLI flag: -admin.client.cache.memcached.timeout
      [timeout: <duration> | default = 200ms]

      # The connection timeout.
      # CLI flag: -admin.client.cache.memcached.connect-timeout
      [connect_timeout: <duration> | default = 200ms]

      # The minimum number of idle connections to keep open as a percentage
      # (0-100) of the number of recently used idle connections. If negative,
      # idle connections are kept open indefinitely.
      # CLI flag: -admin.client.cache.memcached.min-idle-connections-headroom-percentage
      [min_idle_connections_headroom_percentage: <float> | default = -1]

      # The maximum number of idle connections that will be maintained per
      # address.
      # CLI flag: -admin.client.cache.memcached.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # The maximum number of concurrent asynchronous operations that can occur.
      # CLI flag: -admin.client.cache.memcached.max-async-concurrency
      [max_async_concurrency: <int> | default = 50]

      # The maximum number of enqueued asynchronous operations allowed.
      # CLI flag: -admin.client.cache.memcached.max-async-buffer-size
      [max_async_buffer_size: <int> | default = 25000]

      # The maximum number of concurrent connections running get operations. If
      # set to 0, concurrency is unlimited.
      # CLI flag: -admin.client.cache.memcached.max-get-multi-concurrency
      [max_get_multi_concurrency: <int> | default = 100]

      # The maximum number of keys a single underlying get operation should run.
      # If more keys are specified, internally keys are split into multiple
      # batches and fetched concurrently, honoring the max concurrency. If set
      # to 0, the max batch size is unlimited.
      # CLI flag: -admin.client.cache.memcached.max-get-multi-batch-size
      [max_get_multi_batch_size: <int> | default = 100]

      # The maximum size of an item stored in memcached, in bytes. Bigger items
      # are not stored. If set to 0, no maximum size is enforced.
      # CLI flag: -admin.client.cache.memcached.max-item-size
      [max_item_size: <int> | default = 1048576]

      # Enable connecting to Memcached with TLS.
      # CLI flag: -admin.client.cache.memcached.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Path to the client certificate, which will be used for authenticating
      # with the server. Also requires the key path to be configured.
      # CLI flag: -admin.client.cache.memcached.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key for the client certificate. Also requires the client
      # certificate to be configured.
      # CLI flag: -admin.client.cache.memcached.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Path to the CA certificates to validate server certificate against. If
      # not set, the host's root CA certificates are used.
      # CLI flag: -admin.client.cache.memcached.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -admin.client.cache.memcached.tls-server-name
      [tls_server_name: <string> | default = ""]

      # Skip validating server certificate.
      # CLI flag: -admin.client.cache.memcached.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Override the default cipher suite list (separated by commas).
      # CLI flag: -admin.client.cache.memcached.tls-cipher-suites
      [tls_cipher_suites: <string> | default = ""]

      # Override the default minimum TLS version. Allowed values: VersionTLS10,
      # VersionTLS11, VersionTLS12, VersionTLS13
      # CLI flag: -admin.client.cache.memcached.tls-min-version
      [tls_min_version: <string> | default = ""]

      # Allow client creation even if initial DNS resolution fails.
      # CLI flag: -admin.client.cache.memcached.dns-ignore-startup-failures
      [dns_ignore_startup_failures: <boolean> | default = true]

    # How long an item should be cached before being evicted. Only available for
    # remote cache (memcached), for inmemory it is capped at 1 minute.
    # CLI flag: -admin.client.cache.expiration
    [expiration: <duration> | default = 24h]

    # How frequently to reload tokens from storage to keep the cache warm.
    # Default disabled.
    # CLI flag: -admin.client.cache.refresh-interval
    [refresh_interval: <duration> | default = 0s]

  s3:
    # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
    # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
    # S3-compatible service in hostname:port format.
    # CLI flag: -admin.client.s3.endpoint
    [endpoint: <string> | default = ""]

    # S3 region. If unset, the client will issue a S3 GetBucketLocation API call
    # to autodetect it.
    # CLI flag: -admin.client.s3.region
    [region: <string> | default = ""]

    # S3 bucket name
    # CLI flag: -admin.client.s3.bucket-name
    [bucket_name: <string> | default = ""]

    # S3 secret access key
    # CLI flag: -admin.client.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # S3 access key ID
    # CLI flag: -admin.client.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # S3 session token
    # CLI flag: -admin.client.s3.session-token
    [session_token: <string> | default = ""]

    # If enabled, use http:// for the S3 endpoint instead of https://. This
    # could be useful in local dev/test environments while using an
    # S3-compatible backend storage, like Minio.
    # CLI flag: -admin.client.s3.insecure
    [insecure: <boolean> | default = false]

    # Use a specific version of the S3 list object API. Supported values are v1
    # or v2. Default is unset.
    # CLI flag: -admin.client.s3.list-objects-version
    [list_objects_version: <string> | default = ""]

    # Bucket lookup style type, used to access bucket in S3-compatible service.
    # Default is auto. Supported values are: auto, path, virtual-hosted.
    # CLI flag: -admin.client.s3.bucket-lookup-type
    [bucket_lookup_type: <int> | default = auto]

    # When enabled, direct all AWS S3 requests to the dual-stack IPv4/IPv6
    # endpoint for the configured region.
    # CLI flag: -admin.client.s3.dualstack-enabled
    [dualstack_enabled: <boolean> | default = true]

    # The S3 storage class to use, not set by default. Details can be found at
    # https://aws.amazon.com/s3/storage-classes/. Supported values are:
    # STANDARD, REDUCED_REDUNDANCY, GLACIER, STANDARD_IA, ONEZONE_IA,
    # INTELLIGENT_TIERING, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW,
    # EXPRESS_ONEZONE, FSX_OPENZFS, FSX_ONTAP
    # CLI flag: -admin.client.s3.storage-class
    [storage_class: <string> | default = ""]

    # If enabled, it will use the default authentication methods of the AWS SDK
    # for Go based on known environment variables and known AWS config files.
    # CLI flag: -admin.client.s3.native-aws-auth-enabled
    [native_aws_auth_enabled: <boolean> | default = false]

    # The minimum file size in bytes used for multipart uploads. If 0, the value
    # is optimally computed for each object.
    # CLI flag: -admin.client.s3.part-size
    [part_size: <int> | default = 0]

    # If enabled, a Content-MD5 header is sent with S3 Put Object requests.
    # Consumes more resources to compute the MD5, but may improve compatibility
    # with object storage services that do not support checksums.
    # CLI flag: -admin.client.s3.send-content-md5
    [send_content_md5: <boolean> | default = false]

    # Accessing S3 resources using temporary, secure credentials provided by AWS
    # Security Token Service.
    # CLI flag: -admin.client.s3.sts-endpoint
    [sts_endpoint: <string> | default = ""]

    # The maximum number of retries for S3 requests that are retryable. Default
    # is 10, set this to 1 to disable retries.
    # CLI flag: -admin.client.s3.max-retries
    [max_retries: <int> | default = 10]

    sse:
      # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
      # CLI flag: -admin.client.s3.sse.type
      [type: <string> | default = ""]

      # KMS Key ID used to encrypt objects in S3
      # CLI flag: -admin.client.s3.sse.kms-key-id
      [kms_key_id: <string> | default = ""]

      # KMS Encryption Context used for object encryption. It expects JSON
      # formatted string.
      # CLI flag: -admin.client.s3.sse.kms-encryption-context
      [kms_encryption_context: <string> | default = ""]

    http:
      # The time an idle connection will remain idle before closing.
      # CLI flag: -admin.client.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # The amount of time the client will wait for a server's response headers.
      # CLI flag: -admin.client.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # If the client connects via HTTPS and this option is enabled, the client
      # will accept any certificate and hostname.
      # CLI flag: -admin.client.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -admin.client.s3.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # The time to wait for a server's first response headers after fully
      # writing the request headers if the request has an Expect header. 0 to
      # send the request body immediately.
      # CLI flag: -admin.client.s3.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # Maximum number of idle (keep-alive) connections across all hosts. 0
      # means no limit.
      # CLI flag: -admin.client.s3.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # Maximum number of idle (keep-alive) connections to keep per-host. If 0,
      # a built-in default value is used.
      # CLI flag: -admin.client.s3.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # Maximum number of connections per host. 0 means no limit.
      # CLI flag: -admin.client.s3.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

      # Path to the CA certificates to validate server certificate against. If
      # not set, the host's root CA certificates are used.
      # CLI flag: -admin.client.s3.http.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Path to the client certificate, which will be used for authenticating
      # with the server. Also requires the key path to be configured.
      # CLI flag: -admin.client.s3.http.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key for the client certificate. Also requires the client
      # certificate to be configured.
      # CLI flag: -admin.client.s3.http.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -admin.client.s3.http.tls-server-name
      [tls_server_name: <string> | default = ""]

    trace:
      # When enabled, low-level S3 HTTP operation information is logged at the
      # debug level.
      # CLI flag: -admin.client.s3.trace.enabled
      [enabled: <boolean> | default = false]

  gcs:
    # GCS bucket name
    # CLI flag: -admin.client.gcs.bucket-name
    [bucket_name: <string> | default = ""]

    # JSON either from a Google Developers Console client_credentials.json file,
    # or a Google Developers service account key. Needs to be valid JSON, not a
    # filesystem path.
    # CLI flag: -admin.client.gcs.service-account
    [service_account: <string> | default = ""]

    # The maximum size of the buffer that the GCS client uses for a single PUT
    # request. 0 to disable buffering.
    # CLI flag: -admin.client.gcs.chunk-buffer-size
    [chunk_buffer_size: <int> | default = 0]

    # The maximum number of retries for idempotent operations. Overrides the
    # default gcs storage client behavior if this value is greater than 0. Set
    # this to 1 to disable retries.
    # CLI flag: -admin.client.gcs.max-retries
    [max_retries: <int> | default = 10]

  azure:
    # Azure storage account name
    # CLI flag: -admin.client.azure.account-name
    [account_name: <string> | default = ""]

    # Azure storage account key. If unset, Azure managed identities will be used
    # for authentication instead.
    # CLI flag: -admin.client.azure.account-key
    [account_key: <string> | default = ""]

    # If `connection-string` is set, the value of `endpoint-suffix` will not be
    # used. Use this method over `account-key` if you need to authenticate via a
    # SAS token or if you use the Azurite emulator.
    # CLI flag: -admin.client.azure.connection-string
    [connection_string: <string> | default = ""]

    # Azure storage container name
    # CLI flag: -admin.client.azure.container-name
    [container_name: <string> | default = ""]

    # Azure storage endpoint suffix without schema. The account name will be
    # prefixed to this value to create the FQDN. If set to empty string, default
    # endpoint suffix is used.
    # CLI flag: -admin.client.azure.endpoint-suffix
    [endpoint_suffix: <string> | default = ""]

    # Number of retries for recoverable errors
    # CLI flag: -admin.client.azure.max-retries
    [max_retries: <int> | default = 20]

    # User assigned managed identity. If empty, then System assigned identity is
    # used.
    # CLI flag: -admin.client.azure.user-assigned-id
    [user_assigned_id: <string> | default = ""]

    # Delimiter used to replace ':' in chunk IDs when storing chunks
    # CLI flag: -admin.client.azure.chunk-delimiter
    [chunk_delimiter: <string> | default = "-"]

  swift:
    # OpenStack Swift application credential id
    # CLI flag: -admin.client.swift.application-credential-id
    [application_credential_id: <string> | default = ""]

    # OpenStack Swift application credential name
    # CLI flag: -admin.client.swift.application-credential-name
    [application_credential_name: <string> | default = ""]

    # OpenStack Swift application credential secret
    # CLI flag: -admin.client.swift.application-credential-secret
    [application_credential_secret: <string> | default = ""]

    # OpenStack Swift authentication API version. 0 to autodetect.
    # CLI flag: -admin.client.swift.auth-version
    [auth_version: <int> | default = 0]

    # OpenStack Swift authentication URL
    # CLI flag: -admin.client.swift.auth-url
    [auth_url: <string> | default = ""]

    # OpenStack Swift username.
    # CLI flag: -admin.client.swift.username
    [username: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -admin.client.swift.user-domain-name
    [user_domain_name: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -admin.client.swift.user-domain-id
    [user_domain_id: <string> | default = ""]

    # OpenStack Swift user ID.
    # CLI flag: -admin.client.swift.user-id
    [user_id: <string> | default = ""]

    # OpenStack Swift API key.
    # CLI flag: -admin.client.swift.password
    [password: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -admin.client.swift.domain-id
    [domain_id: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -admin.client.swift.domain-name
    [domain_name: <string> | default = ""]

    # OpenStack Swift project ID (v2,v3 auth only).
    # CLI flag: -admin.client.swift.project-id
    [project_id: <string> | default = ""]

    # OpenStack Swift project name (v2,v3 auth only).
    # CLI flag: -admin.client.swift.project-name
    [project_name: <string> | default = ""]

    # ID of the OpenStack Swift project's domain (v3 auth only), only needed if
    # it differs from the user domain.
    # CLI flag: -admin.client.swift.project-domain-id
    [project_domain_id: <string> | default = ""]

    # Name of the OpenStack Swift project's domain (v3 auth only), only needed
    # if it differs from the user domain.
    # CLI flag: -admin.client.swift.project-domain-name
    [project_domain_name: <string> | default = ""]

    # OpenStack Swift Region to use (v2,v3 auth only).
    # CLI flag: -admin.client.swift.region-name
    [region_name: <string> | default = ""]

    # Name of the OpenStack Swift container to put chunks in.
    # CLI flag: -admin.client.swift.container-name
    [container_name: <string> | default = ""]

    # Max retries on requests error.
    # CLI flag: -admin.client.swift.max-retries
    [max_retries: <int> | default = 3]

    # Time after which a connection attempt is aborted.
    # CLI flag: -admin.client.swift.connect-timeout
    [connect_timeout: <duration> | default = 10s]

    # Time after which an idle request is aborted. The timeout watchdog is reset
    # each time some data is received, so the timeout triggers after X time no
    # data is received on a request.
    # CLI flag: -admin.client.swift.request-timeout
    [request_timeout: <duration> | default = 5s]

    http:
      # The time an idle connection will remain idle before closing.
      # CLI flag: -admin.client.swift.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # The amount of time the client will wait for a server's response headers.
      # CLI flag: -admin.client.swift.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # If the client connects via HTTPS and this option is enabled, the client
      # will accept any certificate and hostname.
      # CLI flag: -admin.client.swift.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -admin.client.swift.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # The time to wait for a server's first response headers after fully
      # writing the request headers if the request has an Expect header. 0 to
      # send the request body immediately.
      # CLI flag: -admin.client.swift.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # Maximum number of idle (keep-alive) connections across all hosts. 0
      # means no limit.
      # CLI flag: -admin.client.swift.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # Maximum number of idle (keep-alive) connections to keep per-host. If 0,
      # a built-in default value is used.
      # CLI flag: -admin.client.swift.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # Maximum number of connections per host. 0 means no limit.
      # CLI flag: -admin.client.swift.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

      # Path to the CA certificates to validate server certificate against. If
      # not set, the host's root CA certificates are used.
      # CLI flag: -admin.client.swift.http.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Path to the client certificate, which will be used for authenticating
      # with the server. Also requires the key path to be configured.
      # CLI flag: -admin.client.swift.http.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key for the client certificate. Also requires the client
      # certificate to be configured.
      # CLI flag: -admin.client.swift.http.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -admin.client.swift.http.tls-server-name
      [tls_server_name: <string> | default = ""]

  filesystem:
    # Local filesystem storage directory.
    # CLI flag: -admin.client.filesystem.dir
    [dir: <string> | default = ""]

  alibaba:
    # Endpoint to connect to.
    # CLI flag: -admin.client.oss.endpoint
    [endpoint: <string> | default = ""]

    # Name of OSS bucket.
    # CLI flag: -admin.client.oss.bucketname
    [bucket: <string> | default = ""]

    # alibabacloud Access Key ID
    # CLI flag: -admin.client.oss.access-key-id
    [access_key_id: <string> | default = ""]

    # alibabacloud Secret Access Key
    # CLI flag: -admin.client.oss.access-key-secret
    [access_key_secret: <string> | default = ""]

  bos:
    # Name of BOS bucket.
    # CLI flag: -admin.client.bos.bucket
    [bucket: <string> | default = ""]

    # BOS endpoint to connect to.
    # CLI flag: -admin.client.bos.endpoint
    [endpoint: <string> | default = ""]

    # Baidu Cloud Engine (BCE) Access Key ID.
    # CLI flag: -admin.client.bos.access-key
    [access_key: <string> | default = ""]

    # Baidu Cloud Engine (BCE) Secret Access Key.
    # CLI flag: -admin.client.bos.secret-key
    [secret_key: <string> | default = ""]

  # Prefix for all objects stored in the backend storage. For simplicity, it may
  # only contain digits, English alphabet letters and dashes.
  # CLI flag: -admin.client.storage-prefix
  [storage_prefix: <string> | default = ""]

  # Backend storage to use. Supported backends are: s3, gcs, azure, swift,
  # filesystem, alibabacloud, bos, inmem.
  # CLI flag: -admin.client.backend
  [backend: <string> | default = ""]

  # Set a backend to use, (gcs, s3, azure). Deprecated, please use
  # '-admin.client.backend' instead.
  # CLI flag: -admin.client.backend-type
  [type: <string> | default = ""]

# If set to true, the built-in __admin__ access policy will not be active.
# CLI flag: -admin.client.disable-default-admin-policy
[disable_default_admin_policy: <boolean> | default = false]
```

### auth\_config

The `auth_config` configures the authentication type to use.


```yaml
# method for authenticating incoming HTTP requests, (trust, enterprise).
# CLI flag: -auth.type
[type: <string> | default = "enterprise"]

# requires admin level auth for the /metrics endpoint.
# CLI flag: -auth.required-for-metrics
[required_for_metrics: <boolean> | default = false]

# requires admin level auth for the /debug endpoints.
# CLI flag: -auth.required-for-debug
[required_for_debug: <boolean> | default = true]

override:
  # Override admin token. If set, this string will always be accepted as a token
  # with admin level scope.
  # CLI flag: -auth.override.token
  [token: <string> | default = ""]

  # If set, this file will be read at startup and the string from that file will
  # be used as an admin scoped token.
  # CLI flag: -auth.override.token-file
  [token_file: <string> | default = ""]

admin:
  # when set, the name of the used access policy will be passed to the backend
  # service as a header.
  # CLI flag: -auth.pass-access-policy-name
  [pass_access_policy_name: <boolean> | default = false]

  # when set, the name of the used token will be passed to the backend service
  # as a header.
  # CLI flag: -auth.pass-token-name
  [pass_token_name: <boolean> | default = false]

  # how long auth responses should be cached
  # CLI flag: -auth.cache.ttl
  [cache_ttl: <duration> | default = 10m]

  cache_refresh:
    # Whether asynchronous background refreshes are enabled.
    # CLI flag: -auth.cache.refresh.enabled
    [enabled: <boolean> | default = false]

    # Number of workers for background asynchronous refresh.
    # CLI flag: -auth.cache.refresh.concurrency
    [concurrency: <int> | default = 2]

    # Maximum number of pending background refreshes.
    # CLI flag: -auth.cache.refresh.buffer
    [buffer: <int> | default = 256]

    # Remaining time to live of an item when background refreshes may begin to
    # occur.
    # CLI flag: -auth.cache.refresh.refresh-ttl
    [refresh_ttl: <duration> | default = 3m]

    # Minimum time distance between retries if a refresh attempt fails, 0 means
    # that every subsequent get operation will result in a retry.
    # CLI flag: -auth.cache.refresh.retry-interval
    [retry_interval: <duration> | default = 30s]

  oidc:
    # JWT token issuer URL (example "https://accounts.google.com")
    # CLI flag: -auth.admin.oidc.issuer-url
    [issuer_url: <string> | default = ""]

    # claim in the JWT token containing the access policy
    # CLI flag: -auth.admin.oidc.access-policy-claim
    [access_policy_claim: <string> | default = ""]

    # regex to extract the access policy from the JWT token. The first submatch
    # of the provided regex expression will be used.
    # CLI flag: -auth.admin.oidc.access-policy-regex
    [access_policy_regex: <string> | default = ""]

    # optional audience to check in JWT token
    # CLI flag: -auth.admin.oidc.audience
    [audience: <string> | default = ""]

    # name of the access policy to use when the token doesn't contain an access
    # policy
    # CLI flag: -auth.admin.oidc.default-access-policy
    [default_access_policy: <string> | default = ""]

    # enable ADFS compatibility
    # CLI flag: -auth.admin.oidc.adfs-compatibility
    [adfs_compatibility: <boolean> | default = false]
```
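An added example, not part of the GEL documentation or code: a small Python check over a component's command line that flags risky values of the `-auth.*` flags in this section, the `-admin.client.swift.http.insecure-skip-verify` flag above, and the per-backend `-gateway.proxy.*` TLS flags described under `gateway_config`. The argument list, the token value, the file paths and the wording of the findings are constructed for illustration.

```python
import re

# -gateway.proxy.<backend>.<option>, e.g. -gateway.proxy.query-frontend.tls-enabled
PROXY_FLAG = re.compile(r"^gateway\.proxy\.([a-z-]+)\.([a-z-]+)$")
BOOL_FLAGS = {"auth.required-for-metrics", "auth.required-for-debug",
              "admin.client.swift.http.insecure-skip-verify"}
BOOL_PROXY_OPTIONS = {"enable-keepalive", "tls-enabled", "tls-insecure-skip-verify"}
WEAK_TLS_VERSIONS = {"VersionTLS10", "VersionTLS11"}
GO_TRUE = {"1", "t", "T", "true", "TRUE", "True"}  # values Go parses as true


def is_bool(name):
    m = PROXY_FLAG.match(name)
    return name in BOOL_FLAGS or bool(m and m.group(2) in BOOL_PROXY_OPTIONS)


def parse_flags(argv):
    """Parse Go-style flags: -name=value, --name=value, -name value, bare -boolflag."""
    flags, i = {}, 0
    while i < len(argv):
        arg = argv[i]
        i += 1
        if not arg.startswith("-"):
            continue
        name, sep, value = arg.lstrip("-").partition("=")
        if not sep:
            # A bare boolean flag means true; any other flag takes the next argument.
            if is_bool(name) or i >= len(argv) or argv[i].startswith("-"):
                value = "true"
            else:
                value = argv[i]
                i += 1
        flags[name] = value
    return flags


def audit(argv):
    """Return (flag, message) findings for security-relevant settings."""
    flags = parse_flags(argv)
    findings = []
    if flags.get("auth.type", "enterprise") == "trust":
        findings.append(("auth.type", "auth type is 'trust', not the default 'enterprise'"))
    if flags.get("auth.override.token"):
        findings.append(("auth.override.token",
                         "admin-scoped token on the command line is visible in the "
                         "process list; use -auth.override.token-file"))
    if "auth.required-for-debug" in flags and flags["auth.required-for-debug"] not in GO_TRUE:
        findings.append(("auth.required-for-debug",
                         "/debug endpoints no longer require admin level auth"))
    if flags.get("admin.client.swift.http.insecure-skip-verify") in GO_TRUE:
        findings.append(("admin.client.swift.http.insecure-skip-verify",
                         "Swift client accepts any certificate and hostname"))

    # Group the per-backend proxy options so they can be checked together.
    proxies = {}
    for name, value in flags.items():
        m = PROXY_FLAG.match(name)
        if m:
            proxies.setdefault(m.group(1), {})[m.group(2)] = value

    for backend, opts in sorted(proxies.items()):
        prefix = "gateway.proxy." + backend + "."
        if opts.get("tls-insecure-skip-verify") in GO_TRUE:
            findings.append((prefix + "tls-insecure-skip-verify",
                             "server certificate is not validated"))
        if opts.get("tls-min-version") in WEAK_TLS_VERSIONS:
            findings.append((prefix + "tls-min-version",
                             "minimum TLS version allows " + opts["tls-min-version"]))
        # tls-enabled "needs to be enabled when any other TLS flag is set".
        other_tls = [k for k, v in opts.items()
                     if k.startswith("tls-") and k != "tls-enabled" and v and v != "false"]
        if other_tls and opts.get("tls-enabled") not in GO_TRUE:
            findings.append((prefix + "tls-enabled",
                             "TLS options set but tls-enabled is not true; "
                             "an insecure gRPC connection is used"))
    return findings


# Constructed command line for illustration; the token is a placeholder.
SAMPLE_ARGV = [
    "-config.file=/etc/gel/config.yaml",
    "-auth.type=enterprise",
    "-auth.override.token", "EXAMPLE-NOT-A-REAL-TOKEN",
    "-auth.required-for-debug=false",
    "-gateway.proxy.distributor.url=dns:///distributor:9095",
    "-gateway.proxy.distributor.tls-ca-path=/etc/gel/ca.pem",
    "-gateway.proxy.ingester.tls-enabled",
    "-gateway.proxy.ingester.tls-min-version=VersionTLS10",
    "-gateway.proxy.ruler.tls-enabled=true",
    "-gateway.proxy.ruler.tls-insecure-skip-verify",
]

if __name__ == "__main__":
    for flag, message in audit(SAMPLE_ARGV):
        print("-" + flag + ": " + message)
```

Because CLI flags take precedence over the YAML file, a check like this covers only overrides given on the command line; values set in the file are visible through the `/config` endpoint.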

### gateway\_config

The `gateway_config` configures the gateway proxy.


```yaml
proxy:
  default:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.default.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.default.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.default.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.default.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.default.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.default.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.default.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.default.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.default.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.default.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.default.tls-min-version
    [tls_min_version: <string> | default = ""]

    # gRPC load balancing policy. Supported values: round_robin, bounded_load.
    # CLI flag: -gateway.proxy.default.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # When the gRPC load balancing policy is set to "bounded_load", the balancer
    # will attempt to not send to each backend a number of inflight requests
    # higher than the average inflight requests across all backends multiplied
    # by the overloaded factor.
    # CLI flag: -gateway.proxy.default.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.default.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.default.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.read-timeout
    [read_timeout: <duration> | default = 2m]

  admin_api:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.admin-api.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.admin-api.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.admin-api.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.admin-api.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.admin-api.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.admin-api.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.admin-api.tls-min-version
    [tls_min_version: <string> | default = ""]

    # gRPC load balancing policy. Supported values: round_robin, bounded_load.
    # CLI flag: -gateway.proxy.admin-api.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # When the gRPC load balancing policy is set to "bounded_load", the balancer
    # will attempt to not send to each backend a number of inflight requests
    # higher than the average inflight requests across all backends multiplied
    # by the overloaded factor.
    # CLI flag: -gateway.proxy.admin-api.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.admin-api.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.admin-api.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.read-timeout
    [read_timeout: <duration> | default = 2m]

  compactor:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.compactor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.compactor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.compactor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.compactor.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.compactor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.compactor.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.compactor.tls-min-version
    [tls_min_version: <string> | default = ""]

    # gRPC load balancing policy. Supported values: round_robin, bounded_load.
    # CLI flag: -gateway.proxy.compactor.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # When the gRPC load balancing policy is set to "bounded_load", the balancer
    # will attempt to not send to each backend a number of inflight requests
    # higher than the average inflight requests across all backends multiplied
    # by the overloaded factor.
    # CLI flag: -gateway.proxy.compactor.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.compactor.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.compactor.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.read-timeout
    [read_timeout: <duration> | default = 2m]

  distributor:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.distributor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.distributor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.distributor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.distributor.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.distributor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.distributor.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.distributor.tls-min-version
    [tls_min_version: <string> | default = ""]

    # gRPC load balancing policy. Supported values: round_robin, bounded_load.
    # CLI flag: -gateway.proxy.distributor.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # When the gRPC load balancing policy is set to "bounded_load", the balancer
    # will attempt to not send to each backend a number of inflight requests
    # higher than the average inflight requests across all backends multiplied
    # by the overloaded factor.
    # CLI flag: -gateway.proxy.distributor.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.distributor.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.distributor.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.read-timeout
    [read_timeout: <duration> | default = 2m]

  ingester:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ingester.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ingester.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ingester.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.ingester.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ingester.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.ingester.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.ingester.tls-min-version
    [tls_min_version: <string> | default = ""]

    # gRPC load balancing policy. Supported values: round_robin, bounded_load.
    # CLI flag: -gateway.proxy.ingester.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # When the gRPC load balancing policy is set to "bounded_load", the balancer
    # will attempt to not send to each backend a number of inflight requests
    # higher than the average inflight requests across all backends multiplied
    # by the overloaded factor.
    # CLI flag: -gateway.proxy.ingester.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.ingester.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.ingester.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.read-timeout
    [read_timeout: <duration> | default = 2m]

  query_frontend:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.query-frontend.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.query-frontend.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.query-frontend.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.query-frontend.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.query-frontend.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.query-frontend.tls-min-version
    [tls_min_version: <string> | default = ""]

    # gRPC load balancing policy. Supported values: round_robin, bounded_load.
    # CLI flag: -gateway.proxy.query-frontend.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # When the gRPC load balancing policy is set to "bounded_load", the balancer
    # will attempt to not send to each backend a number of inflight requests
    # higher than the average inflight requests across all backends multiplied
    # by the overloaded factor.
    # CLI flag: -gateway.proxy.query-frontend.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.query-frontend.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.query-frontend.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.read-timeout
    [read_timeout: <duration> | default = 2m]

  ruler:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ruler.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ruler.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the gRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ruler.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over gRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.ruler.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ruler.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.ruler.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.ruler.tls-min-version
    [tls_min_version: <string> | default = ""]

    # gRPC load balancing policy. Supported values: round_robin, bounded_load.
    # CLI flag: -gateway.proxy.ruler.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # When the gRPC load balancing policy is set to "bounded_load", the balancer
    # will attempt to not send to each backend a number of inflight requests
    # higher than the average inflight requests across all backends multiplied
    # by the overloaded factor.
    # CLI flag: -gateway.proxy.ruler.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.ruler.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.ruler.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ruler.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ruler.read-timeout
    [read_timeout: <duration> | default = 2m]

  query_scheduler:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.query-scheduler.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.query-scheduler.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the gRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.query-scheduler.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over gRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.query-scheduler.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.query-scheduler.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.query-scheduler.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.query-scheduler.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.query-scheduler.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.query-scheduler.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.query-scheduler.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.query-scheduler.tls-min-version
    [tls_min_version: <string> | default = ""]

    # gRPC load balancing policy. Supported values: round_robin, bounded_load.
    # CLI flag: -gateway.proxy.query-scheduler.grpc-load-balancing-policy
    [grpc_load_balancing_policy: <string> | default = "round_robin"]

    # When the gRPC load balancing policy is set to "bounded_load", the balancer
    # will attempt to not send to each backend a number of inflight requests
    # higher than the average inflight requests across all backends multiplied
    # by the overloaded factor.
    # CLI flag: -gateway.proxy.query-scheduler.grpc-load-balancing-overloaded-factor
    [grpc_load_balancing_overloaded_factor: <float> | default = 2]

    # gRPC client max receive message size (bytes).
    # CLI flag: -gateway.proxy.query-scheduler.grpc-max-recv-msg-size
    [grpc_max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -gateway.proxy.query-scheduler.grpc-max-send-msg-size
    [grpc_max_send_msg_size: <int> | default = 2147483647]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-scheduler.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-scheduler.read-timeout
    [read_timeout: <duration> | default = 2m]
```

### license\_config

The `license_config` configures the license validation module.

```yaml
# File path to the license JWT file.
# CLI flag: -license.path
[path: <string> | default = "./license.jwt"]

# Interval to check for new or existing licenses.
# CLI flag: -license.sync-interval
[sync_interval: <duration> | default = 1h]
```

### tokengen\_config

The `tokengen_config` configures the tokengen target.

```yaml
# The name of the access policy to generate a token for. It defaults to the
# built-in admin policy.
# CLI flag: -tokengen.access-policy
[access_policy: <string> | default = "__admin__"]

# If set, the generated token will be written to a file at the provided path in
# addition to being logged. Note that if the file already exists, it will not be
# overwritten, and tokengen will fail with an error.
# CLI flag: -tokengen.token-file
[token_file: <string> | default = ""]
```
