Use label-based access control with access policies
Label-based access control (LBAC) lets you create access policies that restrict queries to the metrics or logs data that meet specific label requirements. You can associate multiple sets of Prometheus label selectors with a policy, and queries return only data that matches at least one of the provided selectors. This corresponds to disjunctive normal form, which allows you to express any required policy.
Label selectors for access policies can only be used with read permission for metrics and logs.
Label selectors can be configured using the Grafana Cloud Access Policies API or the plugin.
Set up a label selector policy
Label selectors are set when you create or modify an access policy.
- Click the Create access policy button.
- Fill in the Display name field with the access policy name.
- Select the logs:read and/or metrics:read scope.
- Click the Add label selector button and add a label selector.
- Click the Create button.
Exclude a label
One common use case for creating an LBAC policy is to exclude logs or metrics that have a specific label. For example, you can create a label policy that excludes all log lines with the label secret=true by adding a selector with secret!="true" when you create an access policy.

Use multiple selectors
To create a policy that allows someone to access the production and development environments and excludes logs and/or metrics with the label secret=true in the production environment, use multiple selectors.
{secret!="true", env="prod"} and {env="dev"} enforce the policy:
- The selector {secret!="true", env="prod"} matches and returns log and metrics lines from the production environment that do not have the secret: true label.
- The selector {env="dev"} matches and returns log and metrics lines from the development environment, even if they have the secret: true label.
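The evaluation described above, as an added example that is not Grafana's code: a small Python model that applies a policy's selectors to label sets, ORing the selectors and ANDing the matchers inside each one. The label sets are constructed samples, the function names are hypothetical, and the parser assumes quoted values without commas or escapes, with Python's re standing in for Prometheus regex matching.

```python
import re

# One matcher: label name, operator, double-quoted value (no escape handling).
MATCHER = re.compile(r'\s*([A-Za-z_]\w*)\s*(=~|!~|!=|=)\s*"([^"]*)"\s*')

def parse_selector(selector):
    """Parse '{a="b", c!="d"}' into a list of (label, op, value) matchers."""
    text = selector.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError(f"not a label selector: {selector!r}")
    matchers = []
    for part in text[1:-1].split(","):
        m = MATCHER.fullmatch(part)
        if m is None:
            raise ValueError(f"bad matcher {part!r} in {selector!r}")
        matchers.append(m.groups())
    return matchers

def matcher_ok(labels, label, op, value):
    actual = labels.get(label, "")  # Prometheus treats a missing label as ""
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    hit = re.fullmatch(value, actual) is not None  # regex matchers are anchored
    return hit if op == "=~" else not hit

def allowed(policy, labels):
    """Disjunctive normal form: any selector may match, all its matchers must."""
    return any(all(matcher_ok(labels, *m) for m in parse_selector(s)) for s in policy)

def visible(policy, streams):
    return [s for s in streams if allowed(policy, s)]

POLICY = ['{secret!="true", env="prod"}', '{env="dev"}']
STREAMS = [  # constructed sample label sets
    {"env": "prod", "app": "api"},        # no secret label at all
    {"env": "prod", "secret": "true"},
    {"env": "dev", "secret": "true"},
    {"env": "staging"},
    {"env": "prod", "secret": "false"},
]

if __name__ == "__main__":
    for s in STREAMS:
        print("ALLOW" if allowed(POLICY, s) else "DENY ", s)
```

Running it shows two things worth checking in a real policy: secret!="true" also admits data that carries no secret label, and data matching none of the selectors (env="staging" here) is not returned.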