--- title: "Configure Loki query limit policies | Grafana Cloud documentation" description: "Configure query limit policies for Grafana Cloud Logs to control how users query your Loki data." --- # Configure Loki query limit policies > Note > > Loki query limit policies is currently in [public preview](/docs/release-life-cycle/). Grafana Labs offers limited support, and breaking changes might occur prior to the feature being made generally available. > Note > > This feature is disabled by default. Contact Grafana Support to enable query limit policies using the `lokiQueryLimitsContext` feature flag. Loki query limit policies provide fine-grained control over how users query your Grafana Cloud Logs data. You can configure these policies as attributes on [access policies](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/) to limit query result sizes. When a query exceeds a configured limit, users receive meaningful error messages that explain why the query was rejected and how to adjust it. ## How query limit policies work Query limit policies are applied as `lokiQueryPolicy` attributes on access policies. When a user makes a request using a token associated with an access policy that has query limits configured, Loki validates the entire time period of the query against those limits before execution. Query limit policies are not enforced for Loki managed or Grafana managed alerts. > Note > > Controls are applied per query, at a global level, not at a per user level. ### Use cases Use Loki query limit policies to: - Prevent expensive queries that could impact system stability - Control the volume of data returned by queries ## Available controls The following table describes the available query limit controls, their valid values, and the error messages users see when limits are exceeded. Expand table | Configuration key | Description | Valid values | Error message | |---------------------|--------------------------------------------|----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `maxQueryBytesRead` | Limits the amount of data a query can read | Byte size (for example, `200MB`) | `query too large to execute on a single querier: (query: %s, limit: %s); consider adding more specific stream selectors, reduce the time range of the query, or adjust parallelization settings` | ## Before you begin Before you configure query limit policies, ensure you have: - An API token with `accesspolicies:read` and `accesspolicies:write` scopes - The stack ID for your Grafana Cloud stack For more information about using the Grafana Cloud API, refer to the [Cloud API documentation](/docs/grafana-cloud/developer-resources/api-reference/cloud-api/). ### Create an API token with the required scopes To manage Loki query limit policies using the API, you need a token with permissions to read and write access policies. To create an API token with the required scopes: 01. Sign in to your Grafana Cloud account at [Grafana Cloud](/). 02. Select your organization from the dropdown at the top of the page. 03. In the left navigation menu, under **Security**, select **Access Policies**. 04. Click **Create access policy**. 05. Enter a **Display name** for the access policy (for example, `Manage Access Policies`). 06. From the **Realm** dropdown, select your organization or the specific stack you want to manage. 07. Under **Scopes**, select the following permissions: - **Access Policies: Read** (`accesspolicies:read`) - **Access Policies: Create and edit** (`accesspolicies:write`) If you don’t see these scopes, click **Add scope** and search for them. 08. Click **Create** to save the access policy. 09. On the access policy details page, click **Add token**. 10. Enter a **Display name** for the token. 11. Optionally, set an **Expiration date** for the token. 12. Click **Create**. 13. Copy the generated token and store it securely. > Warning > > The token is only displayed once. Copy and save it in a secure location, such as a password manager. For more information about creating access policies and tokens, refer to [Create access policies and tokens](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/create-access-policies/). ### Find your stack ID To find your Grafana Cloud stack ID: 1. Sign in to your Grafana Cloud account at [Grafana Cloud](/). 2. Select your organization from the menu at the top of the page. 3. In the left navigation menu, click **Stacks**. 4. Locate your stack and note the **ID** value displayed in the stack details. ## List access policies To view your current access policies and their query limit configurations, run the following command: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash curl --location "https://grafana.com/api/v1/accesspolicies?region=" \ --header "Authorization: Bearer $GRAFANA_TOKEN" \ --header "Accept: application/json" \ | jq ``` Replace `` with your Grafana Cloud region (for example, `us`, `eu`, or `au`). ## Create an access policy with Loki query limits To create a new access policy with Loki query limit controls: 1. Set your API token as an environment variable: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash export GRAFANA_TOKEN= ``` 2. Run the following command to create the access policy: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash curl --location --request POST 'https://grafana.com/api/v1/accesspolicies?region=' \ --header "Authorization: Bearer $GRAFANA_TOKEN" \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "my-access-policy", "displayName": "My Access Policy", "scopes": [ "logs:read" ], "realms": [{ "type": "stack", "identifier": "" }], "attributes": { "lokiQueryPolicy": { "maxQueryBytesRead": "500MB" } } }' ``` Replace: - `` with your Grafana Cloud region - `` with your stack identifier ## Modify a Loki query limit policy To update the query limits on an existing access policy: 1. Obtain the access policy ID from the list of access policies. 2. Run the following command to update the policy: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash curl --location --request POST 'https://grafana.com/api/v1/accesspolicies/?region=' \ --header "Authorization: Bearer $GRAFANA_TOKEN" \ --header 'Content-Type: application/json' \ --data-raw '{ "attributes": { "lokiQueryPolicy": { "maxQueryBytesRead": "1GB" } } }' ``` Replace: - `` with the ID of the access policy to update - `` with your Grafana Cloud region > Note > > Because policies are cached, it can take up to fifteen minutes for changes to become active. ## Remove a Loki query limit from an access policy To remove a specific query limit from an access policy, set the limit value to `null`: Bash ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```bash curl --location --request POST 'https://grafana.com/api/v1/accesspolicies/?region=' \ --header "Authorization: Bearer $GRAFANA_TOKEN" \ --header 'Content-Type: application/json' \ --data-raw '{ "attributes": { "lokiQueryPolicy": { "maxQueryBytesRead": null } } }' ``` This removes the `maxQueryBytesRead` limit while leaving other configured limits in place.