Grafana Cloud

Access and permissions for Grafana Alloy

Grafana Alloy collects telemetry from hosts, containers, and APIs, then forwards it to observability backends. That telemetry collection requires read access to logs, process data, and cluster resources, plus credentials for remote write and similar endpoints. Your configuration determines which permissions Alloy needs, and your deployment platform determines how you enforce them.

The following settings are common permission options. Not every item applies to every configuration or platform. Use only what matches your components and environment.

  1. When your components allow it, run Alloy as a non-root user on Linux or Kubernetes, or as a dedicated service account on Windows.
  2. If you don’t need remote access to the UI or /metrics, restrict the HTTP server to 127.0.0.1 or a private network address with the http block.
  3. When you expose the HTTP server beyond localhost, enable TLS with the http block.
  4. Use TLS for outbound connections. Refer to the component you’re configuring, for example prometheus.remote_write for remote write and otelcol.exporter.otlp for OTLP.
  5. Avoid insecure_skip_verify = true in production. Refer to the TLS settings in the component reference, for example prometheus.remote_write.
  6. Store credentials outside configuration files when you can. Refer to Types and values.
  7. On Kubernetes, set RBAC to the permissions your configuration uses. Refer to Access and permissions on Kubernetes.
  8. For container deployments, set readOnlyRootFilesystem: true when your volume mounts and components allow it. Refer to Access and permissions on Kubernetes.
  9. For container deployments, set allowPrivilegeEscalation: false when your components don’t need privilege escalation. Refer to Access and permissions on Kubernetes.
  10. Use a dedicated Alloy instance for components that require elevated access, for example beyla.ebpf and pyroscope.ebpf. Refer to each component reference for required capabilities and privileges.
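As an added example (not configuration from the Alloy documentation or project), the following Alloy configuration puts items 3 through 6 together: TLS on the inbound HTTP server, a remote write endpoint that verifies the backend certificate instead of setting insecure_skip_verify = true, and a password read from a file marked as a secret rather than written into the configuration. The endpoint URL, file paths, and environment variable name are assumed placeholders.

```alloy
// Item 3: serve the UI, API, and /metrics over TLS when the listener is
// reachable beyond localhost. File paths are assumed placeholders.
http {
  tls {
    cert_file        = "/etc/alloy/tls/server.crt"
    key_file         = "/etc/alloy/tls/server.key"
    // Require a client certificate signed by this CA, so only trusted
    // clients can reach the UI and /metrics.
    client_ca_file   = "/etc/alloy/tls/client-ca.crt"
    client_auth_type = "RequireAndVerifyClientCert"
  }
}

// Item 6: read the remote write password from a file outside the
// configuration. is_secret = true marks the exported content as a secret,
// so the UI and component exports redact it.
local.file "remote_write_password" {
  filename  = "/etc/alloy/secrets/remote-write-password"
  is_secret = true
}

// Items 4 and 5: remote write over HTTPS with certificate verification on.
prometheus.remote_write "hardened" {
  endpoint {
    url = "https://prometheus.example.invalid/api/prom/push" // assumed URL

    basic_auth {
      username = sys.env("REMOTE_WRITE_USERNAME") // assumed variable name
      password = local.file.remote_write_password.content
    }

    tls_config {
      // Trust the CA that signed the backend's certificate instead of
      // disabling verification with insecure_skip_verify = true.
      ca_file              = "/etc/alloy/tls/backend-ca.crt"
      insecure_skip_verify = false
    }
  }
}
```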

Process identity and privilege

Create a dedicated service account or user on your deployment platform:

  • Linux: systemd service, file permissions, and the alloy user
  • Kubernetes: securityContext, non-root UID, and RBAC
  • Windows: service accounts, Windows security groups, and filesystem ACLs

Network exposure

Alloy runs an HTTP server for its UI, API, and /metrics endpoint. The binary binds to 127.0.0.1:12345 by default, which limits exposure to the local machine. The Grafana Helm chart sets alloy.listenAddr to 0.0.0.0 by default so other Pods can reach the container on port 12345. Review what you expose before you change either default.

Secrets and credentials

You can load secrets at runtime through several patterns:

For secret-typed values at runtime and protection from exposure in the UI and component exports, refer to Types and values.