Access tokens and policies

Access tokens

Access tokens allow collectors to authenticate with Fleet Management. You’ll create one and add it to your collector configuration.

How it works

| Concept | What it is |
| --- | --- |
| Access policy | Defines what read/write permissions a token has |
| Access token | The credential generated from a policy |

Required scopes

| Scope | Purpose |
| --- | --- |
| set:alloy-data-write | Lets Alloy collectors register, report health, and receive remote configurations |
| set:otel-data-write | Lets OpenTelemetry collectors register, report health, and receive remote configurations |

Where the token goes

remotecfg {
    url = "https://fleet-management-<CLUSTER>.grafana.net/"
    basic_auth {
        username = "<INSTANCE_ID>"
        password = "<YOUR_ACCESS_TOKEN>"  // ← token goes here
    }
}

In the learning path, you’ll create an access token and use it to register your Alloy collector.

Script

Before you can register a collector with Fleet Management, you need an access token. This is how the collector proves it’s allowed to connect to your Grafana Cloud account.

An access policy defines what permissions a token has: what it can read, what it can write, what services it can access. An access token is a credential generated from that policy. Think of it like a keycard—the policy says “this card opens the Fleet Management door,” and the token is the actual card you carry.

For Fleet Management, you’ll create an access policy with the “set:alloy-data-write” or “set:otel-data-write” scopes. These permissions let the collector register itself, report health data, and receive remote configurations. Then you’ll generate a token from that policy.

You’ll add this token to the remotecfg block in your configuration. When the collector starts, it uses the token to authenticate with Fleet Management and register itself in your inventory.
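Because the token sits in the remotecfg block, a configuration file with a pasted token is itself a credential. The following is an added example, not part of the original slide or Grafana's own code: a Python check that flags a remotecfg block whose basic_auth password is a quoted literal rather than a reference such as sys.env(...). The sample configs and the variable name FLEET_TOKEN are constructed, and the parser assumes one statement per line with // comments only.

```python
import re

# Constructed sample: a literal token in the block layout the slide shows.
HARDCODED = '''
remotecfg {
    url = "https://fleet-management-<CLUSTER>.grafana.net/"
    basic_auth {
        username = "<INSTANCE_ID>"
        password = "constructed-token-value"  // token goes here
    }
}
'''
# Same block, token read from the environment (FLEET_TOKEN is a hypothetical name).
FROM_ENV = HARDCODED.replace('"constructed-token-value"', 'sys.env("FLEET_TOKEN")')

BLOCK_OPEN = re.compile(r'^\s*([\w.]+)(?:\s+"[^"]*")?\s*\{\s*$')
ATTRIBUTE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

def strip_comment(line):
    """Drop a trailing // comment, ignoring // inside a double-quoted string."""
    in_string, i = False, 0
    while i < len(line):
        if in_string and line[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if line[i] == '"':
            in_string = not in_string
        elif not in_string and line.startswith("//", i):
            return line[:i]
        i += 1
    return line

def literal_token_lines(config_text):
    """Line numbers where remotecfg > basic_auth > password is a quoted literal."""
    stack, findings = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = strip_comment(raw).rstrip()
        opened = BLOCK_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
        elif line.strip() == "}":
            if stack:
                stack.pop()
        else:
            attr = ATTRIBUTE.match(line)
            if (attr and stack == ["remotecfg", "basic_auth"]
                    and attr.group(1) == "password" and attr.group(2).startswith('"')):
                findings.append(lineno)
    return findings
```

Run over configuration files before they are committed or baked into an image, a non-empty result means the token would travel with the file.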

In the learning path, you’ll create this token and use it to register an Alloy collector. For now, just understand that access tokens are how collectors securely connect to Fleet Management.