Accessing loki Data Source using API Key or Service Account (original) (raw)

August 30, 2023, 12:13pm 1

• What Grafana version and what operating system are you using?

Grafana Cloud, using Grafana Agent installed on a Mac Client

• What are you trying to achieve?

Using logcli or the HTTP REST API to access the Loki logs datasource
This is being provisioned using the config.yml on the device
and uses basic auth to post log data to the cloud instance

• How are you trying to achieve it?

Currently Im able to add log read permissions to the API key along with granting datasource access to enable me to run queries on the log datasource. That works fine however Im well aware that giving a API client token read and write to a datasource is not best practice and is something I only want to do in testing.

• What happened?

This enables me to get direct access to the log data posted from clients.
Id like to be able to access the datasource using a secondary account so I can remove the extra permissions added to the token. I thought perhaps a service account would be the route but it only has access to the datasource config not the data source itself from what I can see.

• What did you expect to happen?

To be able to authenticate against the datasource itself using another API Key or a service account. Is that possible?

• Can you copy/paste the configuration(s) that you are having problems with?

This is how Im currently accessing the datasource using the api key generated when the datasource was created
curl --location ‘https://logs-prod-\*\*\*.grafana.net/loki/api/v1/query\_range’
–header ‘Authorization: Basic ******’
–data-urlencode ‘query={job=“userlogs”}’

• Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
• Did you follow any online instructions? If so, what is the URL?

itlicen August 31, 2023, 3:28pm 2

Ok so I figured this out. For anyone else

In the cloud Grafana you need to create a Cloud Access Policy

Give the new policy logs read permission

Create a token for that policy

Use that token as part of the Basic Authentication in the loki api calls. This is where I was coming unstuck.
It seems you cannot use Bearer Token to connect to the Loki Data Source created by Grafana Cloud. Instead you must use basic authorization using the username found in the loki datasource and the password will be that of the newly created token

vanya June 10, 2025, 2:36pm 3

I signed up to say thank you and to ask: how can it be this is not properly mentioned in the docs? I have struggled with this for a good half an hour. Grafana has a steep learning curve but it need not be. I suggest to create a tutorial: how to set up Grafana to ingest Docker container logs with Alloy.

For other this might be helpful:

1. Configure Authentication:

• Go to the Settings tab for the data source.
• In the Basic Auth section, enter the required credentials:
  • For services like Loki, use the log tenant ID as the User.
  • Enter the Grafana Cloud token as the Password.

Source: Using an access policy token | Grafana Cloud documentation