Menu
General availability (GA) Open source Grafana Cloud

otelcol.auth.bearer

otelcol.auth.bearer exposes a handler that other otelcol components can use to authenticate requests using bearer token authentication.

This component supports both server and client authentication.

Note

otelcol.auth.bearer is a wrapper over the upstream OpenTelemetry Collector bearertokenauth extension. Bug reports or feature requests will be redirected to the upstream repository, if necessary.

You can specify multiple otelcol.auth.bearer components by giving them different labels.

Usage

alloy
otelcol.auth.bearer "<LABEL>" {
  token = "<TOKEN>"
}

Arguments

You can use the following arguments with otelcol.auth.bearer:

NameTypeDescriptionDefaultRequired
tokensecretBearer token to use for authenticating requests.yes
headerstringSpecifies the auth header name."Authorization"no
schemestringAuthentication scheme name."Bearer"no

When sending the token, the value of scheme is prepended to the token value. The string is then sent out as either a header for HTTP or as metadata for gRPC.

If you use a file to store the token, you can use local.file to retrieve the token value from the file.

Blocks

You can use the following block with otelcol.auth.bearer:

BlockDescriptionRequired
debug_metricsConfigures the metrics that this component generates to monitor its state.no

debug_metrics

The debug_metrics block configures the metrics that this component generates to monitor its state.

The following arguments are supported:

NameTypeDescriptionDefaultRequired
disable_high_cardinality_metricsbooleanWhether to disable certain high cardinality metrics.trueno

disable_high_cardinality_metrics is the Alloy equivalent to the telemetry.disableHighCardinalityMetrics feature gate in the OpenTelemetry Collector. It removes attributes that could cause high cardinality metrics. For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.

Note

If configured, disable_high_cardinality_metrics only applies to otelcol.exporter.* and otelcol.receiver.* components.

Exported fields

The following fields are exported and can be referenced by other components:

NameTypeDescription
handlercapsule(otelcol.Handler)A value that other components can use to authenticate requests.

Component health

otelcol.auth.bearer is only reported as unhealthy if given an invalid configuration.

Debug information

otelcol.auth.bearer doesn’t expose any component-specific debug information.

Examples

Default scheme via gRPC transport

The following example configures otelcol.exporter.otlp to use a bearer token authentication.

If you assume that the value of the API_KEY environment variable is SECRET_API_KEY, then the Authorization RPC metadata is set to Bearer SECRET_API_KEY.

alloy
otelcol.exporter.otlp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.bearer.creds.handler
  }
}

otelcol.auth.bearer "creds" {
  token = sys.env("<API_KEY>")
}

Custom scheme via HTTP transport

The following example configures otelcol.exporter.otlphttp to use a bearer token authentication.

If you assume that the value of the API_KEY environment variable is SECRET_API_KEY, then the Authorization HTTP header is set to MyScheme SECRET_API_KEY.

alloy
otelcol.exporter.otlphttp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.bearer.creds.handler
  }
}

otelcol.auth.bearer "creds" {
  token = sys.env("<API_KEY>")
  scheme = "MyScheme"
}