Grafana Loki HTTP API > Custom authentication


I am writing a Java program to query logs through the Grafana Loki HTTP API.

All good so far, but since different users are supposed to use this program, I’m looking for a custom authentication method to ensure no one outside of our organisation gets access.

Currently the API token which is generated from Grafana Admin Panel is a Global one, and we cannot really rely just on this for the authentication of all different users.

What I am looking for is some kind of “personalised token” so that every user (even non-Admins) can create on their own and use.
Or any another method which you can think ensures that every user is properly authenticated when accessing Grafana Loki through the HTTP API.

Thank you very much for reading and assisting
Best regards,

I assume you are already configuring Loki with auth_enabled: true, which enables multi-tenant mode. And you probably already realize that Loki doesn’t actually do authentication (see Authentication | Grafana Loki documentation).

This is what we do in our environment. We have 7 organizations defined in Loki, and we create a set of API users for each of them (depending on use case, these can be for generic use from Grafana, or for log agents from organization AWS accounts). We have Nginx in front of both Loki read path and write path, and authentication happens on the Nginx server in the form of basic auth. And as the API users authenticate successfully the org header is then appended to the request before being forwarded to Loki. On Grafana we have similar set of organizations defined, and each of them has access to only their own organization in Loki through the API user, and with oauth and group mapping authorization is provided to end user. No one except the operators have access to Loki, they must go through Grafana, which enforces oauth + organizational separation.

If you need to provide direct access to Loki to end users as well, you can potentially configure nginx to use oauth (or whatever authentication mechanism you use), and map groups to org id header. I haven’t tried this before, but I think it would work.

I had a similar discussion with someone else a while ago, might be something useful in there as well: Roadmap - Loki in Multi user enviroment - #6 by christinevonschrott1