How to configure alloy basic_auth section with encrypted password

Hi, I want to configure alloy client such that it sends logs to loki with authentication. I am trying to configure “basic_auth” in alloy config. I can configure with username/password configuration option. However I don’t want password to be in cleartext in the config file. I am seeking possible guidance on encrypting password in alloy configuration file. Thanks in advance.

Hello! You have multiple options:

Hi @paulintodev Thanks for quick response. I am running alloy inside docker container. I want to simply encrypt password (even if it is base64 encoded, I am okay). I am not using vault any anything similar. So I am left with one option i.e. local.file. Please guide further. Meanwhile I am trying to figure out how not to store password in clear text format, I will update. Thanks once again for sparing your valuable time.

Based on your direction, I tried searching perplexity & found below code which I am going to try:

# Import necessary libraries for Base64 encoding/decoding
import "encoding/base64"

# Define the local.file component to read the encrypted password
local.file "encrypted_password" {
  filename  = "/var/secrets/encrypted_password.txt"  # Path to the encrypted password file
  is_secret = true                                     # Mark as secret
}

# Function to decrypt the password using Base64 decoding
function decrypt_password(encrypted_content) {
  # Decode the Base64 encoded content
  return base64.decode(encrypted_content)
}

# Use the decrypted password in your application configuration
local.decrypted_password = decrypt_password(local.encrypted_password.content)

# Example usage of the decrypted password in a data source configuration
datasource "my_data_source" {
  type     = "mysql"                                  # Example data source type
  host     = "database.example.com"                   # Database host
  username = "my_user"                                # Database username
  password = local.decrypted_password                 # Use the decrypted password
}

as expected it failed. As next step I am trying to follow contents from below link:

First components and the standard library in Grafana Alloy | Grafana Alloy documentation → “An example pipeline” section.

I believe we can close this thread.

I used password_file option as local.file "encrypted_password" based configuration didn’t work for me. Closing this thread.