There is a problem in Grafana 13.0.1 when adding a new LOKI datasource with multi-tenancy. The configured header (Header:X-Scope-OrgID,Value:) is not transferred in the health query to LOKI. In consequence LOKI responds with a “forbidden” message.
Loki is configured for multi-tenancy; in Grafana all parameters are correct. I tried to configure the datasource both in the UI and via provisioning, with the same result.
Connection and query from the command line with curl are functioning.
In this issue the problem is that when Loki is running in multitenancy mode (auth_enabled: true), the X-Scope-OrgID header must be included in every request including the health check. Grafana’s health check was not sending this header, causing Loki to reject it.
Without X-Scope-OrgID header - health check fails
The fix is to add the header via secureJsonData in your datasource provisioning yaml:

```yaml
apiVersion: 1
datasources:
  - name: Loki
    type: loki
    access: proxy
    url: "loki-gateway.grafana.svc.cluster.local"
    editable: true
    jsonData:
      # Header name is not secret, so it lives in jsonData
      httpHeaderName1: X-Scope-OrgID
    secureJsonData:
      # Header value (the tenant ID) goes in secureJsonData
      httpHeaderValue1: your-tenant-id
```
The tenant ID would be whatever your Loki tenant is named → for example production, team, org1 etc. It can be any alphanumeric string that matches what your Loki instance expects.
Using secureJsonData instead of jsonData for the header value ensures the token is encrypted and properly sent with all requests including health checks. This works in both UI configuration and provisioning yaml. The critical point is that httpHeaderValue1 must be under secureJsonData, not jsonData. If you put it under jsonData it won’t be encrypted and may not be sent correctly with the health check request.
Thanks for the hints. I have already made the correct configuration (Header and Value). I tried it both ways, provisioned and via UI. But the Header-Configuration is not transferred in the request path to Loki, as shown below.
I use the Grafana Loki core datasource. In your logs example I saw that you are using the grafana-lokiexplore-app, maybe that made the difference.
Thank you for the detailed logs.
I tested this on Grafana 13.0.1 with the core Loki datasource and multi-tenancy enabled (auth_enabled: true). The X-Scope-OrgID header is correctly sent including in the health check — datasource connects successfully.
The key clue in your logs is that you’re getting Forbidden (403), not no org id (401).

- 401 “no org id” = header is missing
- 403 Forbidden = header is present but being rejected by something

This means the problem is not Grafana -> something between Grafana and Loki (a reverse proxy, gateway, or nginx) is blocking the X-Scope-OrgID header.
Test curl directly to Loki’s port, bypassing any proxy:

```bash
# Quote the header so the name and value are passed as one -H argument
curl -H "X-Scope-OrgID: your-tenant" "loki-ip:3100/loki/api/v1/query?query=vector(1)"
```
Make sure Grafana’s Loki URL points directly to Loki not through a proxy that may block custom headers.
Make sure you are setting the tenant ID correctly via HTTP Headers:

- Header name: X-Scope-OrgID
- Header value: your-tenant-id (tenant1)
Check your provisioning YAML → make sure httpHeaderValue1 is under secureJsonData, not jsonData:

```yaml
jsonData:
  httpHeaderName1: X-Scope-OrgID
secureJsonData:
  httpHeaderValue1: your-tenant-id
```
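
The placement rule from the replies above (header name in jsonData, header value in secureJsonData) can be checked mechanically before a provisioning file is deployed. The following is an added example, not part of the thread and not Grafana's own code; `lint_datasource`, `indexed` and the sample dicts are hypothetical names, and the input is assumed to be one `datasources` entry already parsed from YAML into a dict.

```python
import re

HEADER_KEY = re.compile(r"^httpHeader(Name|Value)(\d+)$")

def indexed(section, kind):
    """Map header index -> value for httpHeader<kind><N> keys in one section."""
    out = {}
    for key, value in (section or {}).items():
        m = HEADER_KEY.match(key)
        if m and m.group(1) == kind:
            out[int(m.group(2))] = value
    return out

def lint_datasource(ds, multi_tenant=True):
    """Return findings for one parsed datasource entry (a dict)."""
    json_data, secure = ds.get("jsonData") or {}, ds.get("secureJsonData") or {}
    names = indexed(json_data, "Name")
    secure_values = indexed(secure, "Value")
    findings = []
    # Wrong indentation can nest secureJsonData inside jsonData.
    if "secureJsonData" in json_data:
        findings.append("secureJsonData is nested under jsonData")
    for idx in sorted(indexed(json_data, "Value")):
        findings.append(f"httpHeaderValue{idx} is under jsonData, not secureJsonData")
    for idx, name in sorted(names.items()):
        if idx not in secure_values:
            findings.append(f"{name} has no httpHeaderValue{idx} in secureJsonData")
    for idx in sorted(set(secure_values) - set(names)):
        findings.append(f"httpHeaderValue{idx} has no httpHeaderName{idx}")
    tenant_header = any(str(n).lower() == "x-scope-orgid" for n in names.values())
    if multi_tenant and ds.get("type") == "loki" and not tenant_header:
        findings.append("no X-Scope-OrgID header defined")
    return findings

# Constructed samples, shaped like the output of a YAML parser.
GOOD = {"name": "Loki", "type": "loki",
        "jsonData": {"httpHeaderName1": "X-Scope-OrgID"},
        "secureJsonData": {"httpHeaderValue1": "your-tenant-id"}}
PLAIN = {"name": "Loki", "type": "loki",
         "jsonData": {"httpHeaderName1": "X-Scope-OrgID",
                      "httpHeaderValue1": "your-tenant-id"}}
NESTED = {"name": "Loki", "type": "loki",
          "jsonData": {"httpHeaderName1": "X-Scope-OrgID",
                       "secureJsonData": {"httpHeaderValue1": "your-tenant-id"}}}

if __name__ == "__main__":
    for label, ds in (("good", GOOD), ("plain", PLAIN), ("nested", NESTED)):
        print(label, lint_datasource(ds) or "ok")
```

A clean result only shows the file is well-formed; whether a gateway between Grafana and Loki forwards the header still has to be checked with the direct curl test.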