otelcol.auth.basic
otelcol.auth.basic exposes a handler that other otelcol components can use to authenticate requests using basic authentication.
This component supports both server and client authentication.
Note
otelcol.auth.basic is a wrapper over the upstream OpenTelemetry Collector basicauth extension. Bug reports or feature requests will be redirected to the upstream repository, if necessary.
You can specify multiple otelcol.auth.basic components by giving them different labels.
Usage
otelcol.auth.basic "<LABEL>" {
  username = "<USERNAME>"
  password = "<PASSWORD>"
}
Arguments
Caution
Don’t use the top-level username and password arguments for new configurations as they are deprecated. Use the client_auth block for client authentication and the htpasswd block for server authentication instead.
You can use the following arguments with otelcol.auth.basic:
Blocks
You can use the following block with otelcol.auth.basic:
client_auth
The client_auth block configures credentials that client extensions (such as exporters) use to authenticate to servers.
Note
When you specify both the client_auth block and the deprecated top-level username and password attributes, the client_auth block takes precedence and Alloy ignores the top-level attributes for client authentication.
debug_metrics
The debug_metrics block configures the metrics that this component generates to monitor its state.
The following arguments are supported:
disable_high_cardinality_metrics is the Alloy equivalent to the telemetry.disableHighCardinalityMetrics feature gate in the OpenTelemetry Collector.
It removes attributes that could cause high cardinality metrics.
For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.
Note
If configured, disable_high_cardinality_metrics only applies to otelcol.exporter.* and otelcol.receiver.* components.
htpasswd
The htpasswd block configures how server extensions (such as receivers) authenticate incoming requests using the htpasswd format.
You can specify either file, inline, or both.
When you use inline, the format should be username:password with each user on a new line.
Note
When you specify both the htpasswd block and the deprecated top-level username and password attributes, Alloy automatically appends the deprecated credentials to the inline content. This allows authentication using credentials from both the htpasswd configuration and the deprecated attributes. If the same username appears in both the file and inline content, including appended deprecated credentials, the entry in the inline content takes precedence.
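
The merge rules in this note, modelled as an added example for auditing which credentials a receiver will accept during migration. It is not Alloy's code or the upstream extension's; the function names, sample data, the later-line-wins rule for duplicates inside one source, and the bcrypt-prefix heuristic (which also flags other hash formats) are assumptions made here.

```python
# Added example: models the htpasswd merge rules described above.
# Function names and sample data are hypothetical, not Alloy's code.

# Constructed sample input (no real credentials, not a valid hash).
SAMPLE_FILE = "alice:$2y$05$constructedPlaceholderNotARealHash\nbob:oldsecret"
SAMPLE_INLINE = "bob:newsecret"


def parse_htpasswd(text):
    """Parse 'username:password' lines into a dict, skipping blank lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, secret = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed htpasswd line: {line!r}")
        # Assumption: a later line for the same user replaces an earlier one.
        users[name] = secret
    return users


def effective_users(file_text="", inline="", username=None, password=None):
    """Return {user: (secret, source)} after applying the documented rules."""
    deprecated = None
    if username is not None:
        # Deprecated top-level credentials are appended to the inline content.
        deprecated = f"{username}:{password}"
        inline = f"{inline}\n{deprecated}" if inline else deprecated
    merged = {u: (s, "file") for u, s in parse_htpasswd(file_text).items()}
    # On a duplicate username, the inline entry overrides the file entry.
    for user, secret in parse_htpasswd(inline).items():
        source = "deprecated" if f"{user}:{secret}" == deprecated else "inline"
        merged[user] = (secret, source)
    return merged


def non_bcrypt_entries(users):
    """Heuristic: users whose secret lacks a bcrypt prefix ($2a$/$2b$/$2y$)."""
    prefixes = ("$2a$", "$2b$", "$2y$")
    return sorted(u for u, (s, _) in users.items() if not s.startswith(prefixes))


if __name__ == "__main__":
    result = effective_users(SAMPLE_FILE, SAMPLE_INLINE, "demo", "apikey")
    for user, (_, source) in sorted(result.items()):
        print(user, source)
    print("not bcrypt:", non_bcrypt_entries(result))
```

The source label on each entry shows which users still depend on the deprecated attributes or on an inline override of the file.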
Exported fields
The following fields are exported and can be referenced by other components:
Component health
otelcol.auth.basic is only reported as unhealthy if given an invalid configuration.
Debug information
otelcol.auth.basic doesn’t expose any component-specific debug information.
Examples
This section includes examples to help you configure basic authentication for exporters and receivers.
Forward signals to exporters
This example configures otelcol.exporter.otlp to use basic authentication:
otelcol.exporter.otlp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.basic.creds.handler
  }
}

otelcol.auth.basic "creds" {
  username = "demo"
  password = sys.env("API_KEY")
}
Authenticating requests for receivers
These examples show how to perform basic authentication using the client_auth block for exporters or the htpasswd block for receivers.
Use client authentication
This example configures otelcol.exporter.otlp to use basic authentication with a single username and password combination:
otelcol.receiver.otlp "example" {
  grpc {
    endpoint = "127.0.0.1:4317"
  }

  output {
    metrics = [otelcol.exporter.otlp.default.input]
    logs    = [otelcol.exporter.otlp.default.input]
    traces  = [otelcol.exporter.otlp.default.input]
  }
}

otelcol.exporter.otlp "default" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.basic.creds.handler
  }
}

otelcol.auth.basic "creds" {
  client_auth {
    username = "demo"
    password = sys.env("API_KEY")
  }
}
Note
To migrate from the deprecated username and password attributes, move them into the client_auth block for client authentication.
Use htpasswd file
This example configures otelcol.receiver.otlp to authenticate incoming requests against an htpasswd file that contains the users for basic authentication:
otelcol.receiver.otlp "example" {
  grpc {
    endpoint = "127.0.0.1:4317"
    auth     = otelcol.auth.basic.creds.handler
  }

  output {
    metrics = [otelcol.exporter.debug.default.input]
    logs    = [otelcol.exporter.debug.default.input]
    traces  = [otelcol.exporter.debug.default.input]
  }
}

otelcol.exporter.debug "default" {}

otelcol.auth.basic "creds" {
  htpasswd {
    file = "/etc/alloy/.htpasswd"
  }
}
Use htpasswd inline content
This example shows how to specify htpasswd content directly in the configuration:
otelcol.receiver.otlp "example" {
  grpc {
    endpoint = "127.0.0.1:4317"
    auth     = otelcol.auth.basic.creds.handler
  }

  output {
    metrics = [otelcol.exporter.debug.default.input]
    logs    = [otelcol.exporter.debug.default.input]
    traces  = [otelcol.exporter.debug.default.input]
  }
}

otelcol.exporter.debug "default" {}

otelcol.auth.basic "creds" {
  htpasswd {
    inline = "user1:password1\nuser2:password2"
  }
}
Note
To make the migration from the deprecated username and password attributes easier, you can specify both the deprecated attributes and the htpasswd block in the same configuration. Alloy appends the deprecated attributes to the htpasswd content.
otelcol.receiver.otlp "example" {
  grpc {
    endpoint = "127.0.0.1:4317"
    auth     = otelcol.auth.basic.creds.handler
  }

  output {
    metrics = [otelcol.exporter.debug.default.input]
    logs    = [otelcol.exporter.debug.default.input]
    traces  = [otelcol.exporter.debug.default.input]
  }
}

otelcol.exporter.debug "default" {}

otelcol.auth.basic "creds" {
  username = "demo"
  password = sys.env("API_KEY")

  htpasswd {
    file = "/etc/alloy/.htpasswd"
  }
}