Skip to content

feat(vector): add token authentication to the gRPC source and sink#25671

Open
stigglor wants to merge 1 commit into
vectordotdev:masterfrom
stigglor:2017-vector-auth-website
Open

feat(vector): add token authentication to the gRPC source and sink#25671
stigglor wants to merge 1 commit into
vectordotdev:masterfrom
stigglor:2017-vector-auth-website

Conversation

@stigglor

@stigglor stigglor commented Jun 24, 2026
edited
Loading

Copy link
Copy Markdown

Summary

Adds an optional auth setting on both components, supporting the bearer, basic, and custom strategies via a new VectorAuthConfig type that reuses the existing HTTP auth header logic.

The sink sends the credentials on every request, including the health check. The source validates incoming requests with a tonic interceptor using a constant time comparison, and rejects mismatches with an Unauthenticated status. The standard gRPC health service stays open so liveness probes do not need credentials. The token is a normal config value, so it can come from a secrets backend with SECRET[...].

Vector configuration

How did you test this PR?

The bearer-token auth was verified at two levels. Automated: unit tests for the source covering a matching token auth_roundtrip, a missing token, and a wrong token, both rejected with Unauthenticated, plus a constant-time-compare test and an http test confirming VectorAuthConfig produces the right Authorization header for bearer/basic/custom.
End-to-end: a single live vector process wired as demo_logs → vector sink → vector source → console, where matching tokens delivered all 5 events to the console, and a mismatched token produced zero delivered events with the source returning Unauthenticated: "Valid authorization token required.", a failed healthcheck, and the request correctly dropped as non-retriable.

Change Type

  • Bug fix
  • New feature
  • Dependencies
  • Non-functional (chore, refactoring, docs)
  • Performance

Is this a breaking change?

  • Yes
  • No

Does this PR include user facing changes?

  • Yes. Please add a changelog fragment based on our guidelines.
  • No. A maintainer will apply the no-changelog label to this PR.

References

Closes #2017

@stigglor
feat(vector): add token authentication to the gRPC source and sink
4a01bc9 
Adds an optional auth setting on both components, supporting the bearer,
basic, and custom strategies via a new VectorAuthConfig type that reuses
the existing HTTP auth header logic.

The sink sends the credentials on every request, including the health
check. The source validates incoming requests with a tonic interceptor
using a constant time comparison, and rejects mismatches with an
Unauthenticated status. The standard gRPC health service stays open so
liveness probes do not need credentials. The token is a normal config
value, so it can come from a secrets backend with SECRET[...].

Closes vectordotdev#2017
@stigglor stigglor requested review from a team as code owners June 24, 2026 05:27
@github-actions github-actions Bot added docs review on hold The documentation team reviews PRs only after a PR is approved by the COSE team. domain: sources Anything related to the Vector's sources domain: sinks Anything related to the Vector's sinks domain: external docs Anything related to Vector's external, public documentation and removed docs review on hold The documentation team reviews PRs only after a PR is approved by the COSE team. labels Jun 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

domain: external docs Anything related to Vector's external, public documentation domain: sinks Anything related to the Vector's sinks domain: sources Anything related to the Vector's sources

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Auth between Vectors

1 participant

@stigglor