Securing Prometheus API and UI endpoints using basic auth
Prometheus supports basic authentication (aka “basic auth”) for connections to the Prometheus expression browser and HTTP API.
NOTE: This tutorial covers basic auth connections to Prometheus instances. Basic auth is also supported for connections from Prometheus instances to scrape targets.
Hashing a password
Let’s say that you want to require a username and password from all users accessing the Prometheus instance. For this example, use admin
as the username and choose any password you’d like.
First, generate a bcrypt hash of the password. To generate a hashed password, we will use python3-bcrypt.
Let’s install it by running apt install python3-bcrypt
, assuming you are running a debian-like distribution. Other alternatives exist to generate hashed passwords; for testing you can also use bcrypt generators on the web.
Here is a python script which uses python3-bcrypt to prompt for a password and hash it:
import getpass
import bcrypt
password = getpass.getpass("password: ")
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())
Save that script as gen-pass.py
and run it:
$ python3 gen-pass.py
That should prompt you for a password:
password:
$2b$12$hNf2lSsxfm0.i4a.1kVpSOVyBCfIB51VRjgBUyv6kdnyTlgWj81Ay
In this example, I used “test” as password.
Save that password somewhere, we will use it in the next steps!
Creating web.yml
Let’s create a web.yml file (documentation), with the following content:
basic_auth_users:
admin: $2b$12$hNf2lSsxfm0.i4a.1kVpSOVyBCfIB51VRjgBUyv6kdnyTlgWj81Ay
You can validate that file with promtool check web-config web.yml
$ promtool check web-config web.yml
web.yml SUCCESS
You can add multiple users to the file.
Launching Prometheus
You can launch prometheus with the web configuration file as follows:
$ prometheus --web.config.file=web.yml
Testing
You can use cURL to interact with your setup. Try this request:
curl --head http://localhost:9090/graph
This will return a 401 Unauthorized
response because you’ve failed to supply a valid username and password.
To successfully access Prometheus endpoints using basic auth, for example the /metrics
endpoint, supply the proper username using the -u
flag and supply the password when prompted:
curl -u admin http://localhost:9090/metrics
Enter host password for user 'admin':
That should return Prometheus metrics output, which should look something like this:
# HELP go_gc_duration_seconds A summary of the GC invocation durations.
# TYPE go_gc_duration_seconds summary
go_gc_duration_seconds{quantile="0"} 0.0001343
go_gc_duration_seconds{quantile="0.25"} 0.0002032
go_gc_duration_seconds{quantile="0.5"} 0.0004485
...
Summary
In this guide, you stored a username and a hashed password in a web.yml
file, launched prometheus with the parameter required to use the credentials in that file to authenticate users accessing Prometheus’ HTTP endpoints.