Securing Prometheus API and UI endpoints using basic auth

Prometheus supports basic authentication (aka “basic auth”) for connections to the Prometheus expression browser and HTTP API.

NOTE: This tutorial covers basic auth connections to Prometheus instances. Basic auth is also supported for connections from Prometheus instances to scrape targets.

Hashing a password

Let’s say that you want to require a username and password from all users accessing the Prometheus instance. For this example, use admin as the username and choose any password you’d like.

First, generate a bcrypt hash of the password. To generate a hashed password, we will use python3-bcrypt.

Let’s install it by running apt install python3-bcrypt, assuming you are running a Debian-like distribution. Other alternatives exist to generate hashed passwords; for testing you can also use bcrypt generators on the web.

Here is a Python script which uses python3-bcrypt to prompt for a password and hash it:

    import getpass
    import bcrypt

    # Read the password without echoing it to the terminal
    password = getpass.getpass("password: ")
    # Hash it with a freshly generated salt
    hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
    print(hashed_password.decode())

Save that script as gen-pass.py and run it:

    $ python3 gen-pass.py

That should prompt you for a password:

    password:
    $2b$12$hNf2lSsxfm0.i4a.1kVpSOVyBCfIB51VRjgBUyv6kdnyTlgWj81Ay

In this example, I used “test” as the password.

Save that hashed password somewhere; we will use it in the next steps!

Creating web.yml

Let’s create a web.yml file (documentation), with the following content:

    basic_auth_users:
      admin: $2b$12$hNf2lSsxfm0.i4a.1kVpSOVyBCfIB51VRjgBUyv6kdnyTlgWj81Ay

You can validate that file with promtool check web-config web.yml:

    $ promtool check web-config web.yml
    web.yml SUCCESS

You can add multiple users to the file.
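
A pre-deployment check for the basic_auth_users mapping, added here as an example (it is not part of the Prometheus documentation or tooling): it flags values that are not well-formed bcrypt strings, such as a plaintext password pasted in by mistake, and hashes below a cost threshold. The reader handles only the flat layout shown above; MIN_COST and the users alice and bob are assumptions made for the example.

```python
import re

# bcrypt string layout: $2a$/$2b$/$2y$, two-digit cost, then 22 salt + 31 digest chars
BCRYPT_RE = re.compile(r"\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}")
MIN_COST = 10  # assumed local policy threshold, not a Prometheus setting

def parse_basic_auth_users(text):
    """Read the flat basic_auth_users mapping used in this tutorial.
    Minimal reader for that layout only, not a general YAML parser."""
    users, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():          # a top-level key starts or ends the block
            in_block = line == "basic_auth_users:"
        elif in_block:
            name, _, value = line.partition(":")
            users[name.strip()] = value.strip().strip("'\"")
    return users

def audit(users, min_cost=MIN_COST):
    """Return {username: problem} for entries that should not be deployed."""
    findings = {}
    for name, value in users.items():
        m = BCRYPT_RE.fullmatch(value)
        if m is None:
            findings[name] = "not a well-formed bcrypt hash (plaintext or truncated?)"
        elif not 4 <= int(m.group(1)) <= 31:
            findings[name] = f"bcrypt cost {m.group(1)} outside the valid range 04-31"
        elif int(m.group(1)) < min_cost:
            findings[name] = f"bcrypt cost {m.group(1)} is below the minimum {min_cost}"
    return findings

# Constructed sample: admin uses the hash from this page; alice and bob are
# hypothetical users, and bob's value is a filler string, not a real hash.
SAMPLE_WEB_YML = (
    "basic_auth_users:\n"
    "  admin: $2b$12$hNf2lSsxfm0.i4a.1kVpSOVyBCfIB51VRjgBUyv6kdnyTlgWj81Ay\n"
    "  alice: hunter2\n"
    "  bob: $2b$04$" + "x" * 53 + "\n"
)

if __name__ == "__main__":
    for user, problem in audit(parse_basic_auth_users(SAMPLE_WEB_YML)).items():
        print(f"{user}: {problem}")
```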

Launching Prometheus

You can launch prometheus with the web configuration file as follows:

    $ prometheus --web.config.file=web.yml

Testing

You can use cURL to interact with your setup. Try this request:

    curl --head http://localhost:9090/graph

This will return a 401 Unauthorized response because you’ve failed to supply a valid username and password.

To successfully access Prometheus endpoints using basic auth, for example the /metrics endpoint, supply the proper username using the -u flag and supply the password when prompted:

    curl -u admin http://localhost:9090/metrics
    Enter host password for user 'admin':

That should return Prometheus metrics output, which should look something like this:

    # HELP go_gc_duration_seconds A summary of the GC invocation durations.
    # TYPE go_gc_duration_seconds summary
    go_gc_duration_seconds{quantile="0"} 0.0001343
    go_gc_duration_seconds{quantile="0.25"} 0.0002032
    go_gc_duration_seconds{quantile="0.5"} 0.0004485
    ...

Summary

In this guide, you stored a username and a hashed password in a web.yml file, and launched Prometheus with the parameter required to use the credentials in that file to authenticate users accessing Prometheus’ HTTP endpoints.
