black box exporter basic auth


rightleftowizk

Apr 24, 2020, 4:03:21 PM
to Prometheus Users
Hi,

I am using basic auth in Prometheus black box exporter yml files. 

        basic_auth:
          username: username
          password: password123

Is there a way to avoid a clear text password, some way to hash it out, etc.? Please help. I am in a prod environment so I need to strictly avoid clear text passwords.

Brian Candler

Apr 24, 2020, 4:36:18 PM
to Prometheus Users
This has been discussed before.

Anything you can use to obfuscate the password, in a way that prometheus itself could unobfuscate it at startup, would also be usable by an attacker who has root access to the system.

The best I can offer is to have the entire config file gpg-encrypted, decrypt it into a RAMdisk (an operator has to type the passphrase), start prometheus, and delete the ramdisk.  This would have to be done every time you want to change the prometheus config.

You can't store the passphrase anywhere *on* the system, because obviously, anyone who has root access to that system would also be able to access it.

But you probably need to think a bit more about your threat model.  If an untrusted user has root access to your prometheus server, then losing the basic auth credentials to scrape another node is probably the least of your worries.
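The decrypt-to-RAM procedure from the reply above, as an added sketch that is not part of the original thread. The function name, the `RAMDIR`, `DECRYPT`, `SETTLE_SECONDS` and `DAEMON_PID` variables, and the example path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: start_with_decrypted_config,
# RAMDIR, DECRYPT, SETTLE_SECONDS, DAEMON_PID.
#
# Usage: start_with_decrypted_config ENCRYPTED_CONFIG COMMAND [ARGS...]
#   e.g. start_with_decrypted_config /etc/prometheus/prometheus.yml.gpg prometheus
#   (constructed path). COMMAND must accept --config.file=PATH, as prometheus
#   and blackbox_exporter do.

start_with_decrypted_config() {
    enc=$1; shift
    ramdir=${RAMDIR:-/dev/shm}          # assumed to be a tmpfs (RAM-backed) mount
    old_umask=$(umask)
    umask 077                           # plaintext readable by the invoking user only
    workdir=$(mktemp -d "$ramdir/cfg.XXXXXX") || { umask "$old_umask"; return 1; }
    plain=$workdir/config.yml

    # gpg asks the operator for the passphrase; it is never stored on the host.
    # DECRYPT is unquoted on purpose so "gpg --quiet --decrypt" splits into words.
    if ! ${DECRYPT:-gpg --quiet --decrypt} "$enc" > "$plain"; then
        rm -rf "$workdir"; umask "$old_umask"
        echo "decryption failed, nothing started" >&2
        return 1
    fi
    umask "$old_umask"

    "$@" --config.file="$plain" &
    DAEMON_PID=$!

    # Give the daemon time to parse the file, then remove the plaintext.
    sleep "${SETTLE_SECONDS:-5}"
    rm -rf "$workdir"

    # Still running: success. Already exited: report its exit status.
    if kill -0 "$DAEMON_PID" 2>/dev/null; then
        return 0
    fi
    wait "$DAEMON_PID"
}
```

Because the plaintext is gone once the function returns, any later configuration change means repeating the whole step, as the reply says.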