passwords in config file


Natacha Souza

Dec 17, 2022, 3:49:30 AM
to Prometheus Users
Hey guys,

I'm looking for some best practices advice for securing my prometheus stack, because I don't wanna have username+password for my targets in my prometheus.yml file.

I've looked for environment variables because this is one way that I know of, and that turned out to be a huge discussion and a dead end. 

So what is your recommendation? What should I study/do?

Regards,
Nat

Brian Candler

Dec 17, 2022, 4:53:03 AM
to Prometheus Users
If you're talking about basic_auth in scrape jobs, then use password_file instead of password.

Otherwise, please clarify, or give an example of the embedded username+password config you're talking about.

Natacha Souza

Dec 18, 2022, 8:56:12 AM
to Prometheus Users
Hi Brian,

Yes, that's what I meant. But I also have some concerns about password_file, can you recommend some strategies I can study to use it securely? 
I've been trying to find it online for a few days before asking here, but without success.

Brian Candler

Dec 18, 2022, 2:35:02 PM
to Prometheus Users
It's pretty simple. You point password_file at a file containing the password; and you use Unix permissions to ensure that this file is readable only by the prometheus process (i.e. the userid that prometheus runs as).

If you are using Kubernetes, it has the ability to expose "secrets" at a specific path in the filesystem, so you could point to one of those.

Certainly, if someone breaks into the system as 'root' or the prometheus user, they'll be able to read the secret. But that's pretty much a requirement, since the prometheus process itself needs to know the secret.
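
An added example, not part of the posts in this thread and not Prometheus project code: a small Python audit of the setup described in the reply above, flagging inline `password:` entries and any `password_file` that is accessible by group/other or not owned by the expected user. The function name `audit_config`, the line-based scan (one key per line) and the sample config are assumptions made for the example.

```python
import os
import re
import stat
import tempfile

# Line-based scan; assumes one key per line, as in a typical prometheus.yml.
INLINE = re.compile(r"^\s*password:\s*\S")
FILEREF = re.compile(r"^\s*password_file:\s*['\"]?([^'\"#\s]+)")

def audit_config(config_text, expected_uid):
    """Return findings for inline passwords and weakly protected password files."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if INLINE.match(line):
            findings.append(f"line {lineno}: inline password, use password_file")
            continue
        m = FILEREF.match(line)
        if not m:
            continue
        path = m.group(1)
        try:
            st = os.stat(path)  # follows symlinks, e.g. mounted secrets
        except OSError as exc:
            findings.append(f"line {lineno}: {path}: {exc.strerror}")
            continue
        # Any group/other permission bit means more than the owner can reach it.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"line {lineno}: {path}: accessible by group/other "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
        if st.st_uid != expected_uid:
            findings.append(f"line {lineno}: {path}: owned by uid {st.st_uid}, "
                            f"expected {expected_uid}")
    return findings

if __name__ == "__main__":
    # Constructed sample: a secret file created world-readable on purpose.
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("constructed-secret\n")
    os.chmod(fh.name, 0o644)
    sample = f"basic_auth:\n  username: scraper\n  password_file: {fh.name}\n"
    print(audit_config(sample, os.getuid()))   # one finding: group/other access
    os.chmod(fh.name, 0o400)                   # readable only by the owning user
    print(audit_config(sample, os.getuid()))   # no findings
    os.remove(fh.name)
```

In real use, pass the uid of the account Prometheus runs as for `expected_uid`.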

Natacha Souza

Jan 6, 2023, 1:06:34 PM
to Prometheus Users
Aaah, that is lovely. Thank you so much for pointing me in the right direction.

sayf.eddi...@gmail.com

Jan 7, 2023, 6:15:46 AM
to Prometheus Users
If you have control over the version of systemd, you can update and use the credentials module: https://systemd.io/CREDENTIALS/