It's pretty simple. You point password_file at a file containing the 
password; and you use Unix permissions to ensure that this file is readable 
only by the prometheus process (i.e. the userid that prometheus runs as).

If you are using Kubernetes, it has the ability to expose "secrets" at a 
specific path in the filesystem, so you could point to one of those.

Certainly, if someone breaks into the system as 'root' or the prometheus 
user, they'll be able to read the secret. But that's pretty much a 
requirement, since the prometheus process itself needs to know the secret.

On Sunday, 18 December 2022 at 13:56:12 UTC natach...@gmail.com wrote:

> Hi Brian,
>
> Yes, that's what I meant. But I also have some concerns about 
> password_file, can you recommend some strategies I can study to use it 
> securely? 
> I've been trying to find it online for a few days before asking here, but 
> without success.
>
> On Saturday, December 17, 2022 at 6:53:03 AM UTC-3 Brian Candler wrote:
>
>> If you're talking about basic_auth in scrape jobs 
>> <https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config>,
>> then use password_file instead of password.
>>
>> Otherwise, please clarify, or give an example of the embedded 
>> username+password config you're talking about.
>>
>> On Saturday, 17 December 2022 at 08:49:30 UTC natach...@gmail.com wrote:
>>
>>> Hey guys,
>>>
>>> I'm looking for some best practices advice for securing my prometheus 
>>> stack, because I don't wanna have username+password for my targets in my 
>>> prometheus.yml file
>>>
>>> I've looked for environment variables because this is one way that I 
>>> know of, and that turned out to be a huge discussion and a dead end. 
>>>
>>> So what is your recommendation? What should I study/do?
>>>
>>> Regards,
>>> Nat
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prometheus-users/d415d9f1-1a1f-4c11-a2ac-7c1326db9f9cn%40googlegroups.com.
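
One way to check the setup described in the top reply (password_file readable only by the userid Prometheus runs as), written as an added example that is not part of the thread or of the Prometheus project. It assumes Linux with GNU stat; the function names and the paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example: audit prometheus.yml for inline passwords and for
# password_file targets that group/other can access.
# Assumes Linux with GNU stat; function names and paths are hypothetical.

# check_secret_file PATH UID: succeeds only if PATH is a regular file owned by
# numeric UID with no group/other permission bits; otherwise prints the reason.
check_secret_file() {
    if [ ! -f "$1" ]; then
        echo "FAIL $1: missing or not a regular file"; return 1
    fi
    # -L follows symlinks, so a symlinked secret is judged by its target.
    owner=$(stat -L -c '%u' "$1") || return 1
    mode=$(stat -L -c '%a' "$1") || return 1
    if [ "$owner" != "$2" ]; then
        echo "FAIL $1: owned by uid $owner, expected $2"; return 1
    fi
    # Octal 077 masks the group and other bits; all must be clear (400, 600).
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $1: mode $mode lets group/other access it"; return 1
    fi
    echo "OK   $1: uid $owner, mode $mode"
}

# audit_config CONFIG UID: exit status is the number of findings (0 = clean).
audit_config() {
    findings=0
    # An inline "password:" key keeps the secret in the config file itself.
    inline=$(grep -c -E '^[[:space:]]*password:' "$1" || true)
    if [ "$inline" -gt 0 ]; then
        echo "FAIL $1: $inline inline password entries"
        findings=$((findings + inline))
    fi
    # First token after each password_file key, quotes stripped.
    # Assumes the paths contain no whitespace.
    for f in $(sed -n -E 's/^[[:space:]]*password_file:[[:space:]]*([^[:space:]]+).*/\1/p' "$1" | tr -d "\"'"); do
        check_secret_file "$f" "$2" || findings=$((findings + 1))
    done
    return "$findings"
}

# Typical call (hypothetical path, service user named prometheus):
#   audit_config /etc/prometheus/prometheus.yml "$(id -u prometheus)"
```

Kubernetes secret volumes are mounted with mode 0644 unless `defaultMode` is set on the volume, so those files are flagged by this check until the mode is tightened.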
