If you have control over the version of systemd, you can update and use the credentials module: https://systemd.io/CREDENTIALS/

On Friday, January 6, 2023 at 7:06:34 PM UTC+1 [email protected] wrote:

> Aaah, that is lovely. Thank you so much for pointing me in the right
> direction.
>
> On Sunday, December 18, 2022 at 4:35:02 PM UTC-3 Brian Candler wrote:
>
>> It's pretty simple. You point password_file at a file containing the
>> password; and you use Unix permissions to ensure that this file is readable
>> only by the prometheus process (i.e. the userid that prometheus runs as).
>>
>> If you are using Kubernetes, it has the ability to expose "secrets" at a
>> specific path in the filesystem, so you could point to one of those.
>>
>> Certainly, if someone breaks into the system as 'root' or the prometheus
>> user, they'll be able to read the secret. But that's pretty much a
>> requirement, since the prometheus process itself needs to know the secret.
>>
>> On Sunday, 18 December 2022 at 13:56:12 UTC [email protected] wrote:
>>
>>> Hi Brian,
>>>
>>> Yes, that's what I meant. But I also have some concerns about
>>> password_file, can you recommend some strategies I can study to use it
>>> securely?
>>> I've been trying to find it online for a few days before asking here,
>>> but without success.
>>>
>>> On Saturday, December 17, 2022 at 6:53:03 AM UTC-3 Brian Candler wrote:
>>>
>>>> If you're talking about basic_auth in scrape jobs
>>>> <https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config>,
>>>> then use password_file instead of password.
>>>>
>>>> Otherwise, please clarify, or give an example of the embedded
>>>> username+password config you're talking about.
>>>>
>>>> On Saturday, 17 December 2022 at 08:49:30 UTC [email protected]
>>>> wrote:
>>>>
>>>>> Hey guys,
>>>>>
>>>>> I'm looking for some best practices advice for securing my prometheus
>>>>> stack, because I don't wanna have username+password for my targets in my
>>>>> prometheus.yml file.
>>>>>
>>>>> I've looked for environment variables because this is one way that I
>>>>> know of, and that turned out to be a huge discussion and a dead end.
>>>>>
>>>>> So what is your recommendation? What should I study/do?
>>>>>
>>>>> Regards,
>>>>> Nat
>>>>>
>>>>
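
Added example, not part of the thread and not Prometheus project code: a check for the password_file approach described above. It scans a prometheus.yml for inline `password:` values and verifies that each `password_file` target is owned by the user Prometheus runs as and has no group/other permission bits. The function names, the line-based scan and the sample config are assumptions made for illustration.

```python
import os
import pathlib
import re
import tempfile

# Line-based scan, an assumption that keeps this example free of a YAML parser.
_KEY = re.compile(r"^\s*(password|password_file)\s*:\s*(.+?)\s*$")


def check_secret_file(path, run_uid):
    """Return problems unless path is owned by run_uid with no group/other bits."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    problems = []
    if st.st_uid != run_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {run_uid}")
    if st.st_mode & 0o077:
        problems.append(f"{path}: mode {st.st_mode & 0o7777:04o} is open to group/other")
    return problems


def audit_config(config_path, run_uid):
    """Flag inline passwords and badly protected password_file targets."""
    findings = []
    base = os.path.dirname(os.path.abspath(config_path))
    with open(config_path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            m = _KEY.match(line)
            if m and m.group(1) == "password":
                findings.append(f"line {lineno}: inline password, use password_file")
            elif m:
                # Relative paths are resolved against the config file's directory.
                path = os.path.join(base, m.group(2).strip("'\""))
                findings += [f"line {lineno}: {p}" for p in check_secret_file(path, run_uid)]
    return findings


def demo():
    """Constructed sample: one scrape job whose password file is mode 0644."""
    with tempfile.TemporaryDirectory() as d:
        secret = pathlib.Path(d, "target.pass")
        secret.write_text("constructed-sample-secret\n")
        secret.chmod(0o644)
        cfg = pathlib.Path(d, "prometheus.yml")
        cfg.write_text("scrape_configs:\n  - job_name: node\n    basic_auth:\n"
                       f"      username: scraper\n      password_file: {secret}\n")
        return audit_config(cfg, os.getuid())
```

Run `audit_config` as root or as the Prometheus user, passing that user's uid, so the `stat` call itself is not blocked by the directory permissions being checked.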

