I have started working with Prometheus for my microservices, and I was able to get it working initially. Now it's time to put the actuator endpoint behind Spring Security. After adding the security, the actuator expects a bearer token from Prometheus. So, how do I configure the username and password in the Prometheus job so that Prometheus gets the bearer token from the login and adds it as the 'Authorization' header for all requests?

I'm running Prometheus in a Docker container using the commands below:

```
$ docker run --name prometheus -p 9090:9090 -v prometheus.yml:/etc/prometheus/prometheus.yml -d prom/prometheus
$ docker run --name grafana -d -p 3000:3000 grafana/grafana
```

The following is the prometheus.yml file:

```yaml
# my global config
global:
  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
# - "first_rules.yml"
# - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:

  # The job name is added as a label `job=<job_name>` to any time series scraped from this config.
  - job_name: 'prometheus'
    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.
    static_configs:
      - targets: ['127.0.0.1:9090']

  - job_name: 'NL-APPLICATION'
    metrics_path: '/actuator/prometheus'
    scrape_interval: 5s
    scheme: http
    static_configs:
      - targets: ['172.17.0.1:8085']

  - job_name: 'NL-ADMIN-API'
    metrics_path: '/actuator/prometheus'
    scrape_interval: 5s
    static_configs:
      - targets: ['172.17.0.1:8083']
```

How do I instruct Prometheus to do the following?

  1. Make an API call to '/login' to get the Bearer token using a username and password
  2. Add the Bearer token as the 'Authorization' header in all actuator API calls
Manjunath R
  • You most likely can't... Prometheus is not built that way – Toerktumlare Jun 05 '21 at 10:36
  • When software (like Prometheus) is authenticating, you'll want to consider using a mechanism like OAuth (2-legged) or other means to generate a Bearer token that you can provide to Prometheus `scrape_configs` to authenticate. As @toerktumlare wrote, Prometheus doesn't support visiting a login URL to get a token. Rather Prometheus is expected to provide either a username|password in basic auth or a Bearer token. Both are possible with Spring Boot and, if you have the ability to control the endpoint, OAuth or other Bearer token generation are preferred. You'll want to use TLS too (not HTTP). – DazWilkin Jun 05 '21 at 16:48
  • Wait, I did find this: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#oauth2 – Toerktumlare Jun 05 '21 at 19:18
  • I am trying the same sort of thing with Keycloak, and I get an error message about 'Realm does not exist'. There is some developer documentation at https://prometheus-operator.dev/docs/operator/api/#oauth2 which provides the same type of information as the link that you provided. I am using version 2.33 – Dave Feb 02 '22 at 16:13
  • Found an answer? – pixel Sep 14 '22 at 21:42

1 Answer

You can either specify the token as a file or add the token to the config:

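```yaml
- job_name: 'test'
  metrics_path: "/metrics"
  scheme: "http"
  # Either read the token from a file ...
  bearer_token_file: /var/run/secrets/
  # ... OR put the token inline (use only one of the two):
  # bearer_token: token_here
  static_configs:
    - targets: ['host.com']
```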
Tyler2P
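Added example, not part of the original answer or the Prometheus project's own configuration: the two approaches the comments and the answer point to (a token file, and the `oauth2` scrape setting), written out for the question's two actuator jobs and served over TLS as the comment recommends. It assumes a Prometheus version that supports the `authorization` and `oauth2` scrape settings (the thread mentions 2.33); host names, the token URL, client ID, scope and file paths are placeholders.

```yaml
scrape_configs:
  # Option A: bearer token read from a file.
  # Prometheus never calls '/login' itself, so something outside Prometheus
  # (a deploy step, a sidecar, a secret mount) must write and rotate this file.
  - job_name: 'NL-APPLICATION'
    metrics_path: '/actuator/prometheus'
    scrape_interval: 5s
    scheme: https                # keep the token off plain HTTP
    authorization:
      type: Bearer
      credentials_file: /etc/prometheus/secrets/nl-application.token  # placeholder path
    tls_config:
      ca_file: /etc/prometheus/certs/ca.pem                           # placeholder path
    static_configs:
      - targets: ['nl-application.example.internal:8085']             # placeholder host

  # Option B: OAuth2 client credentials.
  # Prometheus requests the token from token_url and sends it as
  # 'Authorization: Bearer ...' on each scrape. Assumes the Spring application
  # validates tokens issued by this identity provider.
  - job_name: 'NL-ADMIN-API'
    metrics_path: '/actuator/prometheus'
    scrape_interval: 5s
    scheme: https
    oauth2:
      client_id: prometheus-scraper                                   # placeholder client
      client_secret_file: /etc/prometheus/secrets/oauth-client-secret # placeholder path
      token_url: https://idp.example.internal/oauth2/token            # placeholder URL
      scopes: ['actuator.read']                                       # placeholder scope
    tls_config:
      ca_file: /etc/prometheus/certs/ca.pem
    static_configs:
      - targets: ['nl-admin-api.example.internal:8083']               # placeholder host
```

Use only one authentication setting per job, and mount the secret files read-only into the Prometheus container rather than placing tokens inline in prometheus.yml.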