20

One of the targets in static_configs in my prometheus.yml config file is secured with basic authentication. As a result, an error of description "Connection refused" is always displayed against that target in the Prometheus Targets' page.

I have researched how to setup prometheus to provide the security credentials when trying to scrape that particular target but couldn't find any solution. What I found was how to set it up on the scrape_config section in the docs. This won't work for me because I have other targets that are not protected with basic_auth. Please help me out with this challenge.

Here is part of my .yml config as regards my challenge.

scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # Override the global default and scrape targets from this job every 5 seconds.
    scrape_interval: 5s
    scrape_timeout: 5s

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

    static_configs:
      
      - targets: ['localhost:5000']
        labels: 
          service: 'Auth'
      - targets: ['localhost:5090']
        labels:
          service: 'Approval'
      - targets: ['localhost:6211']
        labels:
          service: 'Credit Assessment'
      - targets: ['localhost:6090']
        labels:
          service: 'Sweep'
      - targets: ['localhost:6500']
        labels:
Kacey Ezerioha
  • 1,068
  • 4
  • 22
  • 46

2 Answers2

38

In my case, I need to create another job (as specified), but basic_auth needs to be at the same level of indentation as job_name. See example here.

As well, my basic_auth cases require a path as they are not displayed at the root of my domain.

Here is an example with an API endpoint specified:

  - job_name: 'myapp_health_checks'
    scrape_interval: 5m
    scrape_timeout: 30s
    static_configs:
        - targets: ['mywebsite.org']
    metrics_path: "/api/health"
    basic_auth:
      username: 'email@username.me'
      password: 'cfgqvzjbhnwcomplicatedpasswordwjnqmd'
Westy92
  • 19,087
  • 4
  • 72
  • 54
François
  • 1,793
  • 14
  • 19
  • 3
    It is also possible to specify `password_file: valid_password_file` instead of a hard coded password for reference. – justin.m.chase Apr 14 '21 at 15:11
  • Hello justin, I suggest you to have a glance at this link: https://github.com/prometheus/prometheus/issues/2357#issuecomment-810876410 It seems like it will be possible to substitute env variables from Prometheus 2.27 on. I didn't test it tho. Best – François Apr 17 '21 at 13:12
-1

Create another job for the one that needs auth.
So just under what you've posted, do another

  - job_name: 'prometheus-basic_auth'
    scrape_interval: 5s
    scrape_timeout: 5s
    static_configs:
      
      - targets: ['localhost:5000']
        labels: 
          service: 'Auth'
        basic_auth:
          username: foo
          password: bar
PatientZro
  • 7
  • 1
  • I think this is not valid. Prometheus can't parse a config like this and fails with this error message: `level=error err="Error loading config couldn't load configuration (--config.file=/etc/prometheus/prometheus.yml): parsing YAML file /etc/prometheus/prometheus.yml: unknown fields in static_config: basic_auth"` – n2o Dec 21 '20 at 15:55
  • 2
    I believe the basic_auth section should be under job_name section, not targets – AsciiFace Apr 09 '21 at 20:24