This has been discussed before. Anything you can use to obfuscate the password, in a way that prometheus itself could unobfuscate it at startup, would also be usable by an attacker who has root access to the system.
The best I can offer is to have the entire config file gpg-encrypted, decrypt it into a RAMdisk (an operator has to type the passphrase), start prometheus, and delete the RAMdisk. This would have to be done every time you want to change the prometheus config. You can't store the passphrase anywhere *on* the system, because obviously, anyone who has root access to that system would also be able to access it. But you probably need to think a bit more about your threat model. If an untrusted user has root access to your prometheus server, then losing the basic auth credentials to scrape another node is probably the least of your worries.
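The decrypt-to-RAM procedure described in the message above, as an added example that is not part of the original post. The function name, the use of `/dev/shm` as the RAM-backed directory and the startup wait are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: /dev/shm is a tmpfs mount,
# gpg and prometheus are on PATH, and a 5 second startup wait is enough.
# Caveat: tmpfs pages can be written to swap unless swap is off or encrypted.

start_prometheus_from_encrypted() {
    enc_cfg=$1                 # gpg-encrypted config (path is caller-supplied)
    ram_base=${2:-/dev/shm}    # RAM-backed directory (assumption)
    wait_secs=${3:-5}          # time allowed for Prometheus to load the config

    old_umask=$(umask)
    umask 077                  # plaintext readable by the invoking user only
    workdir=$(mktemp -d "$ram_base/promcfg.XXXXXX") || { umask "$old_umask"; return 1; }
    plain=$workdir/prometheus.yml

    # gpg prompts the operator for the passphrase; it is never stored on the host.
    if ! gpg --quiet --decrypt --output "$plain" "$enc_cfg"; then
        rm -rf "$workdir"
        umask "$old_umask"
        return 2
    fi
    umask "$old_umask"

    prometheus --config.file="$plain" &
    PROM_PID=$!

    # Prometheus reads the file at startup; afterwards the plaintext can go.
    # A later config reload will fail until this procedure is repeated.
    sleep "$wait_secs"
    rm -rf "$workdir"

    # Report failure if Prometheus exited (for example on a bad config).
    kill -0 "$PROM_PID" 2>/dev/null || return 3
    return 0
}

# Usage (hypothetical path):
#   start_prometheus_from_encrypted /etc/prometheus/prometheus.yml.gpg
```

While Prometheus runs, the credentials remain in its process memory, so this only protects the config at rest, which is the limitation the message points out.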

