Prometheus
Prometheus Authorsmonitoring5 credentials
Unauthenticated Web UI / HTTP API Access
prometheus / unauthenticated-default
Prometheus web UI and HTTP API historically do not require built-in authentication unless web configuration, TLS/basic auth, or a reverse proxy is configured. Metrics and query endpoints can be accessible without credentials.
Unauthenticated access
open defaultno authentication required- username
- none
- password
- none
Location
Prometheus web UI and HTTP API, commonly :9090query, targets, service discovery, status, and admin endpoints when exposed without web auth/reverse proxy auth
web.yml, prometheus startup flags, reverse proxy configweb config and reverse proxy settings determine whether browser/API users must authenticate
Prometheus startup logs showing web listener and loaded web config
Notes
This represents no web/API login requirement, not a password. Impact depends on bind address, --web.enable-admin-api, reverse proxy configuration, firewalling, and whether web.yml basic auth/TLS is configured.
Scrape Basic Auth / Bearer Token
prometheus / scrape-basic-auth-and-bearer-token
Prometheus scrape configs support basic_auth, authorization credentials, bearer tokens, OAuth2, and service account token files for targets. These values often grant access to metrics endpoints or upstream APIs.
Location
AuthorizationBasic or Bearer token sent to scrape targets, remote write endpoints, or APIs
prometheus.yml, file_sd configsscrape_configs basic_auth, authorization, bearer_token, bearer_token_file, and oauth2 settings
PROMETHEUS_TOKEN, PROMETHEUS_PASSWORDKubernetes Secrets, mounted service account tokens, Vault, and CI/CD variables
Helm values, Jsonnet, Kustomize, and monitoring repos
Prometheus startup logs, config reload errors, and HTTP client debug traces
Remote Write / Alertmanager Credential
prometheus / remote-write-secret
Prometheus and Alertmanager integrations can contain credentials for remote_write, remote_read, Alertmanager, notification receivers, and long-term storage backends.
Location
prometheus.yml, alertmanager.ymlremote_write, remote_read, alertmanager, webhook, SMTP, Slack, PagerDuty, and storage credentials
Kubernetes Secrets, cloud secret managers, and monitoring vaults
Helm values and monitoring configuration repositories
remote write errors, notification logs, and config validation output
Prometheus Web UI Basic Auth / TLS Secret
prometheus / web-ui-basic-auth
Prometheus web endpoints can be protected with web config basic auth, TLS private keys, and reverse-proxy credentials.
Location
Prometheus web UI, HTTP API, Alertmanager UI/API, and reverse proxiesweb.ymlbasic_auth_users, TLS cert/key paths, and web server auth settings
Kubernetes Secrets, htpasswd stores, and certificate vaults
web server access logs and authentication failures
Kubernetes Service Account Token
prometheus / kubernetes-service-account-token
Prometheus in Kubernetes often uses service account bearer tokens to discover and scrape pods, nodes, kubelets, and apiserver metrics.
Looks like
patterneyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+Location
/var/run/secrets/kubernetes.io/serviceaccount/tokenmounted service account token file referenced by Prometheus configs
Kubernetes service account token secrets and projected volumes
scrape/debug logs if bearer tokens are printed
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.