{"id":13521244,"url":"https://github.com/authzed/prom-authzed-proxy","last_synced_at":"2025-04-23T20:32:27.783Z","repository":{"id":39205398,"uuid":"395815743","full_name":"authzed/prom-authzed-proxy","owner":"authzed","description":"A Prometheus proxy that performs SpiceDB permission checks based on labels","archived":false,"fork":false,"pushed_at":"2024-07-01T13:56:19.000Z","size":423,"stargazers_count":37,"open_issues_count":4,"forks_count":4,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-20T10:04:58.295Z","etag":null,"topics":["authorization-proxy","authzed","metrics","monitoring","prometheus","proxy-server","spicedb"],"latest_commit_sha":null,"homepage":"https://authzed.com/blog/prom-authzed-proxy","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/authzed.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2021-08-13T22:32:11.000Z","updated_at":"2025-03-10T09:00:35.000Z","dependencies_parsed_at":"2023-10-05T05:38:10.633Z","dependency_job_id":null,"html_url":"https://github.com/authzed/prom-authzed-proxy","commit_stats":{"total_commits":49,"total_committers":5,"mean_commits":9.8,"dds":"0.36734693877551017","last_synced_commit":"b7feea158136dc28b0f31e03d44e8babc22efa34"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fprom-authzed-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fprom-authzed-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fprom-authzed-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fprom-authzed-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/authzed","download_url":"https://codeload.github.com/authzed/prom-authzed-proxy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250509858,"owners_count":21442510,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization-proxy","authzed","metrics","monitoring","prometheus","proxy-server","spicedb"],"created_at":"2024-08-01T06:00:31.416Z","updated_at":"2025-04-23T20:32:26.676Z","avatar_url":"https://github.com/authzed.png","language":"Go","funding_links":[],"categories":["Go","Integrations"],"sub_categories":["Official Integrations"],"readme":"# prom-authzed-proxy\n\n[![Container Image](https://img.shields.io/github/v/release/authzed/prom-authzed-proxy?color=%232496ED\u0026label=container\u0026logo=docker \"Container Image\")](https://quay.io/repository/authzed/prom-authzed-proxy)\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)\n[![Build Status](https://github.com/authzed/prom-authzed-proxy/workflows/Build%20\u0026%20Test/badge.svg)](https://github.com/authzed/prom-authzed-proxy/actions)\n[![Mailing List](https://img.shields.io/badge/email-google%20groups-4285F4)](https://groups.google.com/g/authzed-oss)\n[![Discord Server](https://img.shields.io/discord/844600078504951838?color=7289da\u0026logo=discord \"Discord Server\")](https://discord.gg/jTysUaxXzM)\n[![Twitter](https://img.shields.io/twitter/follow/authzed?color=%23179CF0\u0026logo=twitter\u0026style=flat-square)](https://twitter.com/authzed)\n\nprom-authzed-proxy is a proxy for [Prometheus] that authorizes the request's [Bearer Token] with [Authzed] or [SpiceDB] and enforces a label in a PromQL query.\n\n[SpiceDB] is a database system for managing security-critical permissions checking.\n\nSpiceDB acts as a centralized service that stores authorization data.\nOnce stored, data can be performantly queried to answer questions such as \"Does this user have access to this resource?\" and \"What are all the resources this user has access to?\".\n\n[Authzed] operates the globally available, serverless database platform for SpiceDB.\n\nSee [CONTRIBUTING.md] for instructions on how to contribute and perform common tasks like building the project and running tests.\n\n[Prometheus]: https://prometheus.io\n[prom-label-proxy]: https://github.com/prometheus-community/prom-label-proxy\n[Bearer Token]: https://datatracker.ietf.org/doc/html/rfc6750#section-2.1\n[Authzed]: https://authzed.com\n[SpiceDB]: https://github.com/authzed/spicedb\n[CONTRIBUTING.md]: CONTRIBUTING.md\n\n## Basic Usage\n\n### Installation\n\nIf you're using a modern version of [Go], run the following command to install:\n\n```sh\ngo install github.com/authzed/prom-authzed-proxy/cmd/prom-authzed-proxy\n```\n\nIf you want a container of the proxy and have [docker] installed:\n\n```sh\ndocker pull authzed/prom-authzed-proxy:latest\n```\n\n[Go]: https://golang.org/dl/\n[docker]: https://www.docker.com/products/docker-desktop\n\n### Running against localhost\n\nThe following command will run the proxy that checks the permissions against [authzed.com] and a Prometheus running on localhost:\n\n```sh\nprom-authzed-proxy \\\n    --proxy-upstream-prometheus-addr http://localhost:9090 \\\n    --proxy-spicedb-token tc_client_token_1234deadbeef  \\\n    --proxy-check-resource-type metric \\\n    --proxy-check-resource-id-query-param install \\\n    --proxy-check-permission view\n    --proxy-check-subject-type token \\\n```\n\nEach request is checked to have a value as a [Bearer Token] that has the `view` permission for the resource specified in the PromQL label `install` with their respective types.\n\nIf the permission check fails, the proxy will return an HTTP 403.\n\n[authzed.com]: https://authzed.com\n[Bearer Token]: https://datatracker.ietf.org/doc/html/rfc6750#section-2.1\n\n## Related Projects\n\n- [Prometheus] - industry standard time series database\n- [SpiceDB] - industry standard permissions database\n- [prom-label-proxy] - proxy that enforces labels in PromQL\n- [kube-rbac-proxy] - proxy that authorizes requests with Kubernetes cluster RBAC, sometimes used with prom-label-proxy\n\n[kube-rbac-proxy]: https://github.com/brancz/kube-rbac-proxy\n[SpiceDB]: https://github.com/authzed/spicedb\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthzed%2Fprom-authzed-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fauthzed%2Fprom-authzed-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthzed%2Fprom-authzed-proxy/lists"}