{"id":13562595,"url":"https://github.com/bitsbeats/prometheus-acls","last_synced_at":"2026-04-04T14:51:41.265Z","repository":{"id":41415856,"uuid":"226877061","full_name":"bitsbeats/prometheus-acls","owner":"bitsbeats","description":"prometheus oauth acl reverse proxy","archived":false,"fork":false,"pushed_at":"2021-09-17T01:14:56.000Z","size":2256,"stargazers_count":38,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-03T18:42:14.339Z","etag":null,"topics":["acl","golang","grafana","oauth","oidc","prometheus"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bitsbeats.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-12-09T13:23:55.000Z","updated_at":"2023-09-08T18:01:04.000Z","dependencies_parsed_at":"2022-08-28T13:21:10.069Z","dependency_job_id":null,"html_url":"https://github.com/bitsbeats/prometheus-acls","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/bitsbeats/prometheus-acls","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsbeats%2Fprometheus-acls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsbeats%2Fprometheus-acls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsbeats%2Fprometheus-acls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsbeats%2Fprometheus-acls/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bitsbeats","download_url":"https://codeload.github.com/bitsbeats/prometheus-acls/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsbeats%2Fprometheus-acls/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31403765,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acl","golang","grafana","oauth","oidc","prometheus"],"created_at":"2024-08-01T13:01:10.241Z","updated_at":"2026-04-04T14:51:41.242Z","avatar_url":"https://github.com/bitsbeats.png","language":"Go","readme":"# prometheus-acls\n\n[![Build Status](https://cloud.drone.io/api/badges/bitsbeats/prometheus-acls/status.svg)](https://cloud.drone.io/bitsbeats/prometheus-acls)\n[![Docker Pulls](https://img.shields.io/docker/pulls/bitsbeats/prometheus-acls.svg?maxAge=604800)](https://hub.docker.com/r/bitsbeats/prometheus-acls)\n[![Go Report Card](https://goreportcard.com/badge/github.com/bitsbeats/prometheus-acls)](https://goreportcard.com/report/github.com/bitsbeats/prometheus-acls)\n\nA reverse proxy for Prometheus that provides label-based ACLs via OIDC.\n\n## Prerequisites\n\n* Running Prometheus server\n* OpenID Connect server (e.g. Keycloak) with the option to set custom fields in the access token\n* Grafana instance that authenticates with OpenID Connect\n\n## Configuration\n\n### Environment\n\nAll settings are configured via environment variables.\n\n* `LISTEN`: IP and port to listen on (default `:8080`)\n* `URL`: URL for prometheus-acls, used to generate redirects, login and callback routes (e.g. https://promacl.example.com)\n* `COOKIE_SECRET`: Cookie secret (should be 32 or 64 chars), autogenerated if empty\n* `PROMETHEUS_URL`: URL to the upstream Prometheus (default http://localhost:9090)\n* `OIDC_ISSUER`: URL to the OpenID Connect server (e.g. https://auth.example.com/auth/realms/users)\n* `OIDC_CLIENT_ID`: OAuth client ID (e.g. `grafana`)\n* `OIDC_CLIENT_SECRET`: OAuth client secret (e.g. `12345678-1234-1234-1234-123456789abc`)\n* `OIDC_ROLES_CLAIM`: Field in the access token from which the user's roles are loaded (default `roles`)\n* `ACL_FILE`: Absolute or relative path to the ACL configuration file (default `prometheus-acls.yml`)\n\n### `prometheus-acls.yml`:\n\nThe `prometheus-acls.yml` file maps roles to access rights.\n\n```yaml\n# syntax:\n#\n# \u003crolename\u003e:\n#   \u003cmetricname\u003e: \u003cprometheus label matches\u003e\n#   # or\n#   re!\u003cregex\u003e: \u003cprometheus label matches\u003e\n\ndeveloper:                # The keys match the OIDC_ROLES_CLAIM field of the access token.\n\n  re!^awesome_app_:       # regex match for all metrics that start with awesome_app_\n    env=dev               # prometheus label match for dev env\n\n  re!^node_:              # regex match for node exporter\n    instance=~'.*\\.lan$'  # prometheus label match for instances that end with .lan\n\n  up: env!=dev,app=hal    # prometheus labels are handled by prometheus, so their complete\n                          # syntax is supported\n\nadmin:                    # The keys match the OIDC_ROLES_CLAIM field of the access token.\n\n  secret_app_:            # exact metric name\n    ~                     # YAML null value will block access to a metric\n\n  '*':                    # wildcard match for all metrics\n    ''                    # empty prometheus label match for NO RESTRICTIONS\n```\n\nOrder of metric name matching:\n\n* Exact metric name\n* Regex metric name\n* Wildcard metric name\n* **Default**: deny access\n\nBest practices:\n\n* Metric regex matches should start with `^`\n* Regex label matches are slower than exact matches\n\n### OIDC Provider\n\nExample for Keycloak:\n\n* Create a new client with Access Type `confidential`\n* Go to the client's mappers and add a new one\n* Most mappers should work, e.g. `User Client Role`\n* Set `Token Claim Name` to `roles` (if you change this you also need to supply `$OIDC_ROLES_CLAIM` to prometheus-acls)\n* `Claim JSON Type` is `String`\n* `Add to access token` must be `on`\n* Configure both Grafana *and* prometheus-acls with the same OIDC settings\n\n**Note**: When you have multiple roles, the first one that is mentioned in `prometheus-acls` will be used.\nWe currently use per-client roles to avoid any conflicts.\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitsbeats%2Fprometheus-acls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbitsbeats%2Fprometheus-acls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitsbeats%2Fprometheus-acls/lists"}