Skip to content
Allow shared usage of a Prometheus instance with multiple users with each one only able to see their own metrics
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


PromAuthProxy is an Authentication-Proxy for the Prometheus Monitoring System.

It enables to use a single Prometheus-instance with multiple users, such that each user can query the Prometheus instance, but will only see their own metrics.

How it works

with Prometheus

PromAuthProxy is a proxy that sits before the Prometheus-intstance in question. To ensure that users only see their own metrics, PromAuthProxy takes a target label (by default the job-label), inspects the query that is submitted to the prometheus and ensures that every query includes the target label set to the value of the HTTP-Header (by default) X-prometheus-injectable, either by injecting it if not present or overwriting if specified differently. The X-Prometheus-injectable has to be set by a previous component, for example an nginx providing HTTP basic auth or any other component that is able to set such an HTTP-Header. The label used is freely choosable, but should of course be present in the time series (to be ensured via the prometheus-configuration).

In addition to this, when the label job is used for such multi-tenancy separation PromAuthProxy also filteres the target list as well as the alerts view as long as the alert names start with the injected job label (such as "username: CPUbusy").

with Alertmanager

Similar to the Prometheus-Setup, PromAuthProxy injects the target-label into every query and inspection of a silence, as well as into the generation of a new silence. This means that users can only see alerts with the target-label set to their username and no other and can only generate new silences with the according matcher included (actually users can generate a silence without and the matcher is injected by PromAuthProxy automatically). Therefore with PromAuthProxy before users should not be able to tell if other people are using the same alertmanager except for the names in the dropdown.

Building and running


# actually build and run
git clone
cd promauthproxy
go get ./...
go build promauthproxy.go

automatically using go-toolchain

go get -u ""

How to use it

PromAuthProxy is intended as a proxy between a Prometheus Server/Alertmanager and another proxy tasked with authenticating the user and injecting the required label into the HTTP-request (e.g. an nginx with HTTP basic auth in the most simple case).

commandline flag reference

  	Log with full details
  	Log with timestamps
-inject.label string
  	target label to inject or overwrite (default "job")
-inject.source string
  	HTTP header specifying label to-be-injected (default "X-prometheus-injectable")
-web.listen-address string
  	address exposed to outside (default ":8080")
-web.proxy-to string
  	address to proxy to (default "")


This works is released under the GNU General Public License v3. You can find a copy of this license in the file LICENSE or at


This is currently beta software. Until version 1.0 will be reached, backwards incompatible breaks might still occur, although they are avoided if possible. Especially the config format might still be subject to change.

You can’t perform that action at this time.