Skip to content


Switch branches/tags

Prometheus — Multi-tenant proxy

Build Status License: GPL v3

Twitter Join the chat at

This project aims to make it easy to deploy a Prometheus Server in a multi-tenant way.

This project has some reference from the prometheus label injector

The proxy enforces the namespace label in a given PromQL query while providing a basic auth layer.

What is it?

It is a simple golang proxy. It does basic auth, logs the requests, and serves as a Prometheus reverse proxy.

Actually, Prometheus does not check the auth of any request. By itself, it does not provide any multi-tenant mechanism. So, if you have untrusted tenants, you have to ensure a tenant uses its labels and does not use any other tenants' value.


To use this project, place the proxy in front of your Prometheus server instance, configure the auth proxy configuration and run it.

Run it

$ prometheus-multi-tenant-proxy run --prometheus-endpoint http://localhost:9090 --port 9091 --auth-config ./my-auth-config.yaml


  • --port: Port used to expose this proxy.
  • --prometheus-endpoint: URL of your Prometheus instance.
  • --auth-config: Authentication configuration file path.

Configure the proxy

The auth configuration is straightforward. Just create a YAML file my-auth-config.yaml with the following structure:

// Authn Contains a list of users
type Authn struct {
	Users []User `yaml:"users"`

// User Identifies a user including the tenant
type User struct {
	Username  string `yaml:"username"`
	Password  string `yaml:"password"`
	Namespace string `yaml:"namespace"`

An example is available at configs/multiple.user.yaml file:

  - username: User-a
    password: pass-a
    namespace: tenant-a
  - username: User-b
    password: pass-b
    namespace: tenant-b

A tenant can contain multiple users. But a user is tied to a simple tenant.

Build it

If you want to build it from this repository, follow the instructions bellow:

$ docker run -it --entrypoint /bin/bash --rm golang:1.15.8-buster
root@6985c5523ed0:/go# git clone
Cloning into 'prometheus-multi-tenant-proxy'...
remote: Enumerating objects: 96, done.
remote: Counting objects: 100% (96/96), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 96 (delta 31), reused 87 (delta 22), pack-reused 0
Unpacking objects: 100% (96/96), done.
root@6985c5523ed0:/go# cd prometheus-multi-tenant-proxy/cmd/prometheus-multi-tenant-proxy/
root@6985c5523ed0:/go# go build
go: downloading v2.3.0
go: downloading v0.3.0
go: downloading v1.8.2-0.20210811141203-dcb07e8eac34
go: downloading v2.4.0
go: downloading v0.0.0-20210201224146-3d78f4d30648
go: downloading v0.19.28
go: downloading v0.20.1
go: downloading v0.9.1
go: downloading v0.22.2
go: downloading v2.0.0
go: downloading v2.1.1
go: downloading v0.30.0
go: downloading v0.0.0-20200907205600-7a23bdc65eef
go: downloading v0.20.0
go: downloading v1.4.1
go: downloading v1.3.1
go: downloading v1.5.1
go: downloading v1.2.0
go: downloading v0.19.15
go: downloading v0.20.2
go: downloading v2.0.1
go: downloading v0.1.0
go: downloading v0.20.0
go: downloading v0.20.2
go: downloading v0.20.3
go: downloading v0.7.6
go: downloading v1.0.0
go: downloading v0.5.0
go: downloading v1.9.0
go: downloading v0.19.5
go: downloading v1.8.0
go: downloading v1.0.0
go: downloading v0.0.0-20210630005230-0f9fa26af87c
go: downloading v0.19.5
go: downloading v1.1.1
go: downloading v0.0.0-20170810143723-de5bf2ad4578
go: downloading v0.0.0-20210726213435-c6fcb2dbf985
go: downloading v0.3.6
root@6985c5523ed0:/go# ./prometheus-multi-tenant-proxy
   Prometheus multi-tenant proxy - Makes your Prometheus server multi tenant

   prometheus-multi-tenant-proxy [global options] command [command options] [arguments...]


   Angel Barrera <>
   Pau Rosello <>

   run      Runs the Prometheus multi-tenant proxy
   help, h  Shows a list of commands or help for one command

   --help, -h     show help (default: false)
   --version, -v  print the version (default: false)

Build the container image

If you want to build a container image with this proxy, run:

$ docker build -t prometheus-multi-tenant-proxy:local -f build/package/Dockerfile .

After built, just run it:

$ docker run --rm prometheus-multi-tenant-proxy:local

Using this project at work or in production?

See for what companies are doing with this project today.


The scripts and documentation in this project are released under the GNU GPLv3