lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Prometheus

Prometheus Authorsmonitoring5 credentials

Credentials5 documented
01

Unauthenticated Web UI / HTTP API Access

prometheus / unauthenticated-default

Prometheus web UI and HTTP API historically do not require built-in authentication unless web configuration, TLS/basic auth, or a reverse proxy is configured. Metrics and query endpoints can be accessible without credentials.

no authsecretusername/password

Unauthenticated access

open default
no authentication required
username
none
password
none

Location

public interface
Prometheus web UI and HTTP API, commonly :9090

query, targets, service discovery, status, and admin endpoints when exposed without web auth/reverse proxy auth

config file
web.yml, prometheus startup flags, reverse proxy config

web config and reverse proxy settings determine whether browser/API users must authenticate

logs

Prometheus startup logs showing web listener and loaded web config

Notes

This represents no web/API login requirement, not a password. Impact depends on bind address, --web.enable-admin-api, reverse proxy configuration, firewalling, and whether web.yml basic auth/TLS is configured.

02

Scrape Basic Auth / Bearer Token

prometheus / scrape-basic-auth-and-bearer-token

Prometheus scrape configs support basic_auth, authorization credentials, bearer tokens, OAuth2, and service account token files for targets. These values often grant access to metrics endpoints or upstream APIs.

user definedgenerated on installsecretsecret value

Location

http header
Authorization

Basic or Bearer token sent to scrape targets, remote write endpoints, or APIs

config file
prometheus.yml, file_sd configs

scrape_configs basic_auth, authorization, bearer_token, bearer_token_file, and oauth2 settings

environment
PROMETHEUS_TOKEN, PROMETHEUS_PASSWORD
secret store

Kubernetes Secrets, mounted service account tokens, Vault, and CI/CD variables

source code

Helm values, Jsonnet, Kustomize, and monitoring repos

logs

Prometheus startup logs, config reload errors, and HTTP client debug traces

03

Remote Write / Alertmanager Credential

prometheus / remote-write-secret

Prometheus and Alertmanager integrations can contain credentials for remote_write, remote_read, Alertmanager, notification receivers, and long-term storage backends.

user definedsecretsecret value

Location

config file
prometheus.yml, alertmanager.yml

remote_write, remote_read, alertmanager, webhook, SMTP, Slack, PagerDuty, and storage credentials

secret store

Kubernetes Secrets, cloud secret managers, and monitoring vaults

source code

Helm values and monitoring configuration repositories

logs

remote write errors, notification logs, and config validation output

04

Prometheus Web UI Basic Auth / TLS Secret

prometheus / web-ui-basic-auth

Prometheus web endpoints can be protected with web config basic auth, TLS private keys, and reverse-proxy credentials.

user definedgenerated on installsecretusername/password

Location

public interface
Prometheus web UI, HTTP API, Alertmanager UI/API, and reverse proxies
config file
web.yml

basic_auth_users, TLS cert/key paths, and web server auth settings

secret store

Kubernetes Secrets, htpasswd stores, and certificate vaults

logs

web server access logs and authentication failures

05

Kubernetes Service Account Token

prometheus / kubernetes-service-account-token

Prometheus in Kubernetes often uses service account bearer tokens to discover and scrape pods, nodes, kubelets, and apiserver metrics.

generated on installsecrettoken

Looks like

pattern
pattern

JWT-style Kubernetes service account token used by Prometheus

eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+

Location

config file
/var/run/secrets/kubernetes.io/serviceaccount/token

mounted service account token file referenced by Prometheus configs

secret store

Kubernetes service account token secrets and projected volumes

logs

scrape/debug logs if bearer tokens are printed

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.