prom-authzed-proxy is a proxy for Prometheus that authorizes the request's Bearer Token with Authzed or SpiceDB and enforces a label in a PromQL query.

SpiceDB is a database system for managing security-critical permissions checking.

SpiceDB acts as a centralized service that stores authorization data. Once stored, data can be performantly queried to answer questions such as "Does this user have access to this resource?" and "What are all the resources this user has access to?".

Authzed operates the globally available, serverless database platform for SpiceDB.

See CONTRIBUTING.md for instructions on how to contribute and perform common tasks like building the project and running tests.

If you're using a modern version of Go, run the following command to install:

go install github.com/authzed/prom-authzed-proxy/cmd/prom-authzed-proxy

If you want a container of the proxy and have docker installed:

docker pull authzed/prom-authzed-proxy:latest

The following command will run the proxy that checks the permissions against authzed.com and a Prometheus running on localhost:

prom-authzed-proxy \
    --proxy-upstream-prometheus-addr http://localhost:9090 \
    --proxy-spicedb-token tc_client_token_1234deadbeef  \
    --proxy-check-resource-type metric \
    --proxy-check-resource-id-query-param install \
    --proxy-check-permission view
    --proxy-check-subject-type token \

Each request is checked to have a value as a Bearer Token that has the view permission for the resource specified in the PromQL label install with their respective types.

If the permission check fails, the proxy will return an HTTP 403.

• Prometheus - industry standard time series database
• SpiceDB - industry standard permissions database
• prom-label-proxy - proxy that enforces labels in PromQL
• kube-rbac-proxy - proxy that authorizes requests with Kubernetes cluster RBAC, sometimes used with prom-label-proxy