Alertmanager secrets #5359

OfficerKoo · 2023-06-26T15:43:25Z

OfficerKoo
Jun 26, 2023

How are we supposed to deploy Alertmanager secrets(OpsGenie API keys for example), if they are stored in plaintext in config file.
Vanilla Alertmanager allows you to store secrets in a file, but this is disabled in Mimir Alertmanager API, and there is no other way to upload tenant configurations.

Is there some best practise to do this?
I really don't want to add some templating engine to a pipeline, or inject header with reverse proxy.

DEBU[0001] checking response                             status="400 Bad Request"
ERRO[0001] response                                      body="error validating Alertmanager config: setting smtp_auth_password_file, password_file, bearer_token_file, auth_password_file or credentials_file is not allowed\n" status="400 Bad Request"
mimirtool: error: POST request to https://mimir.internal.infra.loveos.io/api/v1/alerts failed: server returned HTTP status: 400 Bad Request, body: "error validating Alertmanager config: setting smtp_auth_password_file, password_file, bearer_token_file, auth_password_file or credentials_file is not allowed\n", try --help

dimitarvdimitrov · 2023-06-27T16:34:16Z

dimitarvdimitrov
Jun 27, 2023
Maintainer

You can use environment variables inside the configuration.

"Injecting credentials" shows how to do it for the Helm chart.

And "Use environment variables in the configuration" is a general paragraph about how environment variables in the config work.

8 replies

lblazewski Apr 15, 2024

Hey, I would like to bump this since I have stumbled upon this issue recently. I think this is a serious limitation and secrets support should be added to the alertmanager config parsing.

lukasmrtvy Apr 17, 2024

@lblazewski there's no issue created afaik, maybe this would be a good start

taobojlen Jun 3, 2024

I created a feature request here: #8259

mac133k Apr 3, 2025

I would really like to have the feature in mimirtool to expand env vars placed in tenant's alertmanager config. If the config is under revision control the settings that are env-specific or are sensitive data could be filled using env var when mimirtool is dispatched as a K8s job to load alertmanager configuration for a specific tenant in a specific staging env to Mimir Alertmaanger. Currently this is only possible using external tools or scripts that need to wrap around mimirtool or run in an init container.

marshallford Aug 21, 2025

Has anyone solved this or found a workaround?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Alertmanager secrets #5359

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 8 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Alertmanager secrets #5359

Uh oh!

OfficerKoo Jun 26, 2023

Replies: 1 comment · 8 replies

Uh oh!

dimitarvdimitrov Jun 27, 2023 Maintainer

Uh oh!

lblazewski Apr 15, 2024

Uh oh!

lukasmrtvy Apr 17, 2024

Uh oh!

taobojlen Jun 3, 2024

Uh oh!

mac133k Apr 3, 2025

Uh oh!

marshallford Aug 21, 2025

OfficerKoo
Jun 26, 2023

Replies: 1 comment 8 replies

dimitarvdimitrov
Jun 27, 2023
Maintainer