Vault Monitoring with Prometheus ServiceMonitor

Hello folks!

I’m trying to scrape vault metrics via Prometheus ServiceMonitor , in order to allow the servicemonitor to authenticate with vault I generate a token and it’s been added to the ServiceMonitor as bearerTokenSecret , but looks Prometheus operator doesn’t work as expected with the bearer token as a secret, since it starts throwing HTTP 400 error when it tries to scrape the metrics.

As a fix for above, I used bearerTokenFile instead following below steps:

  1. create serviceaccount without the token.
  2. create a secret which has vault token.
  3. add the secret to the service account created in step 1

And after that I created the ServiceMonitor as below manifest, then I start getting 500 errors when promethues scraped the metrics and vault logs were dropping:

[ERROR] core: failed to lookup acl token: error=“failed to look up namespace from the token: no namespace”

apiVersion: v1
kind: ServiceAccount
  name: prometheus-vault
  namespace: vault
    release: prometheus
automountServiceAccountToken: false
- name: vault-prometheus-token


kind: ServiceMonitor
  name: vault-servicemonitor
  namespace: vault
    release: prometheus
    matchLabels: vault
    - interval: 20s
      path: /v1/sys/metrics
      port: http
        - prometheus
        insecureSkipVerify: true
      bearerTokenFile:  "/var/run/secrets/"


  1. vault version 10.1.2 - helm chart deployment.
  2. Promethues version is 2.35.0 - helm chart deployment.

I would truly appreciate your guidance.

You appear to be trying to send a Kubernetes service account token to Vault - this is not correct - Vault needs a Vault token that it has issued itself.

The easiest option is to just set unauthenticated_metrics_access in the Vault configuration, and turn off the requirement to authenticate for metrics.

If you won’t do that, you need to configure a vault agent container within your Prometheus pod, to maintain a bearer token.

Actually, my serviceaccount token uses a k8s secret which has a vault token

I tried unauthenticated_metrics_access but getting 403 :frowning:

automountServiceAccountToken: false
- name: vault-prometheus-token

I do not understand what you are trying to say.

You must not have successfully configured unauthenticated_metrics_access then.

I restarted my vault cluster and things works!

Thanks for your help much appreciated.