How to Enable Basic Auth with ALB Ingress in Kubernetes (Step-by-Step Guide)

Introduction
You've succeeded. Your observability game is stronger than ever after you installed the powerful Kube-Prometheus-Stack in your EKS cluster. You have an abundance of metrics, dashboards, and alerts. However, as you look at your Prometheus user interface (UI), which is accessible online through an AWS Application Load Balancer (ALB), the unsettling realization that "Wait... anyone can see this" begins to creep in.
Data is being scraped from every part of your cluster by your Prometheus server. It contains, to put it mildly, sensitive operational metrics, service names, and configuration information. A security incident is just waiting to happen if this data is left exposed on the open internet.
"Easy," you say, "I'll just include Basic Authentication." As you open your Ingress YAML and prepare to make some annotations, you run into a wall.
The core problem: AWS ALB, for all its power, does not natively support Basic Authentication.
Unlike Nginx Ingress or Traefik, which handle Basic Auth with a few straightforward annotations, ALB delegates authentication to more sophisticated, enterprise-grade OIDC providers like AWS Cognito, Okta, or PingFederate. If all you need is a basic username-and-password "gate" to keep automated scanners and casual observers out, setting up OIDC, for all its power, is frequently overly complicated.
Are you stuck, then? Do you have to decide between exposing your metrics and completing a week-long OIDC integration project?
Absolutely not. We're engineers, and we solve problems with clever layers of abstraction. The solution is elegant: if the load balancer won't be our security guard, we'll hire one to stand right inside the front door.
If you're using the Kube-Prometheus-Stack Helm chart, you'll need a workaround to protect your metrics user interface so that it is not left public.
This guide will show you how to add an NGINX sidecar container to your Prometheus pod and enable basic auth for Prometheus ingress with ALB. Before sending traffic to Prometheus, this NGINX proxy will take care of authentication.
Why ALB Doesn’t Support Basic Auth
The AWS Application Load Balancer (ALB) is a Layer 7 (Application Layer) component, but it does not support Basic Auth natively. It is designed for SSL termination, routing, and WAF rather than for managing credentials.
Consequently, you must address the issue at the application layer if you wish to implement username-password protection on an endpoint behind the ALB; in our situation, this means utilizing NGINX.
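A sketch of the sidecar's NGINX configuration for the approach described above, added here as an example and not taken from the guide or the Helm chart. The listen port 8080, the htpasswd mount path and the health-check exemption are assumptions; 9090 is Prometheus's default port.

```nginx
# Added example: NGINX sidecar that gates Prometheus behind Basic Auth.
# Assumptions (not from the guide): sidecar listens on 8080, the htpasswd
# file is mounted from a Kubernetes Secret at /etc/nginx/auth/htpasswd,
# and Prometheus listens on its default port 9090 in the same pod.
events {}

http {
  server {
    listen 8080;

    # ALB target health checks cannot send credentials, so a fully gated
    # server would answer 401 and the target would be marked unhealthy.
    # Exempt only Prometheus's liveness endpoint, which returns no metrics.
    location = /-/healthy {
      auth_basic off;
      proxy_pass http://127.0.0.1:9090;
    }

    # Everything else (UI, API, federation) requires a valid user.
    location / {
      auth_basic           "Prometheus";
      auth_basic_user_file /etc/nginx/auth/htpasswd;

      # Containers in one pod share a network namespace, so the sidecar
      # reaches Prometheus over loopback.
      proxy_pass http://127.0.0.1:9090;
      proxy_set_header Host $host;

      # Do not forward the client's credentials to the backend.
      proxy_set_header Authorization "";
    }
  }
}
```

Point the Ingress backend at the sidecar port rather than at 9090, otherwise the ALB bypasses the gate. Keep the ALB listener on HTTPS, because Basic Auth credentials are only base64-encoded in the request header.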