I have a Telegraf (v1.32.3) configuration with which I connect to my PostgreSQL.
If I store the password there in plain text, the connection works:
connection="host=HOST port=PORT user=USER password=PASSWORD sslmode=disable dbname=DB"
But as soon as I try to get the password from an environment variable:
connection="host=HOST port=PORT user=USER password=${PASSWORD} sslmode=disable dbname=DB"
or a file:
connection="host=HOST port=PORT user=USER password=@/run/secrets/password sslmode=disable dbname=DB"
I can no longer connect.
However, the environment variable itself contains the password. Also the file.
What am I doing wrong?
I have to say that I start PostgreSQL (more precisely TimescaleDB) and Telegraf in a container with Podman.
Hello @draekster,
Can you please share your telegraf config?
You'll want to do something like:
```toml
[[secretstores.files]]
id = "mystore"
directory = "/run/secrets"
[[inputs.postgresql]]
address = "host=HOST port=PORT user=USER password=@{mystore:password} sslmode=disable dbname=DB"
```
This blog could be useful:
I can finally answer 
The activation took a really long time…
With your information I have now adjusted my configuration. It looks like this:
```toml
[agent]
debug = true
interval = "10s"
hostname = "nase_telegraf"
[[secretstores.docker]]
id = "timescaledb_admin"
[[outputs.postgresql]]
connection="host=IP port=PORT user=USER password=@{timescaledb_admin:timescaledb_admin} sslmode=disable dbname=DB"
```
If I use `secretstores.files` I get this error:
E! loading config file /etc/telegraf/telegraf.conf failed: error parsing files, undefined but requested secretstores: files
With `secretstores.docker` it works. But I don’t use Docker. I use Podman. Why does this work and will it work in the future? Why doesn’t `secretstores.files` work?
Hello @draekster,
You can only use the following:
As of v1.27, Telegraf has a few Secret Store plugins to choose from:
- Docker
  - When running Docker, this plugin can read Docker provided secrets.
  - These are values stored in `/run/secrets` on the container.
- HTTP
  - Query secrets from an HTTP endpoint.
  - The format of the data is expected to be a flat JSON object.
  - Supports a variety of encryption methods and authentication.
- JOSE
  - Local encrypted files using the JavaScript Object Signing and Encryption algorithm.
  - Users can use the `telegraf secrets set` to create secrets.
- OS
  - Interact with OS-specific secret stores.
  - Linux uses kernel keyrings.
  - macOS works with the macOS Keychain.
  - Windows interacts with the Windows Credential Manager control panel.
You can submit a feature request on the Telegraf repo on GitHub though
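A preflight check for the failures discussed in this thread, as an added example that is not from the original posts or from the Telegraf project: it flags a `[[secretstores.*]]` type outside the four listed above, and `@{store:key}` references that point at an undeclared store id or, for the docker store, at a key with no matching file in `/run/secrets`. The function name, the line-based parsing (not a full TOML parser) and the one-file-per-key layout of the secrets directory are assumptions of this sketch.

```python
import re
from pathlib import Path

# Secret store plugin types named in this thread (the v1.27 list).
KNOWN_TYPES = {"docker", "http", "jose", "os"}
TABLE_RE = re.compile(r'^\s*\[+\s*([\w.]+)\s*\]+')
ID_RE = re.compile(r'^\s*id\s*=\s*"([^"]+)"')
REF_RE = re.compile(r'@\{(\w+):([^}]+)\}')


def check_secret_refs(config_text, secrets_dir="/run/secrets"):
    """Return a list of problems with secret store usage in a Telegraf config."""
    problems = []
    stores = {}   # store id -> plugin type
    refs = []     # (line number, store id, key)
    current_type = None
    for num, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        table = TABLE_RE.match(line)
        if table:
            name = table.group(1)
            is_store = name.startswith("secretstores.")
            current_type = name.split(".", 1)[1] if is_store else None
            if current_type and current_type not in KNOWN_TYPES:
                problems.append(f"line {num}: unknown secret store type '{current_type}'")
            continue
        ident = ID_RE.match(line)
        if current_type and ident:
            stores[ident.group(1)] = current_type
        refs += [(num, s, k) for s, k in REF_RE.findall(line)]
    for num, store, key in refs:
        if store not in stores:
            problems.append(f"line {num}: '{store}' is not a declared secret store id")
        elif stores[store] == "docker" and not (Path(secrets_dir) / key).is_file():
            problems.append(f"line {num}: no secret file {secrets_dir}/{key}")
    return problems


if __name__ == "__main__":
    # Constructed sample modelled on the first suggested config in the thread.
    sample = (
        '[[secretstores.files]]\n'
        'id = "mystore"\n'
        '[[inputs.postgresql]]\n'
        'address = "host=HOST password=@{mystore:password} dbname=DB"\n'
    )
    print("\n".join(check_secret_refs(sample)))
```

Run inside the container, it reads the same `/run/secrets` directory that the docker store is described as reading, which is also where Podman mounts its secrets by default.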