How to overcome Gmail notification security for third-party Apps?

This blog will be to allow sending Gmail notification through third-party apps. Currently, in a gsuite email id, the 2 Factor Authentication blocks unauthorized and less secure app access. eg. when we need to send notifications for alerts using Prometheus. We will see two ways to overcome it.

Gmail Notification Method 1: Less Secure App Access

If you visit https://myaccount.google.com/lesssecureapps you will see it is turned OFF or disabled.

You need to enable or Turn ON the access to allow Prometheus to send notifications.

However, this method is less secure and temporary. As we cannot allow less secure apps to access our email. And now Gmail is removing this in accounts enabled with 2 Factor authentication.

So will use the second method

Gmail Notification Method 2: App Passwords

This method creates passwords for applications where you do not want to use your passwords as a chance of losing it someone who has access to the device where the application runs. Open this link: https://myaccount.google.com/apppasswords

As this says “App passwords let you sign in to your Google Account from apps on devices that don’t support 2-Step Verification.” So we will use this method.

1. Select Custom name or Other
2. Type a name for the app. eg. email-alert
3. Your new password is generated in 16-digit alphanumeric characters.
4. Now you can see when it was created and when used
5. once use is over you can delete it

How to Use

As read before, one use is in Prometheus, where we need to send email notifications. Now, simply add the email id as the username and the password generated as the password. Use this YAML as a reference:

receivers:
- name: 'email'
  emailConfigs:
  - sendResolved: true
    to: 'vaibhav.kumar@knoldus.com'
    from: 'vaibhav.kumar@knoldus.com'
    smarthost: 'smtp.gmail.com:587'
    authUsername: 'vaibhav.kumar@knoldus.com'
    authIdentity: 'vaibhav.kumar@knoldus.com'
    authPassword:
      name: gmail-auth
      key: password

Here, a secret fills details of authPassword. The following YAML creates this secret.

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: gmail-auth
  namespace: monitoring
data:
  password: anJrZ3Z6anBpYnB5YWhrZg==
  # base64 encoded password
  # echo -n 'password' | base64

Reference

1. https://docs.openshift.com/container-platform/4.11/rest_api/monitoring_apis/alertmanagerconfig-monitoring-coreos-com-v1beta1.html