diff --git a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/kustomization.yaml b/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/kustomization.yaml
index 6c20c21c..9c48d5f7 100644
--- a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/kustomization.yaml
+++ b/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/kustomization.yaml
@@ -2,6 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./secret.yaml
- - ./vmuser.yaml
- - ./vmauth.yaml
+ - ./write.yaml
+ - ./read.yaml
diff --git a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/read.yaml b/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/read.yaml
new file mode 100644
index 00000000..a9e1544b
--- /dev/null
+++ b/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/read.yaml
@@ -0,0 +1,42 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: vmetrics-read-token
+ namespace: monitoring-dev
+spec:
+ itemPath: "vaults/Kubernetes/items/vmetrics_read_token"
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+ name: read
+ namespace: monitoring-dev
+ labels:
+ vm-user: "read"
+spec:
+ tokenRef:
+ name: vmetrics-read-token
+ key: token
+ targetRefs:
+ - crd:
+ kind: VMSingle
+ name: vmetrics-dev
+ namespace: monitoring-dev
+ paths: ["/targets/api/v1","/targets","/metrics"]
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMAuth
+metadata:
+ name: vmetrics-read-ingress
+ namespace: monitoring-dev
+spec:
+ userSelector:
+ matchLabels:
+ vm-user: "read"
+ ingress:
+ tlsSecretName: vmetrics-read-tls
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ class_name: nginx
+ tlsHosts:
+ - read.monitoring.dev.immich.cloud
diff --git a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/secret.yaml b/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/secret.yaml
deleted file mode 100644
index 3751a4f2..00000000
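Review bot: The `paths` list on the `read` VMUser contains `/targets/api/v1`, which reads like a transposition of the Prometheus-style `/api/v1/targets`, and it grants no `/api/v1/query*` route at all, so a holder of this token gets scrape-target status and VMSingle's own `/metrics` page but cannot run queries — confirm that is the intended scope rather than a typo. If query access is wanted, list the read endpoints explicitly (`/api/v1/query`, `/api/v1/query_range`, `/api/v1/series`, `/api/v1/labels`) rather than a catch-all `/api/v1/.*`, because on a VMSingle that prefix also covers `/api/v1/import.*` and `/api/v1/admin/tsdb/delete_series`, which would turn the "read" token into a write/delete credential. A one-line comment above `paths:` recording the decision would help, e.g. `# read-only scope: target status and self-metrics only; query/import/admin endpoints deliberately excluded`.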
--- a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/secret.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
- name: cf-workers-metrics-token
- namespace: monitoring-dev
-spec:
- itemPath: "vaults/Kubernetes/items/vmetrics_write_token"
diff --git a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/vmauth.yaml b/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/vmauth.yaml
deleted file mode 100644
index b0a5a445..00000000
--- a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/vmauth.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: operator.victoriametrics.com/v1beta1
-kind: VMAuth
-metadata:
- name: cf-workers-metrics-ingress
- namespace: monitoring-dev
-spec:
- userSelector: {}
- userNamespaceSelector: {}
- selectAllByDefault: true
- ingress:
- tlsSecretName: cf-workers-metrics-tls
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production
- class_name: nginx
- tlsHosts:
- - cf-workers.monitoring.dev.immich.cloud
diff --git a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/vmuser.yaml b/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/vmuser.yaml
deleted file mode 100644
index 07f3138a..00000000
--- a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/vmuser.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: operator.victoriametrics.com/v1beta1
-kind: VMUser
-metadata:
- name: cf-workers
- namespace: monitoring-dev
-spec:
- tokenRef:
- name: cf-workers-metrics-token
- key: token
- targetRefs:
- - crd:
- kind: VMSingle
- name: vmetrics-dev
- namespace: monitoring-dev
- paths: ["/write"]
diff --git a/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/write.yaml b/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/write.yaml
new file mode 100644
index 00000000..34fa3231
--- /dev/null
+++ b/kubernetes/apps/monitoring-dev/victoria-metrics/ingress/write.yaml
@@ -0,0 +1,43 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: vmetrics-write-token
+ namespace: monitoring-dev
+spec:
+ itemPath: "vaults/Kubernetes/items/vmetrics_write_token"
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+ name: write
+ namespace: monitoring-dev
+ labels:
+ vm-user: "write"
+spec:
+ tokenRef:
+ name: vmetrics-write-token
+ key: token
+ targetRefs:
+ - crd:
+ kind: VMSingle
+ name: vmetrics-dev
+ namespace: monitoring-dev
+ paths: ["/write"]
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMAuth
+metadata:
+ name: vmetrics-write-ingress
+ namespace: monitoring-dev
+spec:
+ userSelector:
+ matchLabels:
+ vm-user: "write"
+ ingress:
+ tlsSecretName: vmetrics-write-tls
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ class_name: nginx
+ tlsHosts:
+ - write.monitoring.dev.immich.cloud
+ - cf-workers.monitoring.dev.immich.cloud
diff --git a/kubernetes/apps/monitoring/victoria-metrics/ingress/kustomization.yaml b/kubernetes/apps/monitoring/victoria-metrics/ingress/kustomization.yaml
index 6c20c21c..9c48d5f7 100644
--- a/kubernetes/apps/monitoring/victoria-metrics/ingress/kustomization.yaml
+++ b/kubernetes/apps/monitoring/victoria-metrics/ingress/kustomization.yaml
@@ -2,6 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./secret.yaml
- - ./vmuser.yaml
- - ./vmauth.yaml
+ - ./write.yaml
+ - ./read.yaml
diff --git a/kubernetes/apps/monitoring/victoria-metrics/ingress/read.yaml b/kubernetes/apps/monitoring/victoria-metrics/ingress/read.yaml
new file mode 100644
index 00000000..51b447a1
--- /dev/null
+++ b/kubernetes/apps/monitoring/victoria-metrics/ingress/read.yaml
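Review bot: The `userSelector` on `vmetrics-write-ingress` now routes any VMUser in `monitoring-dev` labelled `vm-user: "write"`, so the trust boundary of the public write endpoint becomes "whoever can create VMUser objects in that namespace"; this is a clear tightening over the deleted `selectAllByDefault: true` with empty selectors, but it is only as strong as the RBAC on VMUsers, which is not visible in this diff. Worth recording that on the selector, e.g. `# every VMUser carrying this label in this namespace is exposed on the public write host; keep VMUser create/update RBAC tight`. Also, deleting the old `cf-workers-metrics-ingress` VMAuth does not delete the cert-manager-issued `cf-workers-metrics-tls` Secret unless cert-manager runs with certificate owner references enabled, so that private key should be removed by hand once the `cf-workers.` hostname is served from `vmetrics-write-tls`.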
@@ -0,0 +1,42 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: vmetrics-read-token
+ namespace: monitoring
+spec:
+ itemPath: "vaults/Kubernetes/items/vmetrics_read_token"
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+ name: read
+ namespace: monitoring
+ labels:
+ vm-user: "read"
+spec:
+ tokenRef:
+ name: vmetrics-read-token
+ key: token
+ targetRefs:
+ - crd:
+ kind: VMSingle
+ name: vmetrics
+ namespace: monitoring
+ paths: ["/targets/api/v1","/targets","/metrics"]
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMAuth
+metadata:
+ name: vmetrics-read-ingress
+ namespace: monitoring
+spec:
+ userSelector:
+ matchLabels:
+ vm-user: "read"
+ ingress:
+ tlsSecretName: vmetrics-read-tls
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ class_name: nginx
+ tlsHosts:
+ - read.monitoring.immich.cloud
diff --git a/kubernetes/apps/monitoring/victoria-metrics/ingress/secret.yaml b/kubernetes/apps/monitoring/victoria-metrics/ingress/secret.yaml
deleted file mode 100644
index f1e14865..00000000
--- a/kubernetes/apps/monitoring/victoria-metrics/ingress/secret.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
- name: cf-workers-metrics-token
- namespace: monitoring
-spec:
- itemPath: "vaults/Kubernetes/items/vmetrics_write_token"
diff --git a/kubernetes/apps/monitoring/victoria-metrics/ingress/vmauth.yaml b/kubernetes/apps/monitoring/victoria-metrics/ingress/vmauth.yaml
deleted file mode 100644
index 91982bb2..00000000
--- a/kubernetes/apps/monitoring/victoria-metrics/ingress/vmauth.yaml
+++ /dev/null
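Review bot: This `read` VMUser resolves its `tokenRef` from `vaults/Kubernetes/items/vmetrics_read_token`, the same 1Password item the `monitoring-dev` copy of this file references earlier in the diff, so the dev and prod read endpoints accept one and the same bearer token and a leak on the dev side reads production; the Terraform hunk further down appears to feed a single `random_password` into every vault, which reinforces that coupling. Use a separate item per environment, e.g. `itemPath: "vaults/Kubernetes/items/vmetrics_read_token_prod"` here with a matching `onepassword_item`, so the two credentials can be rotated and revoked independently.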
@@ -1,16 +0,0 @@
-apiVersion: operator.victoriametrics.com/v1beta1
-kind: VMAuth
-metadata:
- name: cf-workers-metrics-ingress
- namespace: monitoring
-spec:
- userSelector: {}
- userNamespaceSelector: {}
- selectAllByDefault: true
- ingress:
- tlsSecretName: cf-workers-metrics-tls
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production
- class_name: nginx
- tlsHosts:
- - cf-workers.monitoring.immich.cloud
diff --git a/kubernetes/apps/monitoring/victoria-metrics/ingress/vmuser.yaml b/kubernetes/apps/monitoring/victoria-metrics/ingress/vmuser.yaml
deleted file mode 100644
index e3109ae2..00000000
--- a/kubernetes/apps/monitoring/victoria-metrics/ingress/vmuser.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: operator.victoriametrics.com/v1beta1
-kind: VMUser
-metadata:
- name: cf-workers
- namespace: monitoring
-spec:
- tokenRef:
- name: cf-workers-metrics-token
- key: token
- targetRefs:
- - crd:
- kind: VMSingle
- name: vmetrics
- namespace: monitoring
- paths: ["/write"]
diff --git a/kubernetes/apps/monitoring/victoria-metrics/ingress/write.yaml b/kubernetes/apps/monitoring/victoria-metrics/ingress/write.yaml
new file mode 100644
index 00000000..5efa3abf
--- /dev/null
+++ b/kubernetes/apps/monitoring/victoria-metrics/ingress/write.yaml
@@ -0,0 +1,43 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: vmetrics-write-token
+ namespace: monitoring
+spec:
+ itemPath: "vaults/Kubernetes/items/vmetrics_write_token"
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMUser
+metadata:
+ name: write
+ namespace: monitoring
+ labels:
+ vm-user: "write"
+spec:
+ tokenRef:
+ name: vmetrics-write-token
+ key: token
+ targetRefs:
+ - crd:
+ kind: VMSingle
+ name: vmetrics
+ namespace: monitoring
+ paths: ["/write"]
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMAuth
+metadata:
+ name: vmetrics-write-ingress
+ namespace: monitoring
+spec:
+ userSelector:
+ matchLabels:
+ vm-user: "write"
+ ingress:
+ tlsSecretName: vmetrics-write-tls
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ class_name: nginx
+ tlsHosts:
+ - write.monitoring.immich.cloud
+ - cf-workers.monitoring.immich.cloud
diff --git a/tf/deployment/modules/1password/account/k8s-secrets.tf b/tf/deployment/modules/1password/account/k8s-secrets.tf
index 5b2eb428..f64a70bd 100644
--- a/tf/deployment/modules/1password/account/k8s-secrets.tf
+++ b/tf/deployment/modules/1password/account/k8s-secrets.tf
@@ -89,6 +89,28 @@ resource "onepassword_item" "vmetrics_write_token" {
 }
 }
+resource "random_password" "vmetrics_read_token" {
+ length = 40
+ special = false
+}
+
+resource "onepassword_item" "vmetrics_read_token" {
+ for_each = { for vault in [data.onepassword_vault.kubernetes, data.onepassword_vault.tf_dev, data.onepassword_vault.tf_prod] : vault.name => vault }
+ vault = each.value.uuid
+ title = "vmetrics_read_token"
+ category = "secure_note"
+
+ section {
+ label = "Victoria Metrics read token"
+
+ field {
+ label = "token"
+ type = "CONCEALED"
+ value = random_password.vmetrics_read_token.result
+ }
+ }
+}
+
+resource "random_password" "bot_github_webhook_slug" {
+ length = 40
+ special = false
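Review bot: The production `write` VMUser is authenticated by a single long-lived static bearer token with no source restriction, so anything that obtains it can push arbitrary series to the `/write` path of the production VMSingle; since `cf-workers.monitoring.immich.cloud` is kept as a second `tlsHosts` entry, presumably for Cloudflare Workers senders, consider pinning the sender with the VMUser `ip_filters` allow list if the operator version in use supports it. At minimum, document the consumer and rotation path next to `tokenRef`, e.g. `# consumed by the Cloudflare Workers metrics pusher; rotate via the 1Password item vmetrics_write_token (Terraform-managed)`. The `vmetrics_write_token` item itself appears to be defined in the Terraform module just above the last hunk, outside what is shown here.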