diff --git a/CHANGELOG.md b/CHANGELOG.md
index b2078830b008..ee828be6d67f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ## Main
 
-* [5107](https://github.com/grafana/loki/pull5107) **chaudum** Fix bug in fluentd plugin that caused log lines containing non UTF-8 characters to be dropped.
+* [5144](https://github.com/grafana/loki/pull/5144) **dannykopping** Ruler: fix remote write basic auth credentials.
+* [5107](https://github.com/grafana/loki/pull/5107) **chaudum** Fix bug in fluentd plugin that caused log lines containing non UTF-8 characters to be dropped.
 * [5091](https://github.com/grafana/loki/pull/5091) **owen-d**: Changes `ingester.concurrent-flushes` default to 32
 * [4879](https://github.com/grafana/loki/pull/4879) **cyriltovena**: LogQL: add __line__ function to | line_format template.
 * [5081](https://github.com/grafana/loki/pull/5081) **SasSwart**: Add the option to configure memory ballast for Loki
diff --git a/pkg/ruler/config.go b/pkg/ruler/config.go
index 29e9456972c6..a615f1c4113a 100644
--- a/pkg/ruler/config.go
+++ b/pkg/ruler/config.go
@@ -73,6 +73,10 @@ func (c *RemoteWriteConfig) Clone() (*RemoteWriteConfig, error) {
 		return nil, err
 	}
 
+	// BasicAuth.Password has a type of Secret (github.com/prometheus/common/config/config.go),
+	// so when its value is marshaled it is obfuscated as "<secret>".
+	// Here we copy the original password into the cloned config.
+	n.Client.HTTPClientConfig.BasicAuth.Password = c.Client.HTTPClientConfig.BasicAuth.Password
 	return n, nil
 }
 
diff --git a/pkg/ruler/registry_test.go b/pkg/ruler/registry_test.go
index 1244638c9f92..96f4807b5e01 100644
--- a/pkg/ruler/registry_test.go
+++ b/pkg/ruler/registry_test.go
@@ -191,7 +191,7 @@ func TestTenantRemoteWriteHTTPConfigMaintained(t *testing.T) {
 
 	// HTTP client config is not currently overrideable, all tenants' configs should inherit base
 	assert.Equal(t, tenantCfg.RemoteWrite[0].HTTPClientConfig.BasicAuth.Username, "foo")
-	assert.Equal(t, tenantCfg.RemoteWrite[0].HTTPClientConfig.BasicAuth.Password, promConfig.Secret("<secret>"))
+	assert.Equal(t, tenantCfg.RemoteWrite[0].HTTPClientConfig.BasicAuth.Password, promConfig.Secret("bar"))
 }
 
 func TestTenantRemoteWriteHeaderOverride(t *testing.T) {