Configuring authentication credentials for APM Server
When sending data to a secured cluster through the elasticsearch
output, APM Server must either provide basic authentication credentials
or present a client certificate.
To configure authentication credentials for APM Server:
- Create a role that has the manage_index_templates and monitor cluster privileges, and read, write, and create_index privileges for the indices that APM Server creates. You can create roles from the Management / Roles UI in Kibana or through the role API. For example, the following request creates an apm_writer role:
- Assign the writer role to the user that APM Server will use to connect to Elasticsearch:
  - To authenticate as a native user, create a user for the APM Server to use internally and assign it the writer role. You can create users from the Management / Users UI in Kibana or through the user API. For example, the following request creates an apm_internal user that has the apm_writer role:

        POST /_xpack/security/user/apm_internal
        {
          "password" : "x-pack-test-password",
          "roles" : [ "apm_writer"],
          "full_name" : "Internal APM Server User"
        }

  - To authenticate using PKI authentication, assign the writer role to the internal APM Server user in the role_mapping.yml configuration file. Specify the user by the distinguished name that appears in its certificate.

        apm_writer:
          - "cn=Internal APM Server User,ou=example,o=com"

    For more information, see Using Role Mapping Files.
- Configure authentication credentials for the elasticsearch output in the APM Server configuration file:
  - To use basic authentication, configure the username and password settings. For example, the following APM Server output configuration uses the native apm_internal user to connect to Elasticsearch:

        output.elasticsearch:
          hosts: ["localhost:9200"]
          index: "apm"
          username: "apm_internal"
          password: "x-pack-test-password"

  - To use PKI authentication, configure the certificate and key settings:
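For the role described in the first step, the following added example (not part of the original documentation or Elastic's own code) builds a role body with exactly the privileges listed there and audits an existing role definition against that list. The index pattern apm-* and the function names are assumptions; privilege names are compared literally, so an umbrella privilege such as all is reported as excess.

```python
import json

# Privileges this page lists for the APM Server writer role.
REQUIRED_CLUSTER = {"manage_index_templates", "monitor"}
REQUIRED_INDEX = {"read", "write", "create_index"}
# Assumption: APM Server's indices match this pattern; adjust to your setup.
APM_INDEX_PATTERN = "apm-*"


def build_writer_role(pattern=APM_INDEX_PATTERN):
    """Return a role body holding exactly the privileges listed on the page."""
    return {
        "cluster": sorted(REQUIRED_CLUSTER),
        "indices": [{"names": [pattern], "privileges": sorted(REQUIRED_INDEX)}],
    }


def audit_role(role, pattern=APM_INDEX_PATTERN):
    """List where a role definition differs from the page's privilege set.

    Names are compared literally: "all" counts as excess, and the required
    names count as not explicitly granted.
    """
    findings = []
    cluster = set(role.get("cluster", []))
    for priv in sorted(REQUIRED_CLUSTER - cluster):
        findings.append(f"cluster privilege not explicitly granted: {priv}")
    for priv in sorted(cluster - REQUIRED_CLUSTER):
        findings.append(f"excess cluster privilege: {priv}")
    granted = set()
    for entry in role.get("indices", []):
        names = set(entry.get("names", []))
        privs = set(entry.get("privileges", []))
        if pattern in names:
            granted |= privs
        for name in sorted(names - {pattern}):
            findings.append(f"grants {sorted(privs)} on unexpected index pattern: {name}")
    for priv in sorted(REQUIRED_INDEX - granted):
        findings.append(f"not explicitly granted on {pattern}: {priv}")
    for priv in sorted(granted - REQUIRED_INDEX):
        findings.append(f"excess index privilege on {pattern}: {priv}")
    return findings


# Constructed sample: an over-broad role definition that the audit should flag.
SAMPLE_OVERBROAD = json.loads(
    '{"cluster": ["all"], "indices": [{"names": ["*"], "privileges": ["all"]}]}'
)

if __name__ == "__main__":
    print(json.dumps(build_writer_role(), indent=2))
    print("\n".join(audit_role(SAMPLE_OVERBROAD)))
```

An empty list from audit_role means the role matches the listed privileges exactly.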