Configure authentication credentials | APM Server Reference [6.4]

A newer version is available. For the latest information, see the current release documentation.

›

« Configure APM Server to use X-Pack security Grant users access to APM Server indices »

Configure authentication credentialsedit

When sending data to a secured cluster through the elasticsearch output, APM Server must either provide basic authentication credentials or present a client certificate.

To configure authentication credentials for APM Server:

Create a writer role that has the following privileges:
- Cluster: manage_index_templates and monitor
- Index: write and create_index on the APM Server indices
You can create roles from the Management / Roles UI in Kibana or through the role API. For example, the following request creates a role named apm_writer:
```
POST _xpack/security/role/apm_writer
{
  "cluster": ["manage_index_templates","monitor"],
  "indices": [
    {
      "names": [ "apm-*" ], 
      "privileges": ["write","create_index"]
    }
  ]
}
```
If you use a custom APM Server index pattern, specify that pattern instead of the default apm-* pattern.
Assign the writer role to the user that APM Server will use to connect to Elasticsearch. If you plan to load the pre-built Kibana dashboards, also assign the kibana_user role.
1. To authenticate as a native user, create a user for APM Server to use internally and assign it the writer role, plus any other roles that are needed.
  
  You can create users from the Management / Users UI in Kibana or through the user API. For example, following request creates a user named apm_internal that has the apm_writer and kibana_user roles:
```
POST /_xpack/security/user/apm_internal
{
  "password" : "YOUR_PASSWORD",
  "roles" : [ "apm_writer","kibana_user"],
  "full_name" : "Internal APM Server User"
}
```
  Copy as curl Try in Elastic
2. To use PKI authentication, assign the writer role, plus any other roles that are needed, in the role_mapping.yml configuration file. Specify the user by the distinguished name that appears in its certificate:
```
apm_writer:
  - "cn=Internal APM Server User,ou=example,o=com"
kibana_user:
  - "cn=Internal APM Server User,ou=example,o=com"
```
  For more information, see Using Role Mapping Files.
In the APM Server configuration file, specify authentication credentials for the elasticsearch output:
1. To use basic authentication, configure the username and password settings. For example, the following APM Server output configuration uses the native apm_internal user to connect to Elasticsearch:
```
output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "apm_internal" 
  password: "YOUR_PASSWORD" 
```
  You created this user earlier.
  
  The example shows a hard-coded password, but you should store sensitive values in the secrets keystore.
2. To use PKI authentication, configure the certificate and key settings:
```
output.elasticsearch:
  hosts: ["localhost:9200"]
  ssl.certificate: "/etc/pki/client/cert.pem" 
  ssl.key: "/etc/pki/client/cert.key"
```
  The distinguished name (DN) in the certificate must be mapped to the apm_writer and kibana_user roles in the role_mapping.yml configuration file on each node in the Elasticsearch cluster.

« Configure APM Server to use X-Pack security Grant users access to APM Server indices »

Was this helpful?

Feedback

The Search AI Company

ELK Stack

Elastic Cloud

Generative AI

Search

Security

Observability

By solution

Industries

Customer spotlight

Research

Build

Learn

Connect

Configure authentication credentialsedit

Follow us

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards