« Configure anonymous authentication Configure APM agent central configuration »
Elastic Docs Elastic Observability [8.19] Application and service monitoring Application performance monitoring (APM) Configure APM Server

APM agent authorization

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

APM agent authorization

edit

supported deployment methods

Most options in this section are supported by all APM Server deployment methods.

Agent authorization APM Server configuration options.

Example config file:

apm-server:
  host: "localhost:8200"
  rum:
    enabled: true

output:
  elasticsearch:
    hosts: ElasticsearchAddress:9200

max_procs: 4
API key authentication options
edit

These settings apply to API key communication between the APM Server and APM Agents.

These settings are different from the API key settings used for Elasticsearch output and monitoring.

API key for agent authenticationedit

Enable API key authorization by setting enabled to true. By default, enabled is set to false, and API key support is disabled. (bool)

APM Server binary

auth.api_key.enabled

Fleet-managed

API key for agent authentication

Not using Elastic APM agents? When enabled, third-party APM agents must include a valid API key in the following format: Authorization: ApiKey <token>. The key must be the base64 encoded representation of the API key’s id:name.

API key limitedit

Each unique API key triggers one request to Elasticsearch. This setting restricts the number of unique API keys are allowed per minute. The minimum value for this setting should be the number of API keys configured in your monitored services. The default limit is 100. (int)

APM Server binary

auth.api_key.limit

Fleet-managed

Number of keys
Secret tokenedit

Authorization token for sending APM data. The same token must also be set in each APM agent. This token is not used for RUM endpoints. (text)

APM Server binary

auth.api_key.token

Fleet-managed

Secret token
auth.api_key.elasticsearch.* configuration options
edit

supported deployment methods

The below options are only supported by the APM Server binary.

All of the auth.api_key.elasticsearch.* configurations are optional. If none are set, configuration settings from the apm-server.output section will be reused.

elasticsearch.hostsedit

API keys are fetched from Elasticsearch. This configuration needs to point to a secured Elasticsearch cluster that is able to serve API key requests.

elasticsearch.protocoledit

The name of the protocol Elasticsearch is reachable on. The options are: http or https. The default is http. If nothing is configured, configuration settings from the output section will be reused.

elasticsearch.pathedit

An optional HTTP path prefix that is prepended to the HTTP API calls. If nothing is configured, configuration settings from the output section will be reused.

elasticsearch.proxy_urledit

The URL of the proxy to use when connecting to the Elasticsearch servers. The value may be either a complete URL or a "host[:port]", in which case the "http"scheme is assumed. If nothing is configured, configuration settings from the output section will be reused.

elasticsearch.timeoutedit

The HTTP request timeout in seconds for the Elasticsearch request. If nothing is configured, configuration settings from the output section will be reused.

auth.api_key.elasticsearch.ssl.* configuration options
edit

SSL is off by default. Set elasticsearch.protocol to https if you want to enable https.

elasticsearch.ssl.enablededit

Enable custom SSL settings. Set to false to ignore custom SSL settings for secure communication.

elasticsearch.ssl.verification_modeedit

Configure SSL verification mode. If none is configured, all server hosts and certificates will be accepted. In this mode, SSL based connections are susceptible to man-in-the-middle attacks. Use only for testing. Default is full.

elasticsearch.ssl.supported_protocolsedit

List of supported/valid TLS versions. By default, all TLS versions from 1.0 to 1.2 are enabled.

elasticsearch.ssl.certificate_authoritiesedit

List of root certificates for HTTPS server verifications.

elasticsearch.ssl.certificateedit

The path to the certificate for SSL client authentication.

elasticsearch.ssl.keyedit

The client certificate key used for client authentication. This option is required if certificate is specified.

elasticsearch.ssl.key_passphraseedit

An optional passphrase used to decrypt an encrypted key stored in the configured key file.

elasticsearch.ssl.cipher_suitesedit

The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended).

elasticsearch.ssl.curve_typesedit

The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).

elasticsearch.ssl.renegotiationedit

Configure what types of renegotiation are supported. Valid options are never, once, and freely. Default is never.

  • never - Disables renegotiation.
  • once - Allows a remote server to request renegotiation once per connection.
  • freely - Allows a remote server to repeatedly request renegotiation.
« Configure anonymous authentication Configure APM agent central configuration »