Allow OpenTelemetry to connect Anonymous to Elastic APM in fleet

Kibana version:

8.5.2

Elasticsearch version:

8.5.2

APM Server version:

/

APM Agent language and version:

Open-Telemetry

Browser version:

/

Original install method (e.g. download page, yum, deb, from source, etc.) and version:

download page

Fresh install or upgraded from other version?

fresh

Is there anything special in your setup? For example, are you using the Logstash or Kafka outputs? Are you using a load balancer in front of the APM Servers? Have you changed index pattern, generated custom templates, changed agent configuration etc.

/

Description of the problem including expected versus actual behavior. Please include screenshots (if relevant):

I'm doing a fresh install of Elastic / Kibana and APM

APM is changed to "Elastic APM in Fleet"

The Agents (OpenTelemetry) are configured to connect anonymous to the APM server (this can’t be changed) but somehow I can't figure out where to enable anonymous access.

I did find:

But not the location of the setting, policy, .... that enables this.

Can anyone point me where this needs to be configured?

Welcome to the forum, @Aile!

You will need to edit the APM integration policy in Fleet: Quick start | APM User Guide [8.5] | Elastic

In the integration policy editor you will find a "Agent authorization" section where you can enable anonymous access and configured the allowed agents:

Allowed agents is a list of agent names. For OpenTelemetry, this will be <telemetry.sdk.name>/<telemetry.sdk.language>. e.g. opentelemetry/python

The Agents (OpenTelemetry) are configured to connect anonymous to the APM server (this can’t be changed) but somehow I can't figure out where to enable anonymous access.

Just checking: do you mean that it can't be changed in your particular application? In case you're unaware, it is possible to configure OpenTelemetry SDKs to auth by specifying the required HTTP Authorization header. For an example, see OpenTelemetry integration | APM User Guide [8.5] | Elastic

1 Like

Thanks for the reply.
Is there by accident a list that states all the possible agent names?
(in my case I need opentelemetry for .net, so I suppose it should be something like "opentelemetry/.net" or "opentelemetry/net")

The main issue is that it are existing apps (which I don't have access to), so setting up the security settings is at the moment not possible.

No, but there's a list of valid telemetry.sdk.language values here: opentelemetry-specification/README.md at main · open-telemetry/opentelemetry-specification · GitHub. So for .NET it'll be opentelemetry/dotnet.

The main issue is that it are existing apps (which I don't have access to), so setting up the security settings is at the moment not possible.

OK. The other option is to disable auth altogether, by disabling API Key auth and clearing out the secret token.

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.