API Secret key token

In the Elastic apm-server and agent configuration, what is a secret_token for the Java agent? Is it an API key from Elasticsearch? Will it be a security issue if we have the API key as part of the Java code?

@apm_user

Secure communication with APM Agents | APM Server Reference [7.11] | Elastic describes the two methods of auth supported by APM Server: Secret Token and API Key. They are different.

With the secret token method you specify a secret token (can be anything, e.g. randomly generated) in the APM Server configuration, and also in the APM Agent. The server simply checks that each request received from the agent has a secret token matching what is configured in the server.

Will it be a security issue if we have the API key as part of the Java code?

That depends on who has access to the code -- both the source code, and the compiled JAR. Typically it's best to configure the agent using a property file or environment variable instead. How you do that securely depends on your method of deployment.

Generally speaking, storing credentials within source code is considered to be a bad practice, as anyone that has access to your application binaries will be able to extract them (with Java it's pretty trivial to decompile binaries).

Also, it's quite likely that you will have to update those credentials at some point, and doing that would require re-compiling, packaging and deploying your application. That would be made much easier if they were stored in environment variables, since only an application restart would be required.

Also, I encourage you to read the (rather opinionated) "12 factor app", which is quite popular in the Ruby ecosystem, especially the part about configuration: The Twelve-Factor App
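The two points made in the replies above (the server checks every agent request for a matching secret token, and the token should come from the environment rather than from source code) as an added Go example. This is illustration code written for this thread, not APM Server's own implementation. It assumes the agent sends the token as an `Authorization: Bearer` header and reads it from the `ELASTIC_APM_SECRET_TOKEN` environment variable, which are the header and variable name from the agent documentation rather than from this page; the intake path and the token value are constructed for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// loadSecretToken reads the shared secret from the environment instead of a
// source-code constant, following the advice in the replies. The variable name
// is the one the Java agent uses for its secret_token setting (an assumption
// taken from the agent docs, not from this thread).
func loadSecretToken() (string, error) {
	tok := os.Getenv("ELASTIC_APM_SECRET_TOKEN")
	if tok == "" {
		return "", fmt.Errorf("ELASTIC_APM_SECRET_TOKEN is not set")
	}
	return tok, nil
}

// tokenMatches compares the presented token with the configured one in constant
// time, so response timing does not reveal how many leading bytes matched.
func tokenMatches(presented, configured string) bool {
	if configured == "" {
		return false // an unset server-side token must never accept everything
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(configured)) == 1
}

// bearerToken extracts the token from an "Authorization: Bearer <token>" header.
func bearerToken(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	const prefix = "Bearer "
	if !strings.HasPrefix(h, prefix) {
		return "", false
	}
	return strings.TrimSpace(h[len(prefix):]), true
}

// requireSecretToken wraps an intake handler with the check described above:
// every request must carry a token equal to the one configured on the server.
func requireSecretToken(configured string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := bearerToken(r)
		if !ok || !tokenMatches(tok, configured) {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// intakeStatus sends one request with the given Authorization header value to
// the wrapped handler and returns the resulting HTTP status code.
func intakeStatus(configured, authHeader string) int {
	h := requireSecretToken(configured, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusAccepted)
	}))
	req := httptest.NewRequest(http.MethodPost, "/intake/v2/events", nil) // path is a constructed example
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed token for the demonstration only; a real deployment would
	// obtain it via loadSecretToken() or a property file, never from source.
	const demoToken = "example-secret-token"
	fmt.Println("correct token:", intakeStatus(demoToken, "Bearer "+demoToken))
	fmt.Println("wrong token:  ", intakeStatus(demoToken, "Bearer not-the-token"))
	fmt.Println("no header:    ", intakeStatus(demoToken, ""))
}
```

Because `tokenMatches` refuses to match when the server-side token is empty, a misconfigured server that lost its token fails closed rather than accepting every agent; the constant-time comparison is the usual precaution for any shared-secret check.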
