APM agent remote configuration access forbidden / unauthorized

Hi, I am working with Elastic APM on my project and saw an error in the logs when running with the APM Java agent:

2022-02-08 17:21:33,546 [elastic-apm-remote-config-poller] ERROR co.elastic.apm.agent.configuration.ApmServerConfigurationSource - Remote configuration is not available. Check the connection between APM Server and Kibana.

I used the kibana_system user for APM Server to communicate with Kibana, as specified in my docker-compose.yml configuration below. I used the kibana_system user because it has the read and view_index_metadata privileges on the apm-* indices, as described here.

Can somebody help me to fix this?

Is there something wrong with my Elastic stack configuration on my docker-compose.yml?

Kibana version: 7.17.0

Elasticsearch version: 7.17.0

APM Server version: 7.17.0

APM Agent language and version: Java agent version 1.28.4

Original install method (e.g. download page, yum, deb, from source, etc.) and version:
docker-compose.yml

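services:
  # Single-node Elasticsearch with the security features switched on.
  # NOTE(review): nothing in this service configures TLS for the HTTP layer
  # and every URL in this file is http://, so basic-auth credentials sent to
  # port 9200 travel in cleartext. Confirm that is acceptable here.
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    environment:
      - bootstrap.memory_lock=true
      - cluster.name=docker-cluster
      - cluster.routing.allocation.disk.threshold_enabled=false
      - discovery.type=single-node
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      # Authentication is required for API access; API keys are allowed.
      - xpack.security.enabled=true
      - xpack.security.authc.api_key.enabled=true
    ulimits:
      # Unlimited memlock so bootstrap.memory_lock=true can take effect.
      memlock:
        hard: -1
        soft: -1
    volumes:
      - es_data:/usr/share/elasticsearch/data
      # NOTE(review): a named volume over the config directory presumably
      # keeps elasticsearch.yml and the keystore across image upgrades, so
      # stale settings can outlive a version bump. Verify this is wanted.
      - es_config:/usr/share/elasticsearch/config
    ports:
      # Publishes 9200 as host port 8080 on every host interface. Bind to a
      # specific address (for example "127.0.0.1:8080:9200") if only local
      # tools need it; apm-server and kibana reach it over the `elastic`
      # network and do not need the published port.
      # Quoted so the mapping is always read as a string.
      - "8080:9200"
    networks:
      - elastic
    healthcheck:
      interval: 20s
      retries: 10
      # NOTE(review): the probe sends no credentials. With security enabled
      # the reply is presumably an authentication error body rather than
      # the health document; that body has no "status":"red" text, so
      # grep -vq succeeds. The check then only proves that the HTTP port
      # answers. Authenticate the probe if red-status detection matters.
      test: curl -s http://localhost:9200/_cluster/health | grep -vq '"status":"red"'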

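  # Kibana, started only after Elasticsearch reports healthy.
  kibana:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    depends_on:
      elasticsearch:
        condition: service_healthy
    environment:
      # NOTE(review): elasticsearch.url was superseded by
      # elasticsearch.hosts before 7.x, so this entry is likely ignored.
      # Confirm and drop it.
      ELASTICSEARCH_URL: http://elasticsearch:9200
      ELASTICSEARCH_HOSTS: http://elasticsearch:9200
      # Public base URL is plain http; sessions and credentials entered in
      # the browser are not protected in transit unless TLS is terminated
      # in front of this port.
      SERVER_PUBLICBASEURL: http://34.101.103.104:2511
      # Account Kibana itself uses for its connection to Elasticsearch.
      ELASTICSEARCH_USERNAME: ${KIBANA_SYSTEM_USERNAME}
      ELASTICSEARCH_PASSWORD: ${KIBANA_SYSTEM_PASSWORD}
    ports:
      # Quoted so the mapping is always read as a string.
      - "2511:5601"
    networks:
      - elastic
    healthcheck:
      interval: 10s
      retries: 20
      # `$$` defers expansion to the shell inside the container, which
      # reads the same values from the environment set above. This keeps a
      # second copy of the password out of the healthcheck definition and
      # the quotes stop shell-special characters in it from being
      # re-interpreted. The folded scalar below is a single command line.
      test: >-
        curl --write-out 'HTTP %{http_code}' --fail --silent
        --output /dev/null
        -u "$$ELASTICSEARCH_USERNAME:$$ELASTICSEARCH_PASSWORD"
        http://localhost:5601/api/status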

  # APM Server: listens on 8200 for agents and, because apm-server.kibana.*
  # is set, calls Kibana on their behalf to fetch agent configuration (the
  # Kibana log on this page shows that call to
  # /api/apm/settings/agent-configuration/search).
  apm-server:
    image: docker.elastic.co/apm/apm-server:${VERSION}
    depends_on:
      elasticsearch:
        condition: service_healthy
      kibana:
        condition: service_healthy
    # All capabilities are dropped; only the four listed are added back.
    cap_add: [ "CHOWN", "DAC_OVERRIDE", "SETGID", "SETUID" ]
    cap_drop: [ "ALL" ]
    ports:
      # NOTE(review): 8200 is published as host port 2512 and no TLS option
      # appears in the command below, so the secret token sent by agents
      # presumably crosses the network in cleartext. Confirm, and enable
      # TLS or front the port with a TLS-terminating proxy.
      - 2512:8200
    networks:
      - elastic
    # Review notes for the -E flags (kept here because a comment inside the
    # folded scalar would become part of the command):
    #  * apm-server.kibana.username/password reuse the kibana_system
    #    account, which Kibana uses for its own Elasticsearch connection.
    #    The Kibana log on this page shows the request authenticating and
    #    then being refused by api-authorization with 403, i.e. the account
    #    lacks the Kibana privilege for that API. Use a dedicated user
    #    whose role grants the APM feature in Kibana rather than a built-in
    #    system account; index privileges on apm-* apparently do not
    #    satisfy this check.
    #  * output.elasticsearch.username is ${ELASTIC_USERNAME}. If that is
    #    the built-in superuser, prefer a dedicated user with only the
    #    privileges APM Server needs to write its data. TODO confirm.
    #  * The two passwords and the secret token are interpolated into the
    #    command line, so they are presumably visible in the container
    #    definition and the process list. Consider the APM Server keystore
    #    or a mounted configuration file instead.
    #  * apm-server.rum.enabled=true opens the browser (RUM) intake, which
    #    is presumably not covered by the secret token. Confirm that this
    #    exposure on a published port is intended.
    command: >
      apm-server -e
        -E apm-server.rum.enabled=true
        -E setup.kibana.host=kibana:5601
        -E setup.template.settings.index.number_of_replicas=0
        -E apm-server.kibana.enabled=true
        -E apm-server.kibana.host=kibana:5601
        -E apm-server.kibana.username=${KIBANA_SYSTEM_USERNAME}
        -E apm-server.kibana.password=${KIBANA_SYSTEM_PASSWORD}
        -E apm-server.auth.secret_token=${SECRET_TOKEN}
        -E output.elasticsearch.hosts=["elasticsearch:9200"]
        -E output.elasticsearch.username=${ELASTIC_USERNAME}
        -E output.elasticsearch.password=${ELASTIC_PASSWORD}
    healthcheck:
      interval: 10s
      retries: 12
      # Succeeds when the root endpoint answers without an HTTP error
      # (curl --fail); no credentials are sent.
      test: curl --write-out 'HTTP %{http_code}' --fail --silent --output /dev/null http://localhost:8200/

# Named volumes mounted by the elasticsearch service for its data and
# config directories.
volumes:
  es_data:
    driver: local
  # NOTE(review): this volume is mounted over the Elasticsearch config
  # directory, so whatever credentials or keystore live there persist with
  # it. Treat the volume and any backup of it as secret material.
  es_config:
    driver: local

# Bridge network joined by all three services; they address each other by
# service name (elasticsearch:9200, kibana:5601) over plain http.
networks:
  elastic:
    driver: bridge

Provide logs and/or server output (if relevant):
APM Server logs:

{"log.level":"error","@timestamp":"2022-02-08T10:21:33.524Z","log.logger":"request","log.origin":{"file.name":"middleware/log_middleware.go","file.line":60},"message":"service unavailable","service.name":"apm-server","url.original":"/config/v1/agents","http.request.method":"POST","user_agent.original":"apm-agent-java/1.28.4 (esdc-backend)","source.address":"103.105.35.64","http.request.body.bytes":465,"http.request.id":"113b2009-0e91-4666-9eba-8cbc8bbbdbb4","event.duration":64074195,"http.response.status_code":503,"error.message":"{\"statusCode\":403,\"error\":\"Forbidden\",\"message\":\"Forbidden\"}","ecs.version":"1.6.0"}

Kibana logs:

{"type":"log","@timestamp":"2022-02-08T10:21:33+00:00","tags":["warning","plugins","security","api-authorization"],"pid":7,"message":"User not authorized for \"/api/apm/settings/agent-configuration/search\": responding with 403"}
{"type":"response","@timestamp":"2022-02-08T10:21:33+00:00","tags":["access:apm"],"pid":7,"method":"post","statusCode":403,"req":{"url":"/api/apm/settings/agent-configuration/search","method":"post","headers":{"host":"kibana:5601","user-agent":"Elastic-apm-server/7.17.0 (linux; amd64; a1459eb3f24e7c054794a82f6c19b66975098866; 2022-01-28 08:52:26 +0000 UTC)","content-length":"68","accept":"application/json","content-type":"application/json","kbn-xsrf":"1","accept-encoding":"gzip"},"remoteAddress":"172.26.0.4","userAgent":"Elastic-apm-server/7.17.0 (linux; amd64; a1459eb3f24e7c054794a82f6c19b66975098866; 2022-01-28 08:52:26 +0000 UTC)"},"res":{"statusCode":403,"responseTime":62,"contentLength":60},"message":"POST /api/apm/settings/agent-configuration/search 403 62ms - 60.0B"}
