Bash Scripting ElasticSearch and Kibana Passwords

I have a bash script that automates the installation and configuration of Elastic, Kibana, Logstash, and filebeat.

I am currently trying to secure my Kibana. I have enabled xpack in my elastic.yml: xpack.security.enabled: true.

And have included bin/elasticsearch-setup-passwords auto to the script, but this would still require the user to manually copy the password into the kibana.yml file. Is there any way to specifically set what I want my password to be in the script and just put whatever I have set in my kibana.yml file so everything is still automated?

you can use bin/elasticsearch-keystore instead
more on the documentation here:
elasticsearch-keystore

Frist thing would be to start using elasticsearch-reset-password, the elasticsearch-setup-passwords is deprecated in version 8, the new tool is elasticsearch-reset-password.

Then you would need to run it in the interactive mode and try to combine it with the expect tool in your bash script, this way you may be able to provide a custom password.

It would be best to not use a username and password in Kibana, but use a service account, there is also a CLI tool. to create the service account.

But still you have to copy passwords from output and put them into keystore.

Thanks, I will consider the service account. Can I decide to create a user in my script by having a line such as:

bin/elasticsearch-users useradd jacknich -p theshining -r admin

If I make this user an admin, Would they be able to access the Kibana dashboard without any restrictions? Also, would I still need to add the below lines in kibana.yml?

elastic.username: jacknich
elastic.password: theshining

Those lines are for system user that connects Kibana to Elasticsearch.
If you would like to create a new admin user you do not have to change those values.

Here's another idea. when you run manually the elasticsearch-keystore or the reset password it will generate an encrypted keystore file stored in your system, maybe you can store them in a vault together with the encryption key so when you deploy them automatically you also deploy the keystore and the encryption key.