Are you utilizing both Elasticsearch and HashiCorp in your environment and seeking ways to connect the two? This concise article unveils the steps to effectively employ HashiCorp Vault for automated credential generation and revocation on Elasticsearch.
The guide from HashiCorp provides instructions for setting up an Elasticsearch secret engine, primarily focused on Elasticsearch version 7.1.1, which used an additional security feature called x-pack. This guide suggests installing a plugin using elasticsearch-cli for that version. However, it's important to note that in newer versions like 8>, the need for installing this plugin has been eliminated because x-pack is no longer available separately. For instance, in Elasticsearch version 8.10, x-pack is integrated or replaced with native functionalities, eliminating the requirement for separate plugin installations. HashiCorp has recognized this change, and there's an ongoing issue open with them to update the guide to reflect these changes for the latest versions of Elasticsearch. These instructions was performed on Elasticsearch version 8.10.0.
Demo
Watch a quick demo by accessing this link.
Requirements
- Create an account on Elastic Cloud (>8.+)
- Install and unseal vault in our Kubernetes/VMs (see guide)
Implementation
- Enable vault database secret engine
vault secrets enable -path=elasticsearch database
- Configure a Vault role that will be used by the elasticsearch secret engine
vault write elasticsearch/roles/internally-defined-role \
db_name=my-elasticsearch-database \
creation_statements='{"elasticsearch_role_definition": {"indices": [{"names":["*"], "privileges":["read"]}]}}' \
default_ttl="1h" \
max_ttl="24h"
- Configure the elasticsearch secret database to connect to your ES deployment
vault write elasticsearch/config/my-elasticsearch-database \
plugin_name="elasticsearch-database-plugin" \
allowed_roles="internally-defined-role" \
username=vault \
password=myPa55word \
url=<ES-URL>
- Generate a new credentials on Elasticsearch by running:
vault read elasticsearch/creds/my-role
This will generate user credentials on Elasticsearch using the role/permissions that was defined on step #2. The credentials will be automatically revoked once the ttl expires.
Easy, right?