Dec 1st, 2023: [EN] Securing Elasticsearch with HashiCorp Vault

Elastic Community and Ecosystem Advent Calendar
1

image
image1202×630 139 KB

Are you utilizing both Elasticsearch and HashiCorp in your environment and seeking ways to connect the two? This concise article unveils the steps to effectively employ HashiCorp Vault for automated credential generation and revocation on Elasticsearch.

The guide from HashiCorp provides instructions for setting up an Elasticsearch secret engine, primarily focused on Elasticsearch version 7.1.1, which used an additional security feature called x-pack. This guide suggests installing a plugin using elasticsearch-cli for that version. However, it's important to note that in newer versions like 8>, the need for installing this plugin has been eliminated because x-pack is no longer available separately. For instance, in Elasticsearch version 8.10, x-pack is integrated or replaced with native functionalities, eliminating the requirement for separate plugin installations. HashiCorp has recognized this change, and there's an ongoing issue open with them to update the guide to reflect these changes for the latest versions of Elasticsearch. These instructions was performed on Elasticsearch version 8.10.0.

Demo

Watch a quick demo by accessing this link.

Requirements

  1. Create an account on Elastic Cloud (>8.+)
  2. Install and unseal vault in our Kubernetes/VMs (see guide)

Implementation

  1. Enable vault database secret engine

vault secrets enable -path=elasticsearch database

  1. Configure a Vault role that will be used by the elasticsearch secret engine
vault write elasticsearch/roles/internally-defined-role \
      db_name=my-elasticsearch-database \
      creation_statements='{"elasticsearch_role_definition": {"indices": [{"names":["*"], "privileges":["read"]}]}}' \
      default_ttl="1h" \
      max_ttl="24h"
  1. Configure the elasticsearch secret database to connect to your ES deployment
vault write elasticsearch/config/my-elasticsearch-database \
    plugin_name="elasticsearch-database-plugin" \
    allowed_roles="internally-defined-role" \
    username=vault \
    password=myPa55word \
    url=<ES-URL>
  1. Generate a new credentials on Elasticsearch by running:

vault read elasticsearch/creds/my-role

This will generate user credentials on Elasticsearch using the role/permissions that was defined on step #2. The credentials will be automatically revoked once the ttl expires.

Easy, right? :slight_smile:

1 Like
2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.