Elastic Cloud Keystore

In Elastic Cloud I have configured a keystore setting named ES_PWD; it's a single string containing a value of elastic:myelasticpassword.

I tried to use this in my Beat configuration, cloud.auth: ${ES_PWD}, but when I test the output config it fails, e.g. winlogbeat.exe test output results in talk to server... ERROR 401 Unauthorized:

Am I doing something wrong?

The keystore is just an alternative way of storing sensitive parameters that used to live in the YAML, with all the same restrictions.

It doesn't provide any generic key-value storage capabilities (and even if it did, it wouldn't provide them to external services like Beats).

I believe you have to store the cloud login details somewhere accessible to Beats. It might be worth asking in the Beats forum for best practices if you're worried about leaving creds lying around in plaintext.

Hi, I have created a Beats-based keystore:

PS C:\Program Files\winlogbeat> .\winlogbeat.exe keystore add ES_PWD --force
Created keystore
Enter value for ES_PWD:
Successfully updated the keystore

winlogbeat.yml:

#==== Elastic Hosted Cloud
keystore.path: "${path.config}/winlogbeat.keystore"
cloud.id: xxx
cloud.auth: "elastic:${ES_PWD}"

This fails with:

2019-08-09T13:13:54.673+1000 ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(https://xxx.ap-southeast-2.aws.found.io:443)): 401 Unauthorized: {"error":{"root_cause": [{"type":"security_exception","reason":"action [cluster:monitor/main] requires authentication","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}}],"type":"security_exception","reason":"action [cluster:monitor/main] requires authentication","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\" charset=\"UTF-8\""]}},"status":401}

Any ideas?

I've moved this to Beats, since the folks that inhabit the cloud forum aren't necessarily experts in the ins and outs of Beats config (e.g. I just learned about the Beats keystore from this post; now I'm going to go start using it everywhere).

You could try setting cloud.id to be from the keystore as well. That way, since the logs would contain the value, you could confirm whether it's hitting the keystore at all.

(I assume you've tried with cloud.auth pasted directly in and confirmed that works?)


Hi, thank you. Yes, when I use the password in the config file it works as expected.

I'm delaying sharing the config with my team until I can hide the password, though, so this is holding me back a bit.

I'll try putting cloud.id into the keystore also, which will make my config look like this, and let you know how this goes.

winlogbeat.yml:

cloud.id: "${CLOUD_ID}"
cloud.auth: "elastic:${ES_PWD}"

@Alex_Piggott you are onto a winner here.

I made two changes. Firstly, as you suggested, I created a keystore value for CLOUD_ID, tested that with the clear-text elastic user password, and it worked.

Secondly, I included the whole elastic:password in the ES_PWD keystore as well, and now that also works!

Epic, thank you.

My final working config is:

cloud.id: "${CLOUD_ID}"
cloud.auth: "${ES_PWD}"
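The thread's three configs differ only in how the ${ES_PWD} reference composes with the literal "elastic:" prefix in cloud.auth. The following is an added illustration, not Beats code or anything posted in the thread: a small emulation of Beats-style ${VAR} substitution (with the ${VAR:default} form) run against a constructed in-memory stand-in for the keystore. The keystore contents, the CLOUD_ID placeholder and the function names are assumptions for the demonstration. It shows why a keystore value that already carries the user name, combined with a config that prefixes the user name again, yields a credential that is syntactically valid but wrong, which the server reports as 401 rather than as a configuration error; and why either storing the password alone behind "elastic:${ES_PWD}" or storing the whole user:password behind "${ES_PWD}" resolves to the same correct string.

```python
import re
from typing import Dict, Tuple

# Constructed stand-in for the Beats keystore. The real keystore is an encrypted
# file on disk; this dict only models name -> secret lookups for the example.
SAMPLE_KEYSTORE: Dict[str, str] = {
    "ES_PWD_FULL": "elastic:myelasticpassword",  # whole user:password, as in the final config
    "ES_PWD_ONLY": "myelasticpassword",          # password only, for use behind "elastic:${...}"
    "CLOUD_ID": "PLACEHOLDER_CLOUD_ID",          # constructed placeholder, not a real cloud.id
}

# ${NAME} or ${NAME:default}; NAME follows the usual identifier rules.
_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")


def resolve(value: str, keystore: Dict[str, str]) -> str:
    """Substitute every ${NAME} in a config string with its keystore value.

    A missing name falls back to the ${NAME:default} default if one was given
    and otherwise raises, so an unresolved secret never silently becomes "".
    """
    def substitute(match: "re.Match[str]") -> str:
        name, default = match.group(1), match.group(2)
        if name in keystore:
            return keystore[name]
        if default is not None:
            return default
        raise KeyError(f"unresolved keystore variable: {name}")
    return _VAR.sub(substitute, value)


def resolve_config(config: Dict[str, str], keystore: Dict[str, str]) -> Dict[str, str]:
    """Resolve every string value of a flat YAML-like config mapping."""
    return {key: resolve(val, keystore) for key, val in config.items()}


def split_basic_auth(auth: str) -> Tuple[str, str]:
    """Split a user:password credential the way HTTP Basic auth does: at the FIRST colon.

    Anything after that first colon is the password, so a doubled prefix such as
    "elastic:elastic:secret" is still a well-formed credential, just a wrong one.
    """
    user, _, password = auth.partition(":")
    return user, password


def double_prefixed(auth: str) -> bool:
    """Heuristic check (an assumption of this example, not a Beats feature):
    flag a credential whose password part starts with "<user>:", the
    signature of prefixing the user name in YAML and in the keystore value."""
    user, password = split_basic_auth(auth)
    return bool(user) and password.startswith(user + ":")


if __name__ == "__main__":
    variants = {
        "password only behind elastic:": {"cloud.id": "${CLOUD_ID}", "cloud.auth": "elastic:${ES_PWD_ONLY}"},
        "whole credential in keystore": {"cloud.id": "${CLOUD_ID}", "cloud.auth": "${ES_PWD_FULL}"},
        "user name given twice": {"cloud.id": "${CLOUD_ID}", "cloud.auth": "elastic:${ES_PWD_FULL}"},
    }
    for label, cfg in variants.items():
        resolved = resolve_config(cfg, SAMPLE_KEYSTORE)
        user, password = split_basic_auth(resolved["cloud.auth"])
        warn = "  <-- user name repeated, server will answer 401" if double_prefixed(resolved["cloud.auth"]) else ""
        print(f"{label:32s} user={user!r} password={password!r}{warn}")
```

Running the block prints one line per variant; the first two resolve to the same user and password, while the third carries "elastic:myelasticpassword" as the password. In a real deployment the resolved cloud.auth should never be printed or logged this way; the print is there only to make the composition visible on constructed data.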