Elasticsearch Cloud on Google - Security Accessing

Hi, first post and I'm not all that knowledgeable about this topic.

Can anyone tell me the best way to use my ElasticSearch Google Cloud instance in terms of security?

I have a mobile app that is being released as a PWA (mobile website). The mobile app didn't require the same level of security as the web. We could just put the credentials for the searches right into the code.

Now, the "code" shows up in the "view source" option in the browser, so our ElasticSearch password is clearly visible to anyone. This is obviously a disaster waiting to happen.

How do we set up a web site to make ElasticSearch queries using the credentials for our ElasticSearch instance, but NOT have it show up in the website code?

What are current best practices for this?



Disclaimer: not at all a security expert here.

I think it's not really a question related to elasticsearch but can be applicable to any database.
I'd say that normally you don't expose a database directly to the end user. You'd probably use a backend which communicates then with the database.

If you want to run that in the browser, it means to me that the browser needs to be aware of some credentials. Ideally in such a case you'd use something like an OAuth mechanism with token/secret pairs.

I believe this is something you can do with the platinum license as it can support other auth mechanism than the basic login/password. Such as Kerebos, Saml, ...

My 0.02 cents but I'd love that some of our security experts confirm or infirm this.

Thank you for taking the time to respond. Much appreciated.

What you wrote makes a lot of sense. We are looking at making Google Cloud Functions (since it's ElasticSearch in the Cloud. This way we communicate with the cloud function which then communicates with the ElasticSearch instance.

Is anyone doing it this way currently?

hi @Ocean12


Usually you use API call to access your data storage you don't access directly your elastic from the PWA. If you use jue.js, nuxt, react, angular or any other framework usually in all tutorial they use API call and never access directly datastorage and never put server credentials in clear text inside the code that you provide to the end user.
Usually you use an API gateway with authentication and your app request on this endpoint. If you don't already have one, here some resource:

We host on Amazon and we use the AWS Gateway API and one instance for the code.
I think google have some API gateway tools that can help you to build your backend.
Also about security and best practice usualy the API gateway include some security against DDOS attack, can autoscale, and request rate limit, etc...

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.