How to use keystore for basic auth password for the input watch


(Doug Nelson) #1

Looking for an example of showing how to set the basic auth password using a keystore when using an http input for the watcher. Looking for an example watch http input that uses a keystore to avoid having the user password in the watch in plain text.

(Alexander Reelsen) #2


you cannot use the keystore for this currently. You can however ensure that the password is not stored in plaintext in elasticsearch by using the xpack.watcher.encrypt_sensitive_data: true setting, See the docs here

hope this helps!


(Doug Nelson) #3

So the passwords are still in plain text in the watch script and this will prevent the password from being displayed in the watcher history if I am reading this correctly.

(Alexander Reelsen) #4

No. The password is sent in plaintext to the Put Watch API, but before the watch is stored in the .watches index it is encrypted using the system key (and decrypted when needed, i.e. during execution).

We did a couple of changes, which will be available with the 6.3.0 release, to ensure that no credentials are leaked in the watcher history (remove authorization headers for example).

(Doug Nelson) #5

Thanks for the clarification Alex. Since many people are putting watches in source control, there is a need to be able to not have the password in the watch in plain text. Glad to see the credentials will no longer be leaked into the watcher history. Would really be nice if keystores were supported as this would be a good way to solve this.

(Alexander Reelsen) #6

That is an absolute valid requirement. Do you mind opening an issue in (thanks to the x-pack merge we can now manage those kind of things in the ES repo).

(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.