Using gMSA account to create API key for Elasticsearch ingestion

Earlier we used a service account to log into Kibana and create an API key for log ingestion or reading events.

Now we are moving to a gMSA (Group Managed Service Account) which is passwordless and cannot log in interactively.

How can we create and use an API key for ingestion when services run under a gMSA account?

Is there a recommended approach for this in Elasticsearch/Kibana?

A gMSA account cannot log in interactively, but it can still authenticate to Elasticsearch if the service runs under that identity.
The recommended approach is to create the API key once using a privileged account or automation, then securely store it (for example in a secrets manager or service configuration).
The service running under the gMSA can then use that API key for ingestion, since API keys are independent of interactive login and only require the correct permissions defined at creation time.
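
The flow described in the answer, as an added example that is not part of the original thread: a privileged operator calls Elasticsearch's create API key endpoint once with a write-only role descriptor, and the gMSA-run service only ever sees the resulting `Authorization` header value. The function names, the `ingest_only` descriptor name, the 90-day expiry and the `monitor` cluster privilege are assumptions for illustration.

```python
import base64
import json
import urllib.request


def build_api_key_request(name, index_patterns, expiration="90d"):
    """Body for POST /_security/api_key, limited to write-only ingestion."""
    if not index_patterns or any(p.strip() in ("", "*") for p in index_patterns):
        raise ValueError("name the ingestion indices explicitly, not '*'")
    return {
        "name": name,
        "expiration": expiration,  # assumed 90d: forces rotation, no permanent key
        "role_descriptors": {
            "ingest_only": {  # hypothetical descriptor name
                "cluster": ["monitor"],  # assumption: the shipper checks cluster info
                "indices": [{
                    "names": list(index_patterns),
                    # create_doc appends documents only: no read, update or delete
                    "privileges": ["create_doc", "auto_configure"],
                }],
            }
        },
    }


def create_api_key(es_url, admin_user, admin_password, body):
    """Run once by a privileged operator or automation, not by the gMSA service."""
    basic = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        es_url.rstrip("/") + "/_security/api_key",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + basic},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # contains id, name, api_key (shown only once)


def authorization_header(create_response):
    """Value the service sends on every request: 'ApiKey ' + base64(id:api_key)."""
    token = base64.b64encode(
        f"{create_response['id']}:{create_response['api_key']}".encode()
    ).decode()
    encoded = create_response.get("encoded")
    if encoded is not None and encoded != token:
        raise ValueError("response 'encoded' does not match id:api_key")
    return "ApiKey " + token
```

Store the header value in a secret store that the gMSA identity can read, and create a replacement key before the expiry passes.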