Fleet Server Secrets
Fleet Server configuration can contain secret values. You may specify these values directly in the configuration or through secret files. You can use command line arguments to pass the values or file paths when you are running under Elastic Agent, or you can use environment variables if Elastic Agent is running in a container.
For examples of how to deploy secret files, refer to our Secret files guide.
Stand-alone Fleet Server is under active development.
Secret values
The following secret values may be used when configuring Fleet Server.
Note that the configuration fragments shown below are specified either in the UI as part of the output specification or as part of the Fleet Server integration settings.
- service_token
The service_token is used to communicate with Elasticsearch. It may be specified in the configuration directly as:
output.elasticsearch.service_token: my-service-token
Or by a file with:
output.elasticsearch.service_token_path: /path/to/token-file
When you are running Fleet Server under Elastic Agent, you can specify it with either the --fleet-server-service-token or the --fleet-server-service-token-path flag. See Elastic Agent command reference for more details.
If you are running Fleet Server under Elastic Agent in a container, you can use the environment variables FLEET_SERVER_SERVICE_TOKEN or FLEET_SERVER_SERVICE_TOKEN_PATH.
- TLS private key
Use the TLS private key to encrypt communications between Fleet Server and Elastic Agent. See Configure SSL/TLS for self-managed Fleet Servers for more details.
Although it is not recommended, you may specify the private key directly in the configuration as:
inputs:
  - type: fleet-server
    ssl.key: |
      -----BEGIN PRIVATE KEY-----
      ....
      -----END PRIVATE KEY-----
Alternatively, you can provide the path to the private key with the same attribute:
inputs:
  - type: fleet-server
    ssl.key: /path/to/cert.key
When you are running Fleet Server under Elastic Agent, you can provide the private key path using the --fleet-server-cert-key flag. See Elastic Agent command reference for more details.
If you are running Fleet Server under Elastic Agent in a container, you can use the environment variable FLEET_SERVER_CERT_KEY to specify the private key path.
- TLS private key passphrase
The private key passphrase is used to decrypt an encrypted private key file.
You can specify the passphrase as a secret file in the configuration with:
inputs:
  - type: fleet-server
    ssl.key_passphrase_path: /path/to/passphrase
When you are running Fleet Server under Elastic Agent, you can provide the passphrase path using the --fleet-server-cert-key-passphrase-path flag. See Elastic Agent command reference for more details.
If you are running Fleet Server under Elastic Agent in a container, you can use the environment variable FLEET_SERVER_CERT_KEY_PASSPHRASE to specify the file path.
- APM API Key
The APM API Key may be used to gather APM data from Fleet Server.
You can specify it directly in the instrumentation segment of the configuration:
inputs:
  - type: fleet-server
    instrumentation.api_key: my-apm-api-key
Or by a file with:
inputs:
  - type: fleet-server
    instrumentation.api_key_file: /path/to/apmAPIKey
You may specify the API key by value using the environment variable ELASTIC_APM_API_KEY.
- APM secret token
The APM secret token may be used to gather APM data from Fleet Server.
You can specify the secret token directly in the instrumentation segment of the configuration:
inputs:
  - type: fleet-server
    instrumentation.secret_token: my-apm-secret-token
Or by a file with:
inputs:
  - type: fleet-server
    instrumentation.secret_token_file: /path/to/apmSecretToken
You may also specify the token by value using the environment variable ELASTIC_APM_SECRET_TOKEN.
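An added example, not taken from Elastic's documentation or code: a Python check that flags the by-value forms listed above and verifies that files referenced by the path options are not accessible to group or others. The function names, the sample config, the owner-only permission policy and the expectation that keys appear in the dotted form shown on this page are assumptions of this example.

```python
import os
import re
import stat

# Keys from the page that hold a secret by value, or point at a secret file.
BY_VALUE = {"output.elasticsearch.service_token", "instrumentation.api_key",
            "instrumentation.secret_token"}
BY_PATH = {"output.elasticsearch.service_token_path", "ssl.key_passphrase_path",
           "instrumentation.api_key_file", "instrumentation.secret_token_file"}
# Environment variables the page says carry the secret itself, not a path.
VALUE_ENV = ("FLEET_SERVER_SERVICE_TOKEN", "ELASTIC_APM_API_KEY",
             "ELASTIC_APM_SECRET_TOKEN")
LINE = re.compile(r"^[ \t]*(?:-[ \t]+)?([A-Za-z_.]+):[ \t]*(.*?)[ \t]*$", re.M)

def check_file(key, path):
    """Flag a missing secret file or one accessible to group/others (assumed policy)."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return [f"{key}: cannot stat {path}"]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{key}: {path} has mode {mode:o}, expected owner-only"]
    return []

def audit(config_text, environ=None):
    """Return findings for a config written with the dotted keys used on the page."""
    findings = []
    for key, value in LINE.findall(config_text):
        value = value.strip().strip("'\"")
        if key in BY_VALUE and value:
            findings.append(f"{key}: secret given by value, prefer the file option")
        elif key == "ssl.key" and value.startswith(("|", ">", "-")):
            findings.append("ssl.key: private key embedded in the config, give a path")
        elif value and (key in BY_PATH or key == "ssl.key"):
            findings.extend(check_file(key, value))
    for name in VALUE_ENV:
        if (environ or {}).get(name):
            findings.append(f"{name}: secret passed by value in the environment")
    return findings

# Constructed sample: an inline token and an inline key, both of which are flagged.
SAMPLE = """output.elasticsearch.service_token: my-service-token
inputs:
  - type: fleet-server
    ssl.key: |
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, os.environ)))
```

The permission check relies on POSIX file modes, so its result is meaningful on Linux and macOS hosts only.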