Fleet Server Secrets
editFleet Server Secrets
editFleet Server configuration can contain secret values. You may specify these values directly in the configuration or through secret files. You can use command line arguments to pass the values or file paths when you are running under Elastic Agent, or you can use environment variables if Elastic Agent is running in a container.
For examples of how to deploy secret files, refer to our Secret files guide.
Stand-alone Fleet Server is under active development.
Secret values
editThe following secret values may be used when configuring Fleet Server.
Note that the configuration fragments shown below are specified either in the UI as part of the output specification or as part of the Fleet Server integration settings.
-
service_token -
The
service_tokenis used to communicate with Elasticsearch.It may be specified in the configuration directly as:
output.elasticsearch.service_token: my-service-token
Or by a file with:
output.elasticsearch.service_token_path: /path/to/token-file
When you are running Fleet Server under Elastic Agent, you can specify it with either the
--fleet-server-service-tokenor the--fleet-server-service-token-pathflag. See Elastic Agent command reference for more details.If you are running Fleet Server under Elastic Agent in a container, you can use the environment variables
FLEET_SERVER_SERVICE_TOKENorFLEET_SERVER_SERVICE_TOKEN_PATH. - TLS private key
-
Use the TLS private key to encrypt communications between Fleet Server and Elastic Agent. See Configure SSL/TLS for self-managed Fleet Servers for more details.
Although it is not recommended, you may specify the private key directly in the configuration as:
inputs: - type: fleet-server ssl.key: | ----BEGIN CERTIFICATE---- .... ----END CERTIFICATE----Alternatively, you can provide the path to the private key with the same attribute:
inputs: - type: fleet-server ssl.key: /path/to/cert.keyWhen you are running Fleet Server under Elastic Agent, you can provide the private key path using with the
--fleet-server-cert-keyflag. See Elastic Agent command reference for more details.If you are running Fleet Server under Elastic Agent in a container, you can use the environment variable
FLEET_SERVER_CERT_KEYto specify the private key path. - TLS private key passphrase
-
The private key passphrase is used to decrypt an encrypted private key file.
You can specify the passphrase as a secret file in the configuration with:
inputs: - type: fleet-server ssl.key_passphrase_path: /path/to/passphraseWhen you are running Fleet Server under Elastic Agent, you can provide the passphrase path using the
--fleet-server-cert-key-passphrase-pathflag. See Elastic Agent command reference for more details.If you are running Fleet Server under Elastic Agent in a container, you can use the environment variable
FLEET_SERVER_CERT_KEY_PASSPHRASEto specify the file path. - APM API Key
-
The APM API Key may be used to gather APM data from Fleet Server.
You can specify it directly in the instrumentation segment of the configuration:
inputs: - type: fleet-server instrumentation.api_key: my-apm-api-keyOr by a file with:
inputs: - type: fleet-server instrumentation.api_key_file: /path/to/apmAPIKeyYou may specify the API key by value using the environment variable
ELASTIC_APM_API_KEY. - APM secret token
-
The APM secret token may be used to gather APM data from Fleet Server.
You can specify the secret token directly in the instrumentation segment of the configuration:
inputs: - type: fleet-server instrumentation.secret_token: my-apm-secret-tokenOr by a file with:
inputs: - type: fleet-server instrumentation.secret_token_file: /path/to/apmSecretTokenYou may also specify the token by value using the environment variable
ELASTIC_APM_SECRET_TOKEN.