Vault
Elasticsearch database plugin HTTP API
Note: This engine can use external X.509 certificates as part of TLS or signature validation. Verifying signatures against X.509 certificates that use SHA-1 is deprecated and is no longer usable without a workaround starting in Vault 1.12. See the deprecation FAQ for more information.
The Elasticsearch database plugin is one of the supported plugins for the database secrets engine. This plugin generates credentials dynamically based on configured roles for Elasticsearch.
Configure connection
In addition to the parameters defined by the Database Backend, this plugin has a number of parameters to further configure a connection.
Method | Path |
---|---|
POST | /database/config/:name |
Parameters
url
(string: <required>)
- The URL for Elasticsearch's API (http://localhost:9200
).username
(string: <required>)
- The username to be used in the connection URL (vault
).password
(string: <required>)
- The password to be used in the connection URL (pa55w0rd
).ca_cert
(string: "")
- The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity.ca_path
(string: "")
- The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity.client_cert
(string: "")
- The path to the certificate for the Elasticsearch client to present for communication.client_key
(string: "")
- The path to the key for the Elasticsearch client to use for communication.tls_server_name
(string: "")
- This, if set, is used to set the SNI host when connecting via TLS.insecure
(bool: false)
- Not recommended. Default tofalse
. Can be set totrue
to disable certificate verification.username_template
(string)
- Template describing how dynamic usernames are generated.use_old_xpack
(bool: false)
- Can be set totrue
to use the/_xpack/security
base API path when managing Elasticsearch. May be required for Elasticsearch server versions prior to 6.
Sample payload
{
"plugin_name": "elasticsearch-database-plugin",
"allowed_roles": "internally-defined-role,externally-defined-role",
"url": "http://localhost:9200",
"username": "vault",
"password": "myPa55word",
"ca_cert": "/usr/share/ca-certificates/extra/elastic-stack-ca.crt.pem",
"client_cert": "$ES_HOME/config/certs/elastic-certificates.crt.pem",
"client_key": "$ES_HOME/config/certs/elastic-certificates.key.pem"
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/database/config/my-elasticsearch-database
Statements
Statements are configured during role creation and are used by the plugin to determine what is sent to the database on user creation, renewing, and revocation. For more information on configuring roles see the Role API in the database secrets engine docs.
Parameters
The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type.
creation_statements
(string: <required>)
– Using JSON, either defines anelasticsearch_role_definition
or a group of pre-existingelasticsearch_roles
.The object specified by the
elasticsearch_role_definition
is the JSON directly passed through to the Elasticsearch API, so you can pass through anything shown here.For
elasticsearch_roles
, add the names of the roles only. They must pre-exist in Elasticsearch. Defining roles in Vault is more secure than using pre-existing roles because a privilege escalation could be performed by editing the roles used out-of-band in Elasticsearch.
Sample creation statements
{
"elasticsearch_role_definition": {
"indices": [
{
"names": ["*"],
"privileges": ["read"]
}
]
}
}
{
"elasticsearch_roles": ["pre-existing-role-in-elasticsearch"]
}