A newer version is available. For the latest information, see the current release documentation.
Elastic Docs Setting up and running APM Server
« Security Granting users access to APM Server indices »

Configuring authentication credentials for APM Serveredit

When sending data to a secured cluster through the elasticsearch output, APM Server must either provide basic authentication credentials or present a client certificate.

To configure authentication credentials for APM Server:

  1. Create a role that has the manage_index_templates and monitor cluster privileges, and read, write, and create_index privileges for the indices that APM Server creates. You can create roles from the Management / Roles UI in Kibana or through the role API. For example, the following request creates a apm_writer role:

    POST _xpack/security/role/apm_writer
{
  "cluster": ["manage_index_templates", "monitor"],
  "indices": [
    {
      "names": [ "apm-*" ], 
      "privileges": ["write","create_index"]
    }
  ]
}

    If you use a custom APM Server index pattern, specify that pattern instead of the default apm-* pattern.

  2. Assign the writer role to the user that APM Server will use to connect to Elasticsearch:

    1. To authenticate as a native user, create a user for the APM Server to use internally and assign it the writer role. You can create users from the Management / Users UI in Kibana or through the user API. For example, the following request creates a apm_internal user that has the apm_writer role:

      POST /_xpack/security/user/apm_internal
{
  "password" : "x-pack-test-password",
  "roles" : [ "apm_writer"],
  "full_name" : "Internal APM Server User"
}

    2. To authenticate using PKI authentication, assign the writer role to the internal APM Server user in the role_mapping.yml configuration file. Specify the user by the distinguished name that appears in its certificate.

      apm_writer:
  - "cn=Internal APM Server User,ou=example,o=com"

      For more information, see Using Role Mapping Files.

  3. Configure authentication credentials for the elasticsearch output in the APM Server configuration file:

    1. To use basic authentication, configure the username and password settings. For example, the following APM Server output configuration uses the native apm_internal user to connect to Elasticsearch:

      output.elasticsearch:
    hosts: ["localhost:9200"]
    index: "apm"
    username: "apm_internal"
    password: "x-pack-test-password"

    2. To use PKI authentication, configure the certificate and key settings:

      output.elasticsearch:
    hosts: ["localhost:9200"]
    index: "apm"
    ssl.certificate: "/etc/pki/client/cert.pem" 
    ssl.key: "/etc/pki/client/cert.key"

      The distinguished name (DN) in the certificate must be mapped to the writer role in the role_mapping.yml configuration file on each node in the Elasticsearch cluster.
« Security Granting users access to APM Server indices »