It is time to say goodbye: This version of Elastic Cloud Enterprise has reached end-of-life (EOL) and is no longer supported.

The documentation for this version is no longer being maintained. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

Elastic Docs Elastic Cloud Enterprise Reference [2.1] Administering deployments Secure your clusters
« Filter IP traffic Verify your credentials »

Configure the keystoreedit

When you configure Elastic Cloud Enterprise, you might include sensitive settings or configuration options, such as passwords. Instead of relying on file system permissions, you can use the keystore to protect these settings or options.

The keystore is a RESTful API-only feature.

Before you beginedit

To configure the keystore, you must meet the minimum criteria.

The minimum criteria include:

  • To access the RESTful API for Elastic Cloud Enterprise, you must use your Elastic Cloud Enterprise credentials.
  • The Elasticsearch cluster that you plan to configure must be version 6.0 or later.

To learn more about the keystore, refer to the Elasticsearch documentation.

Stepsedit

Create the keystore:

curl -k -X PATCH -u USER:PASSWORD https://COORDINATOR_HOST:12443/api/v1/clusters/elasticsearch/ELASTICSEARCH_CLUSTER_ID/keystore \
{
  "secrets": {
    "s3.client.CLIENT_NAME.access_key": {
      "as_file": false
      "value": "ACCESS_KEY_VALUE"
    }
    "s3.client.CLIENT_NAME.secret_key": {
      "value": "SECRET_KEY_VALUE"
    }
  }
}
ELASTICSEARCH_CLUSTER_ID
The Elasticsearch cluster ID as shown in the Cloud UI or obtained via the API

List the keys defined in the keystore:

{
  "secrets": {
    "s3.client.CLIENT_NAME.access_key": {
      "as_file": false
    },
    "s3.client.CLIENT_NAME.secret_key": {
      "as_file": false
    }
  }
}

Create the credentials for an S3, or Minio, repository:

curl -k -X PUT -u $USER:$PASSWORD https://$COODINATOR_HOST:12443/api/v1/clusters/elasticsearch/$ELASTICSEARCH_CLUSTER_ID/_snapshot/s3-repo
{
  "type": "s3",
  "settings": {
    "bucket": "s3_REPOSITORY_NAME",
    "client": "CLIENT_NAME",
    "base_path": "PATH_NAME"
  }
}

Create the credentials for a GCS repository:

curl -k -X PUT -u $USER:$PASSWORD https://$COORDINATOR_HOST:12443/api/v1/clusters/elasticsearch/$ELASTICSEARCH_CLUSTER_ID/_snapshot/s3-repo
{
  "type": "gcs",
  "settings": {
    "bucket": "BUCKET_NAME",
    "base_path": "BASE_PATH_NAME",
    "client": "CLIENT_NAME"
  }
}

To use GCS snapshots, the cluster must have the repository-gcs plugin enabled.

Remove keys that are defined the keystore:

curl -k -X PATCH -u $USER:$PASSWORD https://$COORDINATOR_HOST:12443/api/v1/clusters/elasticsearch/$ELASTICSEARCH_CLUSTER_ID/keystore \
{
  "secrets": {
    "KEY_TO_REMOVE": {}
  }
}
« Filter IP traffic Verify your credentials »