Secure your clusters with JWT

These steps show how you can secure the Elasticsearch clusters and Enterprise Search instances in a deployment by using a JSON Web Token (JWT) realm for authentication.

Before you begin

Elasticsearch Add-On for Heroku supports JWT with Elastic Stack version 8.2 and later.

Configure your 8.2 or above cluster to use JWT

Add the realm under xpack.security.authc.realms.jwt in your cluster's Elasticsearch settings:

xpack:
  security:
    authc:
      realms:
        jwt:
          jwt-realm-name:
            order: 2
            client_authentication.type: "shared_secret"
            allowed_signature_algorithms: "HS256,HS384,HS512,RS256,RS384,RS512,ES256,ES384,ES512,PS256,PS384,PS512"
            allowed_issuer: "issuer1"
            allowed_audiences: "elasticsearch1,elasticsearch2"
            claims.principal: "sub"
            claims.groups: "groups"

The settings mean the following:

xpack.security.authc.realms: specifies the authentication realm service.

jwt.jwt-realm-name: defines the JWT realm name.

order: the order of the JWT realm in your authentication chain. Allowed values are between 2 and 100, inclusive.

client_authentication.type: defines the client authentication type.

allowed_signature_algorithms: defines the JWT alg header values allowed by the realm.

allowed_issuer: defines the JWT iss claim value allowed by the realm.

allowed_audiences: defines the JWT aud claim values allowed by the realm.

claims.principal: defines the JWT claim name used for the principal (username). Defaults to sub.

claims.groups: defines the JWT claim name used for the groups. No default.

By default, users authenticating through JWT have no roles assigned to them. If you want all users in the group elasticadmins in your identity provider to be assigned the superuser role in your Elasticsearch cluster, issue the following request to Elasticsearch:

POST /_xpack/security/role_mapping/CLOUD_JWT_ELASTICADMIN_TO_SUPERUSER
{
    "enabled": true,
    "roles": [ "superuser" ],
    "rules": { "all" : [
        { "field": { "realm.name": "jwt-realm-name" } },
        { "field": { "groups": "elasticadmins" } }
    ] },
    "metadata": { "version": 1 }
}

CLOUD_JWT_ELASTICADMIN_TO_SUPERUSER is the mapping name.

superuser is the Elastic Stack role to map to.

The rules specify the JWT realm and group to map from; both field rules under "all" must match. The realm name (jwt-realm-name in this example) can be any string containing only alphanumeric characters, underscores, and hyphens.

To use the groups field in the mapping rule, you must have mapped the JWT attribute that conveys group membership to claims.groups in the previous step.
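The realm settings and the role mapping above together decide whether a token holder ends up with the superuser role. The following Python script is an added illustration, not code from this page or from Elasticsearch: it mints an HMAC-signed JWT with only the standard library, applies the realm's checks in the order a practitioner would reason about them (allowed_signature_algorithms, signature, allowed_issuer, allowed_audiences, exp, claims.principal, claims.groups) and then evaluates the CLOUD_JWT_ELASTICADMIN_TO_SUPERUSER mapping. The HMAC key, the token claims and the user names are constructed values; the realm name, issuer, audiences and group come from the page.

```python
"""Constructed model of the JWT realm checks and role mapping shown on this page (not
Elasticsearch code): mints an HMAC-signed token with the standard library, applies the realm
settings from the YAML above and evaluates the CLOUD_JWT_ELASTICADMIN_TO_SUPERUSER mapping."""
import base64
import hashlib
import hmac
import json
import time

REALM = {  # settings copied from the realm configuration on this page
    "name": "jwt-realm-name",
    "allowed_signature_algorithms": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
                                     "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"],
    "allowed_issuer": "issuer1",
    "allowed_audiences": ["elasticsearch1", "elasticsearch2"],
    "claims.principal": "sub",
    "claims.groups": "groups",
}
ROLE_MAPPING = {  # mapping copied from the page: every rule under "all" must match
    "roles": ["superuser"],
    "rules": {"all": [{"field": {"realm.name": "jwt-realm-name"}},
                      {"field": {"groups": "elasticadmins"}}]},
}
# Only the HMAC family is verified here; RS*/ES*/PS* tokens need the realm's public-key JWK set.
HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hmac_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build header.payload.signature for an HMAC-signed JWT (a test-token generator)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), HMAC_DIGESTS[alg]).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def authenticate(token: str, key: bytes, realm: dict = REALM, now=None) -> dict:
    """Apply the realm's checks in order; return the user or raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    alg = header.get("alg")
    # allowed_signature_algorithms: an alg outside the list ("none" included) fails before any
    # signature check, so the signature is never consulted for such tokens.
    if alg not in realm["allowed_signature_algorithms"]:
        raise ValueError(f"alg {alg!r} not allowed")
    if alg not in HMAC_DIGESTS:
        raise ValueError(f"{alg} verification not modelled here")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), HMAC_DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    if claims.get("iss") != realm["allowed_issuer"]:  # allowed_issuer: exact match on iss
        raise ValueError("issuer not allowed")
    aud = claims.get("aud", [])  # allowed_audiences: aud is a string or list; one must match
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not set(aud) & set(realm["allowed_audiences"]):
        raise ValueError("audience not allowed")
    if "exp" in claims and claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    principal = claims.get(realm["claims.principal"])  # claims.principal names the username claim
    if not principal:
        raise ValueError("missing principal claim")
    groups = claims.get(realm["claims.groups"], [])  # claims.groups names the groups claim
    groups = [groups] if isinstance(groups, str) else list(groups)
    return {"principal": principal, "groups": groups, "realm": realm["name"]}


def rejection_reason(token: str, key: bytes, now=None):
    """None when the realm would accept the token, otherwise the reason it rejects it."""
    try:
        authenticate(token, key, now=now)
        return None
    except ValueError as err:
        return str(err)


def map_roles(user: dict, mapping: dict = ROLE_MAPPING) -> list:
    """Evaluate the mapping's "all" field rules; a multi-valued field matches on any element."""
    def field_matches(rule: dict) -> bool:
        (name, value), = rule["field"].items()
        if name == "realm.name":
            return user["realm"] == value
        if name == "groups":
            return value in user["groups"]
        return False
    return list(mapping["roles"]) if all(field_matches(r) for r in mapping["rules"]["all"]) else []
```

A token that passes every realm check but carries a group other than elasticadmins, or that was issued by a different realm, yields no roles at all, which is the "no roles by default" behaviour the page describes. With client_authentication.type set to shared_secret, a real client also presents the secret in the ES-Client-Authentication header alongside Authorization: Bearer (this detail comes from the Elasticsearch JWT realm reference, not from this page); that header exchange and public-key verification for the RS, ES and PS algorithms are outside this model.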