Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 1971bd4591
Branches Tags
elasticsearch
/
docs
/
reference
/
commands
/
service-tokens-command.asciidoc

service-tokens-command.asciidoc 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146 
  1. [role="xpack"]
    2. 

  2. [testenv="gold+"]
    3. 

  3. [[service-tokens-command]]
    4. 

  4. == elasticsearch-service-tokens
    5. 

  5. 

  6. Use the `elasticsearch-service-tokens` command to create, list, and delete file-based service account tokens.
    7. 

  7. 

  8. [discrete]
    9. 

  9. === Synopsis
    10. 

  10. 

  11. [source,shell]
    12. 

  12. ----
    13. 

  13. bin/elasticsearch-service-tokens
    14. 

  14. ([create <service_account_principal> <token_name>]) |
    15. 

  15. ([list] [<service_account_principal>]) |
    16. 

  16. ([delete <service_account_principal> <token_name>])
    17. 

  17. ----
    18. 

  18. 

  19. [discrete]
    20. 

  20. === Description
    21. 

  21. This command creates a `service_tokens` file in the `$ES_HOME/config` directory
    22. 

  22. when you create the first service account token. This file does not exist by
    23. 

  23. default. {es} monitors this file for changes and dynamically reloads it.
    24. 

  24. 

  25. See <<service-accounts,service accounts>> for more information.
    26. 

  26. 

  27. IMPORTANT: To ensure that {es} can read the service account token information at
    28. 

  28. startup, run `elasticsearch-service-tokens` as the same user you use to run
    29. 

  29. {es}. Running this command as `root` or some other user updates the permissions
    30. 

  30. for the `service_tokens` file and prevents {es} from accessing it.
    31. 

  31. 

  32. [discrete]
    33. 

  33. [[service-tokens-command-parameters]]
    34. 

  34. === Parameters
    35. 

  35. 

  36. `create`::
    37. 

  37. Creates a service account token for the specified service account.
    38. 

  38. +
    39. 

  39. .Properties of `create`
    40. 

  40. [%collapsible%open]
    41. 

  41. ====
    42. 

  42. `<service_account_principal>`:::
    43. 

  43. (Required, string) Service account principal that takes the format of
    44. 

  44. `<namespace>/<service>`, where the `namespace` is a top-level grouping of
    45. 

  45. service accounts, and `service` is the name of the service. For example, `elastic/fleet-server`.
    46. 

  46. +
    47. 

  47. The service account principal must match a known service account.
    48. 

  48. 

  49. `<token_name>`:::
    50. 

  50. (Required, string) An identifier for the token name.
    51. 

  51. +
    52. 

  52. --
    53. 

  53. Token names must be at least 1 and no more than 256 characters. They can contain
    54. 

  54. alphanumeric characters (`a-z`, `A-Z`, `0-9`), dashes (`-`), and underscores
    55. 

  55. (`_`), but cannot begin with an underscore.
    56. 

  56. 

  57. NOTE: Token names must be unique in the context of the associated service
    58. 

  58. account.
    59. 

  59. --
    60. 

  60. ====
    61. 

  61. 

  62. `list`::
    63. 

  63. Lists all service account tokens defined in the `service_tokens` file. If you
    64. 

  64. specify a service account principal, the command lists only the tokens that
    65. 

  65. belong to the specified service account.
    66. 

  66. +
    67. 

  67. .Properties of `list`
    68. 

  68. [%collapsible%open]
    69. 

  69. ====
    70. 

  70. `<service_account_principal>`:::
    71. 

  71. (Optional, string) Service account principal that takes the format of
    72. 

  72. `<namespace>/<service>`, where the `namespace` is a top-level grouping of
    73. 

  73. service accounts, and `service` is the name of the service. For example, `elastic/fleet-server`.
    74. 

  74. +
    75. 

  75. The service account principal must match a known service account.
    76. 

  76. ====
    77. 

  77. 

  78. `delete`::
    79. 

  79. Deletes a service account token for the specified service account.
    80. 

  80. +
    81. 

  81. .Properties of `delete`
    82. 

  82. [%collapsible%open]
    83. 

  83. ====
    84. 

  84. `<service_account_principal>`:::
    85. 

  85. (Required, string) Service account principal that takes the format of
    86. 

  86. `<namespace>/<service>`, where the `namespace` is a top-level grouping of
    87. 

  87. service accounts, and `service` is the name of the service. For example, `elastic/fleet-server`.
    88. 

  88. +
    89. 

  89. The service account principal must match a known service account.
    90. 

  90. ====
    91. 

  91. 

  92. `<token_name>`:::
    93. 

  93. (Required, string) Name of an existing token.
    94. 

  94. 

  95. [discrete]
    96. 

  96. === Examples
    97. 

  97. 

  98. The following command creates a service account token named `my-token` for
    99. 

  99. the `elastic/fleet-server` service account.
    100. 

  100. 

  101. [source,shell]
    102. 

  102. ----
    103. 

  103. bin/elasticsearch-service-tokens create elastic/fleet-server my-token
    104. 

  104. ----
    105. 

  105. 

  106. The output is a bearer token, which is a Base64 encoded string.
    107. 

  107. 

  108. [source,shell]
    109. 

  109. ----
    110. 

  110. SERVICE_TOKEN elastic/fleet-server/my-token = AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ
    111. 

  111. ----
    112. 

  112. 

  113. Use this bearer token to authenticate with your {es} cluster.
    114. 

  114. 

  115. [source,shell]
    116. 

  116. ----
    117. 

  117. curl -H "Authorization: Bearer AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ" http://localhost:9200/_cluster/health
    118. 

  118. ----
    119. 

  119. // NOTCONSOLE
    120. 

  120. 

  121. NOTE: If your node has `xpack.security.http.ssl.enabled` set to `true`, then
    122. 

  122. you must specify `https` in the request URL.
    123. 

  123. 

  124. The following command lists all service account tokens that are defined in the
    125. 

  125. `service_tokens` file.
    126. 

  126. 

  127. [source,shell]
    128. 

  128. ----
    129. 

  129. bin/elasticsearch-service-tokens list
    130. 

  130. ----
    131. 

  131. 

  132. A list of all service account tokens displays in your terminal:
    133. 

  133. 

  134. [source,txt]
    135. 

  135. ----
    136. 

  136. elastic/fleet-server/my-token
    137. 

  137. elastic/fleet-server/another-token
    138. 

  138. ----
    139. 

  139. 

  140. The following command deletes the `my-token` service account token for the
    141. 

  141. `elastic/fleet-server` service account:
    142. 

  142. 

  143. [source,shell]
    144. 

  144. ----
    145. 

  145. bin/elasticsearch-service-tokens delete elastic/fleet-server my-token
    146. 

  146. ----
    147.