Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: d13baade69
Branches Tags
elasticsearch
/
docs
/
reference
/
commands
/
service-tokens-command.asciidoc

service-tokens-command.asciidoc 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144 
  1. [[service-tokens-command]]
    2. 

  2. == elasticsearch-service-tokens
    3. 

  3. 

  4. Use the `elasticsearch-service-tokens` command to create, list, and delete file-based service account tokens.
    5. 

  5. 

  6. [discrete]
    7. 

  7. === Synopsis
    8. 

  8. 

  9. [source,shell]
    10. 

  10. ----
    11. 

  11. bin/elasticsearch-service-tokens
    12. 

  12. ([create <service_account_principal> <token_name>]) |
    13. 

  13. ([list] [<service_account_principal>]) |
    14. 

  14. ([delete <service_account_principal> <token_name>])
    15. 

  15. ----
    16. 

  16. 

  17. [discrete]
    18. 

  18. === Description
    19. 

  19. This command creates a `service_tokens` file in the `$ES_HOME/config` directory
    20. 

  20. when you create the first service account token. This file does not exist by
    21. 

  21. default. {es} monitors this file for changes and dynamically reloads it.
    22. 

  22. 

  23. See <<service-accounts,service accounts>> for more information.
    24. 

  24. 

  25. IMPORTANT: To ensure that {es} can read the service account token information at
    26. 

  26. startup, run `elasticsearch-service-tokens` as the same user you use to run
    27. 

  27. {es}. Running this command as `root` or some other user updates the permissions
    28. 

  28. for the `service_tokens` file and prevents {es} from accessing it.
    29. 

  29. 

  30. [discrete]
    31. 

  31. [[service-tokens-command-parameters]]
    32. 

  32. === Parameters
    33. 

  33. 

  34. `create`::
    35. 

  35. Creates a service account token for the specified service account.
    36. 

  36. +
    37. 

  37. .Properties of `create`
    38. 

  38. [%collapsible%open]
    39. 

  39. ====
    40. 

  40. `<service_account_principal>`:::
    41. 

  41. (Required, string) Service account principal that takes the format of
    42. 

  42. `<namespace>/<service>`, where the `namespace` is a top-level grouping of
    43. 

  43. service accounts, and `service` is the name of the service. For example, `elastic/fleet-server`.
    44. 

  44. +
    45. 

  45. The service account principal must match a known service account.
    46. 

  46. 

  47. `<token_name>`:::
    48. 

  48. (Required, string) An identifier for the token name.
    49. 

  49. +
    50. 

  50. --
    51. 

  51. Token names must be at least 1 and no more than 256 characters. They can contain
    52. 

  52. alphanumeric characters (`a-z`, `A-Z`, `0-9`), dashes (`-`), and underscores
    53. 

  53. (`_`), but cannot begin with an underscore.
    54. 

  54. 

  55. NOTE: Token names must be unique in the context of the associated service
    56. 

  56. account.
    57. 

  57. --
    58. 

  58. ====
    59. 

  59. 

  60. `list`::
    61. 

  61. Lists all service account tokens defined in the `service_tokens` file. If you
    62. 

  62. specify a service account principal, the command lists only the tokens that
    63. 

  63. belong to the specified service account.
    64. 

  64. +
    65. 

  65. .Properties of `list`
    66. 

  66. [%collapsible%open]
    67. 

  67. ====
    68. 

  68. `<service_account_principal>`:::
    69. 

  69. (Optional, string) Service account principal that takes the format of
    70. 

  70. `<namespace>/<service>`, where the `namespace` is a top-level grouping of
    71. 

  71. service accounts, and `service` is the name of the service. For example, `elastic/fleet-server`.
    72. 

  72. +
    73. 

  73. The service account principal must match a known service account.
    74. 

  74. ====
    75. 

  75. 

  76. `delete`::
    77. 

  77. Deletes a service account token for the specified service account.
    78. 

  78. +
    79. 

  79. .Properties of `delete`
    80. 

  80. [%collapsible%open]
    81. 

  81. ====
    82. 

  82. `<service_account_principal>`:::
    83. 

  83. (Required, string) Service account principal that takes the format of
    84. 

  84. `<namespace>/<service>`, where the `namespace` is a top-level grouping of
    85. 

  85. service accounts, and `service` is the name of the service. For example, `elastic/fleet-server`.
    86. 

  86. +
    87. 

  87. The service account principal must match a known service account.
    88. 

  88. ====
    89. 

  89. 

  90. `<token_name>`:::
    91. 

  91. (Required, string) Name of an existing token.
    92. 

  92. 

  93. [discrete]
    94. 

  94. === Examples
    95. 

  95. 

  96. The following command creates a service account token named `my-token` for
    97. 

  97. the `elastic/fleet-server` service account.
    98. 

  98. 

  99. [source,shell]
    100. 

  100. ----
    101. 

  101. bin/elasticsearch-service-tokens create elastic/fleet-server my-token
    102. 

  102. ----
    103. 

  103. 

  104. The output is a bearer token, which is a Base64 encoded string.
    105. 

  105. 

  106. [source,shell]
    107. 

  107. ----
    108. 

  108. SERVICE_TOKEN elastic/fleet-server/my-token = AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ
    109. 

  109. ----
    110. 

  110. 

  111. Use this bearer token to authenticate with your {es} cluster.
    112. 

  112. 

  113. [source,shell]
    114. 

  114. ----
    115. 

  115. curl -H "Authorization: Bearer AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ" http://localhost:9200/_cluster/health
    116. 

  116. ----
    117. 

  117. // NOTCONSOLE
    118. 

  118. 

  119. NOTE: If your node has `xpack.security.http.ssl.enabled` set to `true`, then
    120. 

  120. you must specify `https` in the request URL.
    121. 

  121. 

  122. The following command lists all service account tokens that are defined in the
    123. 

  123. `service_tokens` file.
    124. 

  124. 

  125. [source,shell]
    126. 

  126. ----
    127. 

  127. bin/elasticsearch-service-tokens list
    128. 

  128. ----
    129. 

  129. 

  130. A list of all service account tokens displays in your terminal:
    131. 

  131. 

  132. [source,txt]
    133. 

  133. ----
    134. 

  134. elastic/fleet-server/my-token
    135. 

  135. elastic/fleet-server/another-token
    136. 

  136. ----
    137. 

  137. 

  138. The following command deletes the `my-token` service account token for the
    139. 

  139. `elastic/fleet-server` service account:
    140. 

  140. 

  141. [source,shell]
    142. 

  142. ----
    143. 

  143. bin/elasticsearch-service-tokens delete elastic/fleet-server my-token
    144. 

  144. ----
    145.