Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: f1e1661088
Branches Tags
elasticsearch
/
docs
/
reference
/
commands
/
service-tokens-command.asciidoc

service-tokens-command.asciidoc 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148 
  1. [role="xpack"]
    2. 

  2. [testenv="gold+"]
    3. 

  3. [[service-tokens-command]]
    4. 

  4. == elasticsearch-service-tokens
    5. 

  5. 

  6. beta::[]
    7. 

  7. 

  8. Use the `elasticsearch-service-tokens` command to create, list, and delete file-based service account tokens.
    9. 

  9. 

  10. [discrete]
    11. 

  11. === Synopsis
    12. 

  12. 

  13. [source,shell]
    14. 

  14. ----
    15. 

  15. bin/elasticsearch-service-tokens
    16. 

  16. ([create <service_account_principal> <token_name>]) |
    17. 

  17. ([list] [<service_account_principal>]) |
    18. 

  18. ([delete <service_account_principal> <token_name>])
    19. 

  19. ----
    20. 

  20. 

  21. [discrete]
    22. 

  22. === Description
    23. 

  23. This command creates a `service_tokens` file in the `$ES_HOME/config` directory
    24. 

  24. when you create the first service account token. This file does not exist by
    25. 

  25. default. {es} monitors this file for changes and dynamically reloads it.
    26. 

  26. 

  27. See <<service-accounts,service accounts>> for more information.
    28. 

  28. 

  29. IMPORTANT: To ensure that {es} can read the service account token information at
    30. 

  30. startup, run `elasticsearch-service-tokens` as the same user you use to run
    31. 

  31. {es}. Running this command as `root` or some other user updates the permissions
    32. 

  32. for the `service_tokens` file and prevents {es} from accessing it.
    33. 

  33. 

  34. [discrete]
    35. 

  35. [[service-tokens-command-parameters]]
    36. 

  36. === Parameters
    37. 

  37. 

  38. `create`::
    39. 

  39. Creates a service account token for the specified service account.
    40. 

  40. +
    41. 

  41. .Properties of `create`
    42. 

  42. [%collapsible%open]
    43. 

  43. ====
    44. 

  44. `<service_account_principal>`:::
    45. 

  45. (Required, string) Service account principal that takes the format of
    46. 

  46. `<namespace>/<service>`, where the `namespace` is a top-level grouping of
    47. 

  47. service accounts, and `service` is the name of the service. For example, `elastic/fleet-server`.
    48. 

  48. +
    49. 

  49. The service account principal must match a known service account.
    50. 

  50. 

  51. `<token_name>`:::
    52. 

  52. (Required, string) An identifier for the token name.
    53. 

  53. +
    54. 

  54. --
    55. 

  55. Token names must be at least 1 and no more than 256 characters. They can contain
    56. 

  56. alphanumeric characters (`a-z`, `A-Z`, `0-9`), dashes (`-`), and underscores
    57. 

  57. (`_`), but cannot begin with an underscore.
    58. 

  58. 

  59. NOTE: Token names must be unique in the context of the associated service
    60. 

  60. account.
    61. 

  61. --
    62. 

  62. ====
    63. 

  63. 

  64. `list`::
    65. 

  65. Lists all service account tokens defined in the `service_tokens` file. If you
    66. 

  66. specify a service account principal, the command lists only the tokens that
    67. 

  67. belong to the specified service account.
    68. 

  68. +
    69. 

  69. .Properties of `list`
    70. 

  70. [%collapsible%open]
    71. 

  71. ====
    72. 

  72. `<service_account_principal>`:::
    73. 

  73. (Optional, string) Service account principal that takes the format of
    74. 

  74. `<namespace>/<service>`, where the `namespace` is a top-level grouping of
    75. 

  75. service accounts, and `service` is the name of the service. For example, `elastic/fleet-server`.
    76. 

  76. +
    77. 

  77. The service account principal must match a known service account.
    78. 

  78. ====
    79. 

  79. 

  80. `delete`::
    81. 

  81. Deletes a service account token for the specified service account.
    82. 

  82. +
    83. 

  83. .Properties of `delete`
    84. 

  84. [%collapsible%open]
    85. 

  85. ====
    86. 

  86. `<service_account_principal>`:::
    87. 

  87. (Required, string) Service account principal that takes the format of
    88. 

  88. `<namespace>/<service>`, where the `namespace` is a top-level grouping of
    89. 

  89. service accounts, and `service` is the name of the service. For example, `elastic/fleet-server`.
    90. 

  90. +
    91. 

  91. The service account principal must match a known service account.
    92. 

  92. ====
    93. 

  93. 

  94. `<token_name>`:::
    95. 

  95. (Required, string) Name of an existing token.
    96. 

  96. 

  97. [discrete]
    98. 

  98. === Examples
    99. 

  99. 

  100. The following command creates a service account token named `my-token` for
    101. 

  101. the `elastic/fleet-server` service account.
    102. 

  102. 

  103. [source,shell]
    104. 

  104. ----
    105. 

  105. bin/elasticsearch-service-tokens create elastic/fleet-server my-token
    106. 

  106. ----
    107. 

  107. 

  108. The output is a bearer token, which is a Base64 encoded string.
    109. 

  109. 

  110. [source,shell]
    111. 

  111. ----
    112. 

  112. SERVICE_TOKEN elastic/fleet-server/my-token = AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ
    113. 

  113. ----
    114. 

  114. 

  115. Use this bearer token to authenticate with your {es} cluster.
    116. 

  116. 

  117. [source,shell]
    118. 

  118. ----
    119. 

  119. curl -H "Authorization: Bearer AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ" http://localhost:9200/_cluster/health
    120. 

  120. ----
    121. 

  121. // NOTCONSOLE
    122. 

  122. 

  123. NOTE: If your node has `xpack.security.http.ssl.enabled` set to `true`, then
    124. 

  124. you must specify `https` in the request URL.
    125. 

  125. 

  126. The following command lists all service account tokens that are defined in the
    127. 

  127. `service_tokens` file.
    128. 

  128. 

  129. [source,shell]
    130. 

  130. ----
    131. 

  131. bin/elasticsearch-service-tokens list
    132. 

  132. ----
    133. 

  133. 

  134. A list of all service account tokens displays in your terminal:
    135. 

  135. 

  136. [source,txt]
    137. 

  137. ----
    138. 

  138. elastic/fleet-server/my-token
    139. 

  139. elastic/fleet-server/another-token
    140. 

  140. ----
    141. 

  141. 

  142. The following command deletes the `my-token` service account token for the
    143. 

  143. `elastic/fleet-server` service account:
    144. 

  144. 

  145. [source,shell]
    146. 

  146. ----
    147. 

  147. bin/elasticsearch-service-tokens delete elastic/fleet-server my-token
    148. 

  148. ----
    149.