elasticsearch-create-enrollment-token
Create token for node enrollment
TLDR
Create an enrollment token for adding a new Elasticsearch node
Create an enrollment token for adding a new Kibana instance
Create an enrollment token and display verbose output
Create an enrollment token for a Kibana instance with a custom Elasticsearch URL
Display help
SYNOPSIS
elasticsearch-create-enrollment-token [ -s service-name ]
elasticsearch-create-enrollment-token [ --service service-name ]
PARAMETERS
-s service-name, --service service-name
Specifies the type of service that will use the enrollment token. Common values include kibana (which is the default if no service is specified) for Kibana instances, or node for Elasticsearch nodes. The token's purpose and the information it encapsulates vary based on the service type. For most initial setups, kibana is the intended service.
DESCRIPTION
The elasticsearch-create-enrollment-token command is a vital utility for securely integrating Elastic Stack components like Kibana with an Elasticsearch cluster. When Elasticsearch security features are enabled (e.g., in a default distribution), new Kibana instances cannot connect directly without proper authentication. This command generates a short-lived, single-use enrollment token that Kibana can use during its setup process to securely join the cluster. The token simplifies initial configuration by providing a temporary credential for Kibana to register itself, retrieve necessary cluster certificates, and establish secure communication. After successful enrollment, Kibana manages its own authentication with Elasticsearch, typically using service accounts. This command is executed on an existing Elasticsearch node by a user with sufficient privileges, such as the elastic superuser or a user with manage_security cluster privilege.
CAVEATS
Security Context: The command must be run on an Elasticsearch node, typically by a user with manage_security cluster privilege or the elastic superuser. Running it with insufficient privileges will result in an error.
Token Expiration and Single Use: Enrollment tokens are short-lived (default is 30 minutes) and can only be used once. After a token is used or expires, it becomes invalid.
Sensitive Output: The generated token is sensitive information. It should be handled with extreme care and never exposed in insecure logs or shared publicly.
No Command-Line History: Avoid pasting the token directly into scripts or saving it in command history files without proper security considerations.
Elastic Stack Version Compatibility: Ensure the Elasticsearch version matches or is compatible with the Kibana version. Enrollment tokens are designed for specific security models that may vary slightly between major versions.
DEFAULT EXPIRATION
The generated enrollment token has a default expiration of 30 minutes. This short lifespan is a security measure to limit the window of exposure, ensuring the token cannot be used indefinitely if compromised.
USAGE EXAMPLE
To create an enrollment token for a Kibana instance, execute the following command on an Elasticsearch node:
./bin/elasticsearch-create-enrollment-token -s kibana
The command will output a long string, which is the enrollment token. This token is then provided to the Kibana setup wizard or configuration to initiate the secure connection.
HISTORY
The concept of enrollment tokens was introduced as part of the simplified security setup in Elastic Stack 7.x, gaining prominence with versions 7.10+ and 8.x. Prior to this, securely connecting Kibana to Elasticsearch often involved more manual steps, such as certificate exchange and direct configuration of usernames and passwords, which could be cumbersome. The elasticsearch-create-enrollment-token command streamlined this process by providing a secure, temporary, and single-use credential. Its development focused on improving the out-of-the-box user experience for security-enabled clusters, making it easier for new users to get started with a secure Elastic Stack deployment without deep knowledge of TLS or complex security configurations.
SEE ALSO
elasticsearch-reset-password(8), elasticsearch-setup-passwords(8), elasticsearch-service-tokens(8), elasticsearch-reconfigure-node(8)
