LinuxCommandLibrary

elasticsearch-create-enrollment-token

Create token for node enrollment

TLDR

Create an enrollment token for adding a new Elasticsearch node

$ elasticsearch-create-enrollment-token [[-s|--scope]] node

Create an enrollment token for adding a new Kibana instance
$ elasticsearch-create-enrollment-token [[-s|--scope]] kibana

Create an enrollment token and display verbose output
$ elasticsearch-create-enrollment-token [[-s|--scope]] node --verbose

Create an enrollment token for a Kibana instance with a custom Elasticsearch URL
$ elasticsearch-create-enrollment-token [[-s|--scope]] kibana --url "[IP]"

Display help
$ elasticsearch-create-enrollment-token [[-h|--help]]

SYNOPSIS

elasticsearch-create-enrollment-token [--scope {NODE|KIBANA}] [--days <days>] [--url <url>] [--fenodes <fenodes>]

PARAMETERS

--scope {NODE|KIBANA}
    Token scope: NODE for Elasticsearch nodes (default); KIBANA for Kibana enrollment

--days <days>
    Days until token expiration (default: 30, min: 0, max: 180)

--url <url>
    HTTPS URL of HTTP CA for secure token generation (auto-detected if omitted)

--fenodes <fenodes>
    Comma-separated transport addresses of eligible enrollment nodes

DESCRIPTION

The elasticsearch-create-enrollment-token command generates a temporary, signed enrollment token used to securely bootstrap new nodes into an Elasticsearch cluster or enroll Kibana. Introduced with security enabled by default in Elasticsearch 8.0, it simplifies cluster expansion without manual certificate management.

Run on an existing cluster node, it outputs a token valid for a specified duration (default 30 days). New nodes use elasticsearch-node enroll with this token, or Kibana setup consumes it directly. Tokens are scoped to NODE (default, for nodes) or KIBANA.

This tool leverages the cluster's HTTP CA for secure communication, optionally specifying the CA URL or eligible node transport addresses. It's essential for production deployments, ensuring encrypted enrollment without exposing passwords. Tokens expire to limit exposure risks.

CAVEATS

Requires Elasticsearch 7.13+ with security enabled. Run it as the 'elasticsearch' user on a live node. The token is printed to stdout only, so capture it securely. The command fails if no HTTP CA is configured.

OUTPUT

Emits a single-line token (e.g., abcde12345xyz) to stdout. Use elasticsearch-node enroll --enrollment-token <token> on new nodes.

SECURITY NOTE

Tokens grant cluster join access. Share them only over a secure channel. They are revoked by expiration or node unenrollment. Prefer a short --days value in production.
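
Before handing a token to a new node, it can be inspected offline to confirm which cluster addresses and CA fingerprint it pins, without writing the embedded secret to a terminal or log. This is an added example, not part of the original page or of Elastic's tooling. It assumes the Elasticsearch 8.x token layout (Base64-encoded JSON with the fields ver, adr, fgr and key); inspect_enrollment_token and make_sample_token are hypothetical helper names.

```python
import base64
import binascii
import json

# Field names assumed from the Elasticsearch 8.x token layout (not stated on this page).
REQUIRED = ("ver", "adr", "fgr", "key")


def _norm(fingerprint):
    """Normalise a SHA-256 fingerprint: drop colons, lower-case the hex."""
    return fingerprint.replace(":", "").lower()


def inspect_enrollment_token(token, expected_ca_sha256=None):
    """Decode a token and return a summary that is safe to log (secret redacted)."""
    raw = token.strip().replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # restore padding if it was stripped in transit
    try:
        doc = json.loads(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not a Base64-encoded JSON enrollment token") from exc
    if not isinstance(doc, dict) or any(k not in doc for k in REQUIRED):
        raise ValueError("token is missing one of: " + ", ".join(REQUIRED))
    summary = {
        "version": doc["ver"],
        "addresses": list(doc["adr"]),
        "ca_fingerprint": _norm(doc["fgr"]),
        # "key" is "<id>:<secret>"; keep only the id so the secret never leaves here.
        "api_key_id": str(doc["key"]).split(":", 1)[0],
    }
    if expected_ca_sha256 is not None:
        summary["ca_matches"] = summary["ca_fingerprint"] == _norm(expected_ca_sha256)
    return summary


def make_sample_token():
    """Constructed sample token; every value in it is made up for this demo."""
    doc = {"ver": "8.0.0", "adr": ["192.0.2.10:9200"],
           "fgr": "ab" * 32, "key": "sample-key-id:sample-secret"}
    return base64.b64encode(json.dumps(doc).encode()).decode()


if __name__ == "__main__":
    # Compare against the CA fingerprint you expect the cluster to present.
    print(inspect_enrollment_token(make_sample_token(), "AB:" * 31 + "AB"))
```

A mismatch in ca_matches or an unexpected entry in addresses means the token was issued by a different cluster than intended and should not be used.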

HISTORY

Added in Elasticsearch 7.13 for elastic-cloud-on-k8s; became standard in 8.0 with default TLS/SSL, replacing manual cert workflows.
