Fleet Server Secrets

Fleet Server configuration can contain secret values. You may specify these values directly in the configuration or through secret files. You can use command line arguments to pass the values or file paths when you are running under Elastic Agent, or you can use environment variables if Elastic Agent is running in a container.

For examples of how to deploy secret files, refer to our Secret files guide.

Note

Stand-alone Fleet Server is under active development.

Secret values

The following secret values may be used when configuring Fleet Server.

Note that the configuration fragments shown below are specified either in the UI as part of the output specification or as part of the Fleet Server integration settings.

service_token

The service_token is used to communicate with Elasticsearch.

It may be specified in the configuration directly as:

output.elasticsearch.service_token: my-service-token

Or by a file with:

output.elasticsearch.service_token_path: /path/to/token-file

When you are running Fleet Server under Elastic Agent, you can specify it with either the --fleet-server-service-token or the --fleet-server-service-token-path flag. See Elastic Agent command reference for more details.

If you are running Fleet Server under Elastic Agent in a container, you can use the environment variables FLEET_SERVER_SERVICE_TOKEN or FLEET_SERVER_SERVICE_TOKEN_PATH.

TLS private key

Use the TLS private key to encrypt communications between Fleet Server and Elastic Agent. See Configure SSL/TLS for self-managed Fleet Servers for more details.

Although it is not recommended, you may specify the private key directly in the configuration as:

		inputs:
  - type: fleet-server
    ssl.key: |
      ----BEGIN CERTIFICATE----
      ....
      ----END CERTIFICATE----
		
	

Alternatively, you can provide the path to the private key with the same attribute:

		inputs:
  - type: fleet-server
    ssl.key: /path/to/cert.key
		
	

When you are running Fleet Server under Elastic Agent, you can provide the private key path using with the --fleet-server-cert-key flag. See Elastic Agent command reference for more details.

If you are running Fleet Server under Elastic Agent in a container, you can use the environment variable FLEET_SERVER_CERT_KEY to specify the private key path.

TLS private key passphrase

The private key passphrase is used to decrypt an encrypted private key file.

You can specify the passphrase as a secret file in the configuration with:

		inputs:
  - type: fleet-server
    ssl.key_passphrase_path: /path/to/passphrase
		
	

When you are running Fleet Server under Elastic Agent, you can provide the passphrase path using the --fleet-server-cert-key-passphrase flag. See Elastic Agent command reference for more details.

If you are running Fleet Server under Elastic Agent in a container, you can use the environment variable FLEET_SERVER_CERT_KEY_PASSPHRASE to specify the file path.

APM API Key

The APM API Key may be used to gather APM data from Fleet Server.

You can specify it directly in the instrumentation segment of the configuration:

		inputs:
  - type: fleet-server
    instrumentation.api_key: my-apm-api-key
		
	

Or by a file with:

		inputs:
  - type: fleet-server
    instrumentation.api_key_file: /path/to/apmAPIKey
		
	

You may specify the API key by value using the environment variable ELASTIC_APM_API_KEY.

APM secret token

The APM secret token may be used to gather APM data from Fleet Server.

You can specify the secret token directly in the instrumentation segment of the configuration:

		inputs:
  - type: fleet-server
    instrumentation.secret_token: my-apm-secret-token
		
	

Or by a file with:

		inputs:
  - type: fleet-server
    instrumentation.secret_token_file: /path/to/apmSecretToken
		
	

You may also specify the token by value using the environment variable ELASTIC_APM_SECRET_TOKEN.