
Elasticsearch Authn
Configure and verify Elasticsearch cluster authentication realms and security APIs while hardening a deployment.
Overview
Elasticsearch Authentication is an agent skill for the Ship phase that summarizes Elasticsearch auth realms and the authenticate API for securing clusters.
Install
npx skills add https://github.com/elastic/agent-skills --skill elasticsearch-authn
What is this skill?
- Table of 9 authentication realm types with mechanism and internal vs external classification
- Guidance on internal realm limits (one per type) vs multiple external realms
- GET /_security/_authenticate reference for credential and identity verification
- Links to official Elastic documentation for full realm and API key setup
- 9 authentication realm types documented in the reference table
Adoption & trust: 1.1k installs on skills.sh; 502 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are deploying Elasticsearch and need the correct realm types and verify-credentials API without digging through scattered Elastic security docs.
Who is it for?
Indie builders or tiny ops teams configuring Elastic Stack auth, API keys, or SSO on a new or upgraded cluster.
Skip if: General application OAuth in non-Elastic apps, full IAM design for multi-cloud, or penetration testing playbooks with no Elasticsearch context.
When should I use this skill?
Configuring Elasticsearch cluster authentication, choosing a realm, or verifying credentials against Elastic security APIs.
What do I get? / Deliverables
You choose a compatible realm category and use documented endpoints to validate identities before locking down production access.
- Realm choice aligned to identity system
- Authenticate API verification steps
- Pointers to official Elastic security documentation
Journey fit
Authentication realms and the authenticate API are configured and validated as part of securing a cluster before or during production rollout. Realm types (native, LDAP, SAML, OIDC, JWT, PKI) and credential verification map directly to deployment auth hardening, not feature coding.
How it compares
Use as a realm-and-endpoint cheat sheet alongside Elastic’s full docs—not as a generic secrets-management skill or MCP server.
Common Questions / FAQ
Who is elasticsearch-authn for?
Solo and indie builders shipping Elasticsearch or Elastic Cloud who need fast, accurate auth realm and API references while configuring cluster security.
When should I use elasticsearch-authn?
During Ship security work when selecting LDAP vs SAML vs API keys, during Operate infra tweaks when adding a realm, or when verifying credentials with GET /_security/_authenticate before enabling strict access.
Is elasticsearch-authn safe to install?
It is documentation-style reference material from Elastic’s skill set; review the Security Audits panel on this Prism page before enabling the skill in agents with broad filesystem or secret access.
SKILL.md - Elasticsearch Authn
# Elasticsearch Authentication API Reference

Quick reference for authentication realms and API key APIs. For full documentation, see the linked Elastic docs.

## Authentication Realms

| Realm            | Type               | Auth mechanism           | Category |
| ---------------- | ------------------ | ------------------------ | -------- |
| Native           | `native`           | Username / password      | Internal |
| File             | `file`             | Username / password      | Internal |
| LDAP             | `ldap`             | Username / password      | External |
| Active Directory | `active_directory` | Username / password      | External |
| PKI              | `pki`              | X.509 client certificate | External |
| SAML             | `saml`             | Browser SSO redirect     | External |
| OpenID Connect   | `oidc`             | Browser SSO redirect     | External |
| JWT              | `jwt`              | Bearer token             | External |
| Kerberos         | `kerberos`         | SPNEGO / Negotiate       | External |

Internal realms: maximum one per type, managed by Elasticsearch. External realms: multiple allowed, delegated to identity systems.

[Full documentation](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/authentication-realms)

## Authenticate

```text
GET /_security/_authenticate
```

Verify credentials and retrieve the authenticated user's identity and realm.

[Full documentation](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-authenticate)

### Response fields

| Field                       | Type   | Description                                               |
| --------------------------- | ------ | --------------------------------------------------------- |
| `username`                  | string | Authenticated user's name                                 |
| `roles`                     | array  | Assigned roles                                            |
| `enabled`                   | bool   | Whether the user is active                                |
| `authentication_realm.name` | string | Name of the realm that authenticated the user             |
| `authentication_realm.type` | string | Realm type: `native`, `file`, `pki`, `ldap`, `saml`, etc. |
| `authentication_type`       | string | `realm`, `api_key`, `token`, or `anonymous`               |

## API Keys — Create

```text
POST /_security/api_key
```

Create an API key for authentication.

[Full documentation](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key)

### Required privileges

`manage_own_api_key` or `manage_api_key` cluster privilege.

### Request body

```json
{
  "name": "my-api-key",
  "expiration": "30d",
  "role_descriptors": {
    "role-name": {
      "cluster": [],
      "indices": [{ "names": ["index-*"], "privileges": ["read"] }]
    }
  },
  "metadata": {}
}
```

| Field              | Type   | Description                                                                  |
| ------------------ | ------ | ---------------------------------------------------------------------------- |
| `name`             | string | Key name (required)                                                          |
| `expiration`       | string | Duration until expiry (e.g. `30d`, `1h`); omit for no expiration             |
| `role_descriptors` | object | Scoped privileges; omit to inherit the authenticated user's full permissions |
| `metadata`         | object | Arbitrary metadata                                                           |

### Response

| Field     | Type   | Description                                              |
| --------- | ------ | -------------------------------------------------------- |
| `id`      | string | Key ID                                                   |
| `name`    | string | Key name                                                 |
| `api_key` | string | Secret key value
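
The two defaults in the request-body table (no `expiration` means no expiry, no `role_descriptors` means the creator's full permissions) and the response fields of `GET /_security/_authenticate` can be checked before a rollout. The following is an added example, not part of the skill or of Elastic's documentation; the function names, the 90-day cap and the `BROAD_BODY` sample are assumptions made for illustration, and only the `s`/`m`/`h`/`d` duration suffixes are parsed.

```python
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # subset of duration suffixes

def expiration_seconds(value):
    """Convert '30d' / '1h' style durations to seconds; None means no expiry."""
    if value is None:
        return None
    m = re.fullmatch(r"(\d+)([smhd])", value)
    if not m:
        raise ValueError(f"unsupported expiration: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def lint_api_key_request(body, max_seconds=90 * 86400):
    """Least-privilege findings for a POST /_security/api_key body (cap is assumed policy)."""
    findings = []
    ttl = expiration_seconds(body.get("expiration"))
    if ttl is None:
        findings.append("no expiration: key never expires")
    elif ttl > max_seconds:
        findings.append(f"expiration {ttl}s exceeds policy cap {max_seconds}s")
    roles = body.get("role_descriptors") or {}
    if not roles:
        findings.append("no role_descriptors: key inherits the creator's permissions")
    for role, desc in roles.items():
        if "all" in desc.get("cluster", []):
            findings.append(f"{role}: cluster privilege 'all'")
        for grant in desc.get("indices", []):
            if "*" in grant.get("names", []):
                findings.append(f"{role}: index pattern '*' covers every index")
            if "all" in grant.get("privileges", []):
                findings.append(f"{role}: index privilege 'all'")
    return findings

def check_identity(resp, realm_type, auth_type):
    """Compare a GET /_security/_authenticate response with the intended login path."""
    problems = []
    if not resp.get("enabled", False):
        problems.append("user is disabled")
    got_realm = resp.get("authentication_realm", {}).get("type")
    if got_realm != realm_type:
        problems.append(f"realm type {got_realm!r}, expected {realm_type!r}")
    got_type = resp.get("authentication_type")
    if got_type != auth_type:
        problems.append(f"authentication_type {got_type!r}, expected {auth_type!r}")
    return problems

# Constructed samples: the request body shown on this page, and a hypothetical bare request.
PAGE_BODY = {"name": "my-api-key", "expiration": "30d", "role_descriptors": {"role-name": {
    "cluster": [], "indices": [{"names": ["index-*"], "privileges": ["read"]}]}}, "metadata": {}}
BROAD_BODY = {"name": "ci-key"}
```

Pass the parsed JSON of a real `_authenticate` response to `check_identity` to confirm that a login resolved through the realm you meant to configure rather than an earlier one in the chain.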