Elasticsearch
Elasticdatabase4 credentials
elastic Built-in Superuser Password
elasticsearch / elastic-built-in-user
Elasticsearch includes built-in users for the Elastic Stack. The elastic user is a built-in superuser used to set other built-in user passwords and to bootstrap administrative access on self-managed clusters.
Default credentials
elastic:(empty)Location
Elasticsearch HTTP API, Kibana loginbootstrap password may be set in the Elasticsearch keystore as bootstrap.password
ELASTIC_PASSWORDcommonly used by Docker and orchestration examples to set the initial elastic password
Kubernetes Secrets, Docker secrets, Elastic Cloud orchestration secrets, CI/CD variables
initial startup/setup logs, installation notes, and bootstrap tooling output
Notes
The default block records the built-in username, not a static password. Elastic documents that built-in users cannot authenticate until their passwords have been set; if elastic has no password, a transient bootstrap password is used to run password-setup tooling.
Built-in Service User Passwords
elasticsearch / built-in-service-user-passwords
Elasticsearch built-in service users such as kibana_system, logstash_system, beats_system, apm_system, and remote_monitoring_user have fixed privileges and require operator-set passwords before use.
Looks like
pattern(xpack\.[A-Za-z0-9_.-]+\.elasticsearch\.(username|password)|elasticsearch\.(username|password)):\s*[^\s]+Location
kibana.yml, logstash.yml, beats.yml, apm-server.yml, metricbeat.yml
ELASTICSEARCH_USERNAME, ELASTICSEARCH_PASSWORD, KIBANA_PASSWORDKubernetes Secrets, Docker secrets, Elastic Cloud orchestration secrets
Helm values, docker-compose.yml, Ansible inventories, committed stack configs
Notes
These accounts are not intended for human login. A leaked service-user password grants the component privileges assigned to that built-in user.
Elasticsearch API Key
elasticsearch / api-key
Elasticsearch API keys authenticate requests to Elasticsearch APIs. The create API key endpoint returns an id, api_key value, and an encoded representation for Authorization headers.
Looks like
patternApiKey\s+[A-Za-z0-9+/=_\-]+Location
AuthorizationApiKey authorization scheme
create API key responses containing id, api_key, and encoded fields
ELASTICSEARCH_API_KEYBeats, Logstash, agents, Elastic clients, and application config
Kubernetes Secrets, CI/CD variables, application secret stores
ingestion scripts, notebooks, app config, committed examples
Notes
API key privileges are derived from the creating user and requested role descriptors. Treat encoded API key values as bearer credentials.
Service Account Token
elasticsearch / service-account-token
Elasticsearch service account tokens authenticate Elastic Stack services to Elasticsearch without using built-in user passwords. Tokens can be file-backed or index-backed depending on how they are created.
Location
AuthorizationBearer token for Elasticsearch service account authentication
service_tokens file and Elastic component configuration
Kubernetes Secrets and orchestration-managed service token stores
service token variables used by containers or Helm charts
Notes
Service account tokens are bearer secrets scoped to a service account. Rotate and invalidate tokens found in config backups or deployment logs.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.