Rotating passwords for Elasticsearch built-in users reduces the impact of leaked credentials and keeps privileged and internal-service accounts under control. Reserved accounts such as elastic and kibana_system are high-value targets because they exist on every secured cluster.
Built-in users are managed by the security subsystem, with credential data stored in the security index and replicated across the cluster. The elasticsearch-reset-password utility connects to the cluster and resets a reserved user password either by prompting for a new value or by generating a strong random password automatically.
Resetting a built-in user immediately invalidates the old password, so any dependent services must be updated to prevent authentication failures. When TLS is enabled on the HTTP layer, API calls need the cluster's CA certificate to verify the server, and running the reset from a host that can reach the cluster over the configured endpoint avoids connection errors during the reset process.
Steps to reset built-in user passwords in Elasticsearch:
- Identify the built-in user that needs password rotation.
Common reserved users include elastic, kibana_system, logstash_system, beats_system, apm_system, and remote_monitoring_user.
- Run the password reset tool for the target user.
$ sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -a
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y
Password for the [elastic] user successfully reset.
New value: sLH2nWSf*bzGnzBmHR33
Use -i to supply a password interactively instead of generating one.
- Update any services and clients that authenticate as the reset user.
Kibana commonly uses kibana_system credentials from /etc/kibana/kibana.yml, and ingest components (Beats, Logstash, APM) often store credentials in their configuration or secret store.
- Confirm the new password by authenticating to the Elasticsearch security API.
$ curl --silent --show-error --fail --user elastic --cacert /etc/elasticsearch/certs/http_ca.crt "https://localhost:9200/_security/_authenticate?pretty"
Enter host password for user 'elastic':
{
  "username" : "elastic",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "_reserved" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "lookup_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "authentication_type" : "realm"
}
If the cluster uses HTTP without TLS, replace the URL with http://localhost:9200 and omit --cacert.
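As an added example that is not part of the original article, the following Python script automates the reset and confirmation steps: it runs the reset tool non-interactively (the tool's -b batch flag suppresses the confirmation prompt), extracts the new password from the "New value:" line, and then authenticates with it against _security/_authenticate over TLS, verifying the server with the same CA file curl --cacert uses. The tool path, CA path and URL are the ones shown above; the sample constants reuse the page's own session output so the parsing and response checks can be exercised offline.

```python
import base64, json, re, ssl, subprocess, urllib.error, urllib.request

# Path and flags from the page (-u user, -a autogenerate); -b is the tool's batch flag (no prompt).
RESET_TOOL = "/usr/share/elasticsearch/bin/elasticsearch-reset-password"
NEW_VALUE_RE = re.compile(r"New value:\s*(\S+)")

# Sample tool output and API body, taken from the page's own session, for offline checks.
SAMPLE_RESET_OUTPUT = ("Password for the [elastic] user successfully reset.\n"
                       "New value: sLH2nWSf*bzGnzBmHR33\n")
SAMPLE_AUTH_BODY = json.dumps({"username": "elastic", "roles": ["superuser"], "enabled": True,
    "metadata": {"_reserved": True}, "authentication_realm": {"name": "reserved", "type": "reserved"}})

def parse_reset_output(output: str) -> str:
    """Pull the autogenerated password out of the reset tool's console output."""
    m = NEW_VALUE_RE.search(output)
    if not m:
        raise ValueError("reset tool output did not contain a 'New value:' line")
    return m.group(1)

def reset_password(user: str) -> str:
    """Reset a built-in user to an autogenerated password and return it (handle as a secret)."""
    proc = subprocess.run(["sudo", RESET_TOOL, "-u", user, "-a", "-b"],
                          capture_output=True, text=True, check=True)
    return parse_reset_output(proc.stdout)

def check_authenticate_response(body: str, user: str) -> dict:
    """Validate a /_security/_authenticate body: expected user, enabled, reserved realm."""
    doc = json.loads(body)
    if doc.get("username") != user:
        raise ValueError(f"authenticated as {doc.get('username')!r}, expected {user!r}")
    if not doc.get("enabled"):
        raise ValueError(f"user {user!r} is disabled")
    if doc.get("authentication_realm", {}).get("type") != "reserved":
        raise ValueError("not authenticated through the reserved realm")
    return {"username": user, "roles": doc.get("roles", []),
            "reserved": bool(doc.get("metadata", {}).get("_reserved"))}

def verify_password(user: str, password: str, url: str = "https://localhost:9200",
                    cacert: str = "/etc/elasticsearch/certs/http_ca.crt") -> dict:
    """Authenticate with the new password; verify the cluster CA when the URL is https."""
    ctx = ssl.create_default_context(cafile=cacert) if url.startswith("https") else None
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url + "/_security/_authenticate",
                                 headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return check_authenticate_response(resp.read().decode(), user)
    except urllib.error.HTTPError as e:
        raise RuntimeError(f"authentication as {user!r} failed: HTTP {e.code}") from e
```

A full rotation is `verify_password("kibana_system", reset_password("kibana_system"))`; a 401 from the API surfaces as a RuntimeError rather than a silent success.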
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
