From bf9714f8e5269053ee95b16d4e61c2def8d5cf8c Mon Sep 17 00:00:00 2001 From: Visha Angelova Date: Fri, 26 Sep 2025 12:14:56 +0200 Subject: [PATCH 1/4] Enrollment tokens: add details about outputs other than ES --- reference/fleet/fleet-enrollment-tokens.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/reference/fleet/fleet-enrollment-tokens.md b/reference/fleet/fleet-enrollment-tokens.md index e949e01459..e1c361f9ab 100644 --- a/reference/fleet/fleet-enrollment-tokens.md +++ b/reference/fleet/fleet-enrollment-tokens.md 
@@ -8,19 +8,27 @@ products: # Fleet enrollment tokens [fleet-enrollment-tokens] -A {{fleet}} enrollment token (referred to as an `enrollment API key` in the {{fleet}} API documentation) is an {{es}} API key that you use to enroll one or more {{agent}}s in {{fleet}}. The enrollment token enrolls the {{agent}} in a specific agent policy that defines the data to be collected by the agent. You can use the token as many times as required. It will remain valid until you revoke it. +A {{fleet}} enrollment token (referred to as an `enrollment API key` in the {{fleet}} API documentation) is an {{es}} API key that you use to enroll one or more {{agent}}s in {{fleet}}. The enrollment token enrolls the {{agent}} in a specific agent policy that defines the data to be collected by the agent and the output to use. You can use the token as many times as needed. It will remain valid until you revoke it. -The enrollment token is used for the initial communication between {{agent}} and {{fleet-server}}. After the initial connection request from the {{agent}}, the {{fleet-server}} passes two API keys to the {{agent}}: - -* An output API key +The enrollment token is used for the initial communication between {{agent}} and {{fleet-server}}. After the initial connection request from the {{agent}}, the {{fleet-server}} passes a communication API key to the {{agent}}. This API key includes only the necessary permissions to communicate with the {{fleet-server}}. If the API key is invalid, {{fleet-server}} stops communicating with the {{agent}}. +Depending on the output of the agent policy with which the enrollment token is associated, the {{fleet-server}} also passes additional data to the {{agent}}: + +* For the {{es}} and remote {{es}} outputs, it passes an output API key. + This API key is used to send data to {{es}}. It has the minimal permissions needed to ingest all the data specified by the agent policy. If the API key is invalid, the {{agent}} stops ingesting data into {{es}}. 
-* A communication API key +* For the Kafka output, it passes authentication parameters. + + The authentication parameters are defined in the authentication settings of the Kafka output and are used by the {{agent}} to connect to Kafka. - This API key is used to communicate with the {{fleet-server}}. It has only the permissions needed to communicate with the {{fleet-server}}. If the API key is invalid, {{fleet-server}} stops communicating with the {{agent}}. +* For the {{ls}} output, it passes SSL/TLS configuration details. + The SSL/TLS configuration details such as the SSL certificate authority, the SSL certificate, and the SSL certificate key are defined during the Logstash output creation and are used by the {{agent}} to connect to Logstash. +:::{note} +Although an API key is generated during the {{ls}} output creation, this key is not passed to the {{agent}} by the {{fleet-server}}. +::: ## Create enrollment tokens [create-fleet-enrollment-tokens] From f653a22011b0932a4b962bddffa50d110ded2252 Mon Sep 17 00:00:00 2001 From: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> Date: Mon, 29 Sep 2025 10:00:44 +0200 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- reference/fleet/fleet-enrollment-tokens.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reference/fleet/fleet-enrollment-tokens.md b/reference/fleet/fleet-enrollment-tokens.md index e1c361f9ab..57fc0b6870 100644 --- a/reference/fleet/fleet-enrollment-tokens.md +++ b/reference/fleet/fleet-enrollment-tokens.md 
@@ -8,7 +8,7 @@ products: # Fleet enrollment tokens [fleet-enrollment-tokens] -A {{fleet}} enrollment token (referred to as an `enrollment API key` in the {{fleet}} API documentation) is an {{es}} API key that you use to enroll one or more {{agent}}s in {{fleet}}. The enrollment token enrolls the {{agent}} in a specific agent policy that defines the data to be collected by the agent and the output to use. You can use the token as many times as needed. It will remain valid until you revoke it. +A {{fleet}} enrollment token (referred to as an `enrollment API key` in the {{fleet}} API documentation) is an {{es}} API key that you use to enroll one or more {{agent}}s in {{fleet}}. The enrollment token enrolls the {{agent}} in a specific agent policy that defines the data to be collected by the agent and which output to use. You can use the token as many times as needed. It will remain valid until you revoke it. The enrollment token is used for the initial communication between {{agent}} and {{fleet-server}}. After the initial connection request from the {{agent}}, the {{fleet-server}} passes a communication API key to the {{agent}}. This API key includes only the necessary permissions to communicate with the {{fleet-server}}. If the API key is invalid, {{fleet-server}} stops communicating with the {{agent}}. 
@@ -24,7 +24,7 @@ Depending on the output of the agent policy with which the enrollment token is a * For the {{ls}} output, it passes SSL/TLS configuration details. - The SSL/TLS configuration details such as the SSL certificate authority, the SSL certificate, and the SSL certificate key are defined during the Logstash output creation and are used by the {{agent}} to connect to Logstash. + The SSL/TLS configuration details such as the SSL certificate authority, the SSL certificate, and the SSL certificate key are defined during {{ls}} output creation and are used by the {{agent}} to connect to {{ls}}. :::{note} Although an API key is generated during the {{ls}} output creation, this key is not passed to the {{agent}} by the {{fleet-server}}. From 8e01e6e21904802593a6633cdcfb59fc83bc8fd7 Mon Sep 17 00:00:00 2001 From: Visha Angelova Date: Mon, 29 Sep 2025 10:10:52 +0200 Subject: [PATCH 3/4] Updates based on review --- reference/fleet/fleet-enrollment-tokens.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/reference/fleet/fleet-enrollment-tokens.md b/reference/fleet/fleet-enrollment-tokens.md index 57fc0b6870..cdadf518b9 100644 --- a/reference/fleet/fleet-enrollment-tokens.md +++ b/reference/fleet/fleet-enrollment-tokens.md 
@@ -10,24 +10,24 @@ products: A {{fleet}} enrollment token (referred to as an `enrollment API key` in the {{fleet}} API documentation) is an {{es}} API key that you use to enroll one or more {{agent}}s in {{fleet}}. The enrollment token enrolls the {{agent}} in a specific agent policy that defines the data to be collected by the agent and which output to use. You can use the token as many times as needed. It will remain valid until you revoke it. -The enrollment token is used for the initial communication between {{agent}} and {{fleet-server}}. After the initial connection request from the {{agent}}, the {{fleet-server}} passes a communication API key to the {{agent}}. This API key includes only the necessary permissions to communicate with the {{fleet-server}}. If the API key is invalid, {{fleet-server}} stops communicating with the {{agent}}. +The enrollment token is used for the initial communication between {{agent}} and {{fleet-server}}. After the initial connection request from {{agent}}, {{fleet-server}} passes a communication API key to the agent. This API key includes only the necessary permissions to communicate with {{fleet-server}}. If the API key is invalid, {{fleet-server}} stops communicating with {{agent}}. -Depending on the output of the agent policy with which the enrollment token is associated, the {{fleet-server}} also passes additional data to the {{agent}}: +Depending on the output of the agent policy with which the enrollment token is associated, {{fleet-server}} also passes additional data to {{agent}}: * For the {{es}} and remote {{es}} outputs, it passes an output API key. - This API key is used to send data to {{es}}. It has the minimal permissions needed to ingest all the data specified by the agent policy. If the API key is invalid, the {{agent}} stops ingesting data into {{es}}. + This API key is used to send data to {{es}}. It has the minimal permissions needed to ingest all the data specified by the agent policy. 
If the API key is invalid, {{agent}} stops ingesting data into {{es}}. * For the Kafka output, it passes authentication parameters. - The authentication parameters are defined in the authentication settings of the Kafka output and are used by the {{agent}} to connect to Kafka. + The authentication parameters are defined in the authentication settings of the Kafka output and are used by {{agent}} to connect to Kafka. * For the {{ls}} output, it passes SSL/TLS configuration details. - The SSL/TLS configuration details such as the SSL certificate authority, the SSL certificate, and the SSL certificate key are defined during {{ls}} output creation and are used by the {{agent}} to connect to {{ls}}. + The SSL/TLS configuration details such as the SSL certificate authority, the SSL certificate, and the SSL certificate key are defined during {{ls}} output creation and are used by {{agent}} to connect to {{ls}}. :::{note} -Although an API key is generated during the {{ls}} output creation, this key is not passed to the {{agent}} by the {{fleet-server}}. +Although an API key is generated during {{ls}} output creation, this key is not passed to {{agent}} by {{fleet-server}}. ::: ## Create enrollment tokens [create-fleet-enrollment-tokens] From 9327d488602d52c071b694889175e2d4de11f5fa Mon Sep 17 00:00:00 2001 From: Visha Angelova Date: Tue, 30 Sep 2025 10:44:44 +0200 Subject: [PATCH 4/4] Address review comments --- reference/fleet/fleet-enrollment-tokens.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/reference/fleet/fleet-enrollment-tokens.md b/reference/fleet/fleet-enrollment-tokens.md index cdadf518b9..52abaf9bd1 100644 --- a/reference/fleet/fleet-enrollment-tokens.md +++ b/reference/fleet/fleet-enrollment-tokens.md 
@@ -20,14 +20,14 @@ Depending on the output of the agent policy with which the enrollment token is a * For the Kafka output, it passes authentication parameters. - The authentication parameters are defined in the authentication settings of the Kafka output and are used by {{agent}} to connect to Kafka. + The authentication parameters are defined in the authentication settings of the Kafka output and are used by {{agent}} to authenticate with the Kafka cluster before sending data to it. * For the {{ls}} output, it passes SSL/TLS configuration details. - The SSL/TLS configuration details such as the SSL certificate authority, the SSL certificate, and the SSL certificate key are defined during {{ls}} output creation and are used by {{agent}} to connect to {{ls}}. + The SSL/TLS configuration details such as the SSL certificate authority, the SSL certificate, and the SSL certificate key are defined during {{ls}} output creation. {{agent}} uses SSL/TLS client authentication to authenticate with the {{ls}} pipeline before sending data to it. :::{note} -Although an API key is generated during {{ls}} output creation, this key is not passed to {{agent}} by {{fleet-server}}. +Although an API key is generated during {{ls}} output creation, this key is not passed to {{agent}} by {{fleet-server}}. If the {{ls}} pipeline uses the {{es}} output, this API key is used by {{ls}} to authenticate with the {{es}} cluster before sending data to it. ::: ## Create enrollment tokens [create-fleet-enrollment-tokens]
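Review bot: In [PATCH 1/4], the new Kafka and {{ls}} bullets mean that a successful enrollment hands out Kafka authentication parameters or an SSL certificate key, while the first paragraph still says only that the token can be used "as many times as needed" and "will remain valid until you revoke it". Add a sentence after that paragraph saying the enrollment token must be stored and distributed as a secret, because anyone holding it can enroll an agent and receive the output credentials of the associated policy. Link that sentence to wherever token revocation is documented.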
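Review bot: In the first hunk of [PATCH 2/4], "defines the data to be collected by the agent and which output to use" joins a noun phrase to a clause, so the sentence reads unevenly. Consider "defines which data the agent collects and which output it uses", which keeps the meaning and makes both halves parallel.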
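Review bot: In [PATCH 3/4], the rewritten first paragraph ends its second sentence with "passes a communication API key to the agent", while every other changed line in the hunk drops the article and uses the {{agent}} substitution. Use "to {{agent}}" there so the product name renders consistently. The "SSL/TLS configuration details such as ..." sentence would also read better with commas around the "such as" list.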
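Review bot: In [PATCH 4/4], the {{ls}} bullet now says only that "{{agent}} uses SSL/TLS client authentication", which no longer ties the listed details to the agent and covers only the certificate and key. The certificate authority in the same list is what the agent uses to verify the {{ls}} server, not to authenticate itself. Suggest wording such as "{{agent}} uses these details to verify the {{ls}} server and to authenticate itself with SSL/TLS client authentication". Separately, the Kafka and {{ls}} bullets still do not say what happens when authentication fails, whereas the {{es}} bullet states "If the API key is invalid, {{agent}} stops ingesting data into {{es}}". A matching sentence for each would make the three outputs comparable.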