Using environmental variables in Open Distro security plugin configuration

Initially I put something like that in my plugins/opendistro_security/securityconfig/config.yml:

ldap:
        http_enabled: true
        transport_enabled: true
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - ldap.domain.com:3268
            bind_dn: ${LDAP_BIND_DN}
            password: ${LDAP_BIND_PASSWORD}
            usersearch: '(sAMAccountName={0})'
            userbase: 'OU=Accounts and Groups,DC=domain,DC=com'
            username_attribute: 'sAMAccountName'

But even though I set those variables in ES environment, I got errors on LDAP connection with error 49, implying that credentials are not valid. When I replace the variables with actual values, it works. That’s not bad, but I want to commit this config to Git, and having secrets there is, of course, extremely undesirable. Is there any workaround?

You have to execute securityadmin.sh with the parameter --resolve-env-vars and change config.yml to

...
            bind_dn: ${env.LDAP_BIND_DN}
            password: ${env.LDAP_BIND_PASSWORD}
...
1 Like

Sorry for bumping up the topic but I have similar question but that regards configuration of security plugin in OpenSearch Dashboard - I’d like to store my client id/secret in K8S secret and then bind them to env variables of OpenSearch Dashboard pod.

I tried the answer suggested here:

opensearch_security:
    open_id:
        client_id: ${env.CLIENT_ID}

but that send a literal value “${env.CLIENT_ID}” to my OpenID provider.

I also tried to remove the property from opensearch_dashboard.yml and set env variable with key OPENSEARCH_SECURITY_OPENID_CLIENT_ID hoping that maybe it would be found to match the key from config file but in this case the dashboard redirects to OpenID provider without any clientId query param.

Is there another way to do it? Or are there plans to support something like this?