Configure the Elastic CLI
This guide covers the configuration file format, managing connection contexts with elastic config, and using external credential resolvers to keep secrets out of your config file.
Install the Elastic CLI before continuing.
The CLI looks for a config file in your home directory. The following file names are checked in order:
.elasticrc.elasticrc.json.elasticrc.yaml.elasticrc.yml
Place your config at ~/.elasticrc.yml (recommended). To use a file in a different location, pass --config-file <path> or set ELASTIC_CLI_CONFIG_FILE. The flag takes precedence over the environment variable.
current_context: local
contexts:
local:
elasticsearch:
url: http://localhost:9200
auth:
api_key: your-api-key-here
kibana:
url: http://localhost:5601
auth:
api_key: your-api-key-here
staging:
elasticsearch:
url: https://my-cluster.es.us-east-1.aws.elastic.cloud
auth:
api_key: your-api-key-here
cloud:
url: https://api.elastic-cloud.com
auth:
api_key: your-cloud-api-key-here
Multiple contexts are supported. Override current_context for a single command with --use-context <name>.
Each context can have any combination of service blocks (elasticsearch, kibana, and cloud). Authentication supports api_key or username + password.
Instead of hand-editing YAML, the elastic config command group creates and maintains contexts and stores secrets in the OS keychain when available (macOS Keychain, Linux libsecret, pass, Windows Credential Manager). The YAML then holds a resolver expression like $(keychain:...) rather than the raw secret.
# Add a new context (API key goes to the keychain)
elastic config context add local \
--es-url http://localhost:9200 \
--es-api-key your-api-key
# List contexts
elastic config context list
# Switch the active context
elastic config current-context set staging
# Patch an existing context
elastic config context edit local --es-url http://localhost:9201
# Open the context as YAML in $EDITOR
elastic config context edit local
# Remove a context (keychain entries are cleaned up)
elastic config context remove old-lab
If no OS keychain is available or you pass --inline-secrets, the secret is written inline and the file is chmod 0600. The CLI emits a warning when a loaded config has inline secrets at looser-than-0600 permissions.
Run elastic status to check connectivity and authentication for all services in the active context:
elastic status
The command reports the result for each configured service (elasticsearch, kibana, cloud). Services not present in the active context are skipped, not treated as failures.
For agent and LLM workflows, serverless projects create and reset-credentials accept --save-as <context> to avoid leaking admin credentials through stdout:
elastic cloud serverless es projects create --wait --save-as scratch \
--name scratch-es --region-id aws-us-east-1
# stdout has endpoints + a `savedAs: scratch` marker, password is redacted.
# The keychain now holds scratch:elasticsearch.auth.password etc.
elastic --use-context scratch stack es indices list
# Rotate credentials; URL stays, only the password moves.
elastic cloud serverless es projects reset-credentials --id <id> \
--save-as scratch --force
--credentials-file <path> writes a standalone YAML config fragment (0600) at <path> instead of mutating the main config. Both flags make stdout safe to capture into an LLM transcript.
Any string value in the config file can use $(resolver:params) expressions to fetch secrets from external sources at runtime.
Review config files before using them if you didn't write them yourself. The $(cmd:...) and $(file:...) resolvers run programs and read files on your behalf. This applies especially to CI/CD environments where a repo-checked-in config (for example, via ELASTIC_CLI_CONFIG_FILE) can run arbitrary commands on the runner.
file-
Reads the contents of a file (trimmed). Useful for Docker/Kubernetes secrets mounted at
/run/secrets/.auth: api_key: $(file:/run/secrets/elastic_api_key) env-
Reads an environment variable.
auth: api_key: $(env:ELASTIC_API_KEY) cmd-
Executes a shell command and uses its stdout (trimmed) as the value.
auth: api_key: $(cmd:pass show elastic/api-key) keychain(macOS only)-
Reads a password from the macOS Keychain using
service/accountformat.auth: api_key: $(keychain:elastic-cli/api-key)To store a value:
security add-generic-password -s elastic-cli -a api-key -w secret_service(Linux only)-
Reads a secret from GNOME Keyring or KWallet via
secret-tool.auth: api_key: $(secret_service:elastic-cli/api-key)To store a value:
secret-tool store --label='Elastic API Key' service elastic-cli account api-key pass(cross-platform)-
Reads the first line from
pass show. Works on Linux, macOS, and Windows (WSL).auth: api_key: $(pass:elastic/api-key)To store a value:
pass insert elastic/api-key credential_manager(Windows only)-
Reads a credential from Windows Credential Manager. Requires the
CredentialManagerPowerShell module.auth: api_key: $(credential_manager:elastic-cli/api-key)To store a value:
New-StoredCredential -Target elastic-cli/api-key -UserName _ -Password <key>
Expressions can appear in any string field, including URLs:
elasticsearch:
url: https://$(env:ES_HOST):9200
auth:
api_key: $(keychain:elastic-cli/api-key)
- Run
elastic --helpto explore available commands. - Use
elastic cloud serverlessorelastic cloud hostedto manage Elastic Cloud resources. - See the CLI command reference for the full list of available commands.