src/platform/packages/shared/kbn-connector-cli/README.md
CLI tool for bulk-creating testing connector instances in a running Kibana.
# Prerequisites
vault login --method oidc # One-time Vault authentication
yarn es snapshot # Start Elasticsearch (separate terminal)
yarn start # Start Kibana (separate terminal)
# Create all enabled connectors
node scripts/create_connectors.js
# Preview without creating anything
node scripts/create_connectors.js --dry-run
The script reads YAML manifest files from src/manifests/, fetches credentials from Vault, and calls POST /api/actions/connector for each one. Connectors are named with a (testing) suffix and the script is idempotent — re-running it skips connectors that already exist.
Each YAML file in src/manifests/ describes one connector:
# Optional: set to false to skip this manifest
enabled: false
# The connector type ID from kbn-connector-specs metadata.id
spec_id: .slack2
# Display name (must include "(testing)" suffix for idempotency matching)
name: "Slack (testing)"
# Auth type — must be one the spec actually declares in auth.types[]
auth_type: bearer
# Optional connector config fields
config:
serverUrl: "https://example.com"
# Secret fields — each is either a static value or a vault reference
secrets:
token:
vault: secret/ent-search-team/connectors-sources/slack
field: token
Static value — hardcoded directly in the manifest (for URLs, scopes, etc.):
secrets:
tokenUrl:
value: "https://accounts.google.com/o/oauth2/v2/auth"
Vault reference — fetched at runtime via vault read -field <field> <path>:
secrets:
token:
vault: secret/ent-search-team/connectors-sources/slack
field: token
Add enabled: false at the top level to skip a manifest. The script reports disabled manifests in its count but doesn't attempt to create them or fetch their secrets.
# Why disabled: waiting for vault entry (search-team#13913)
enabled: false
spec_id: .github
name: "GitHub (testing)"
...
To re-enable, remove the enabled: false line (or set it to true).
Connector type IDs have inconsistent naming. The spec_id must match the spec's metadata.id exactly — not the directory name or export name. Examples:
brave_search/ → spec ID .brave-search (hyphen, not underscore)one_password/ → spec ID .1passwordpagerduty/ → spec ID .pagerduty_mcpRun node scripts/create_connectors.js --dry-run to verify IDs are correct before creating.
api_key_header secrets use normalized field names. Instead of { headerField: "X-Api-Key", apiKey: "..." }, the API expects the header name as the key: { "X-Api-Key": "..." }. Check the spec's auth.types[].defaults.headerField for the correct key name.
authType must match the spec's declared auth types. The server validates secrets as a discriminated union on authType. If a spec declares ['bearer', 'oauth_authorization_code'], sending authType: 'oauth_client_credentials' will fail even if that auth type exists in the framework.
Legacy vs spec-based connectors may share similar names. For example, .jira is a legacy connector with a different schema than .jira-cloud (spec-based). Use the spec-based ID.
kbn-connector-specs/src/specs/ and note its metadata.idauth.types[]schema requiressrc/manifests/<name>.yaml following the format aboveenabled: false and file a vault request--dry-run, then withoutAll secrets are fetched via the vault CLI at runtime. The default vault address is https://secrets.elastic.co:8200 (override with VAULT_ADDR env var).