Cloud IAM E2E Validation
Validates Cloud IAM authentication for Elasticsearch and Kibana with Aliyun RAM credentials.
Quick Start
# Validate both ES and Kibana export RAM_AK="your-access-key" export RAM_SK="your-secret-key" cloud-iam-e2e validate --check-type=both # Validate only Elasticsearch cloud-iam-e2e validate --check-type=es # Validate only Kibana cloud-iam-e2e validate --check-type=kibana # Run Playwright browser tests cloud-iam-e2e test-ui # Full validation with UI tests cloud-iam-e2e validate-all
Parameters
All commands accept these parameters (via environment variables or command-line):
| Parameter | Default | Description |
|---|---|---|
ES_URL | http://47.236.247.55:9201 | Elasticsearch URL |
KB_URL | http://47.236.247.55:5602 | Kibana URL |
RAM_AK | (required) | Aliyun Access Key ID |
RAM_SK | (required) | Aliyun Access Key Secret |
CHECK_TYPE | both | es, kibana, or both |
Commands
validate
Runs core validation tests (connectivity, authentication, role mappings).
Usage:
cloud-iam-e2e validate [options]
Tests performed:
- •Elasticsearch connectivity
- •Kibana connectivity (if CHECK_TYPE includes kibana)
- •Signed header generation
- •Elasticsearch Cloud IAM authentication
- •Kibana Cloud IAM provider availability
- •Kibana Cloud IAM login (if CHECK_TYPE includes kibana)
- •Role mapping verification
Output: JSON report with pass/fail status for each test.
test-ui
Runs Playwright browser-based UI tests.
Usage:
cloud-iam-e2e test-ui
Tests performed:
- •Login page displays Cloud IAM provider
- •Cloud IAM authentication flow
- •Session management
- •User profile display
- •Feature access (Discover, Dashboards)
- •Error handling
Requirements:
- •Node.js and npm installed
- •Playwright browsers installed (
npx playwright install)
validate-all
Runs both core validation and UI tests.
Usage:
cloud-iam-e2e validate-all
Validation Reports
Core Validation Report
JSON structure:
{
"timestamp": "2026-01-24T20:00:00Z",
"es_url": "http://47.236.247.55:9201",
"kb_url": "http://47.236.247.55:5602",
"check_type": "both",
"tests": [
{
"name": "es_running",
"status": "pass|fail|skip",
"message": "Description",
"details": {}
}
],
"summary": {
"total": 7,
"passed": 6,
"failed": 1,
"skipped": 0
}
}
Playwright Report
JSON structure with test suites, specs, and results.
Troubleshooting
Common Failures
es_running fails:
- •Verify Elasticsearch is running:
curl $ES_URL/ - •Check firewall rules
- •Verify network binding (0.0.0.0 vs 127.0.0.1)
kb_running fails:
- •Verify Kibana is running:
curl $KB_URL/ - •Check Kibana logs for startup errors
- •Ensure Elasticsearch is accessible from Kibana
generate_signed_header fails:
- •Verify RAM credentials are valid
- •Check Python 3 is installed
- •Verify signature script exists
es_cloud_iam_auth fails:
- •Verify Cloud IAM realm is configured in Elasticsearch
- •Check realm name matches (default:
iam1) - •Verify Aliyun STS endpoint is accessible
kb_cloud_iam_login fails:
- •Verify Cloud IAM provider is configured in
kibana.yml - •Check provider realm name matches ES realm
- •Verify Elasticsearch credentials in Kibana config
Debug Mode
Enable verbose output:
export DEBUG=1 cloud-iam-e2e validate
Save detailed reports:
export SAVE_REPORT=1 cloud-iam-e2e validate
Integration with CI/CD
Example GitHub Actions workflow:
- name: Validate Cloud IAM
env:
RAM_AK: ${{ secrets.RAM_AK }}
RAM_SK: ${{ secrets.RAM_SK }}
ES_URL: http://elasticsearch:9201
KB_URL: http://kibana:5602
run: cloud-iam-e2e validate-all
References
See references/config.md for:
- •Elasticsearch realm configuration
- •Kibana provider configuration
- •Role mapping examples
- •Common troubleshooting scenarios