elastic
diff --git a/‎changelog/fragments/1762465899-file-auth-httpjson-cel.yaml‎
Lines changed: 9 additions & 0 deletions b/‎changelog/fragments/1762465899-file-auth-httpjson-cel.yaml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎docs/reference/filebeat/filebeat-input-cel.md‎
Lines changed: 81 additions & 1 deletion b/‎docs/reference/filebeat/filebeat-input-cel.md‎
Lines changed: 81 additions & 1 deletion
diff --git a/‎docs/reference/filebeat/filebeat-input-httpjson.md‎
Lines changed: 86 additions & 3 deletions b/‎docs/reference/filebeat/filebeat-input-httpjson.md‎
Lines changed: 86 additions & 3 deletions
diff --git a/‎x-pack/filebeat/input/cel/config_auth.go‎
Lines changed: 56 additions & 0 deletions b/‎x-pack/filebeat/input/cel/config_auth.go‎
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,9 @@
+kind: enhancement
+summary: Add file-based auth provider for CEL and HTTP JSON inputs.
+description: |
+  The CEL and HTTP JSON inputs now support reading authentication tokens from
+  files, enabling integration with various secret providers like Vault,
+  Kubernetes secret projections, etc. Tokens are automatically refreshed based on
+  a configurable interval without requiring restarts.
+component: filebeat
+issue: https://github.com/elastic/beats/issues/47506
@@ -21,6 +21,7 @@ This input supports:
 
     * Basic
     * Digest
+    * {applies_to}`stack: ga 9.3.0` File
     * OAuth2
 
 * Retrieval at a configurable interval
@@ -271,9 +272,10 @@ Additionally, it supports authentication via:
 * Basic Authentication
 * Digest Authentication {applies_to}`stack: ga 8.12.0`
 * OAuth2
+* file-based headers {applies_to}`stack: ga 9.3.0`
 * token authentication {applies_to}`stack: ga 8.19.0, unavailable 9.0.0, ga 9.1.0`
 
-As described in Mito's [HTTP]({{mito_docs}}@{{mito_version}}/lib#HTTP) documentation, configuration for Basic Authentication or token authentication will only affect direct HEAD, GET and POST method calls, not explicity constructed requests run with `.do_request()`. Configuration for Digest Authentication or OAuth2 will be used for all requests made from CEL.
+As described in Mito's [HTTP]({{mito_docs}}@{{mito_version}}/lib#HTTP) documentation, configuration for Basic Authentication or token authentication will only affect direct HEAD, GET and POST method calls, not explicity constructed requests run with `.do_request()`. Configuration for Digest Authentication, file-based headers or OAuth2 will be used for all requests made from CEL.
 
 Example configurations with authentication:
 
@@ -317,6 +319,16 @@ filebeat.inputs:
   resource.url: http://localhost
 ```
 
+```yaml
+filebeat.inputs:
+- type: cel
+  auth.file:
+    path: /etc/elastic/token
+    prefix: "Bearer "
+    refresh_interval: 10m
+  resource.url: http://localhost
+```
+
 ```yaml
 filebeat.inputs:
 - type: cel
@@ -557,6 +569,74 @@ stack: ga 8.12.0
 When set to `true`, Digest Authentication challenges are not reused.
 
 
+### `auth.file.enabled` [_auth_file_enabled]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+When set to `false`, disables the file auth configuration. Default: `true`.
+
+::::{note}
+File auth settings are disabled if either `enabled` is set to `false` or the `auth.file` section is missing.
+::::
+
+
+### `auth.file.path` [_auth_file_path]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+The path to the file containing the authentication value. The file contents are trimmed before use. This field is required when file auth is enabled.
+
+::::{warning}
+By default, Filebeat requires the file to have `0600` permissions (read/write for owner only) and will fail to start if the file is more permissive. This security measure helps prevent unauthorized access to credentials. To allow files with different permissions, set [`relaxed_permissions`](#_auth_file_relaxed_permissions) to `true`.
+
+On Windows, POSIX-style permission checking is not enforced. Ensure file security using NTFS file permissions or Access Control Lists (ACLs).
+::::
+
+
+### `auth.file.header` [_auth_file_header]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+The request header that receives the value loaded from `path`. Defaults to `Authorization` when omitted or empty.
+
+
+### `auth.file.prefix` [_auth_file_prefix]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+An optional prefix that is prepended to the trimmed value from `path` before it is set on the request header. This is commonly used for tokens that require a leading value such as `Bearer `.
+
+
+### `auth.file.refresh_interval` [_auth_file_refresh_interval]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+How frequently Filebeat rereads the file defined by `path` to pick up changes. Defaults to `1m`. The value must be greater than zero when set.
+
+
+### `auth.file.relaxed_permissions` [_auth_file_relaxed_permissions]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+When set to `true`, allows the authentication file to have permissions other than `0600`. By default (`false`), Filebeat requires the file to have `0600` permissions and will fail to start if the file is more permissive. This security measure helps prevent unauthorized access to credentials.
+
+::::{warning}
+Setting this to `true` reduces security. Only enable this option if you understand the security implications and cannot set the file to `0600` permissions.
+::::
+
+
 ### `auth.oauth2.enabled` [_auth_oauth2_enabled]
 
 When set to `false`, disables the oauth2 configuration. Default: `true`.
 
@@ -17,8 +17,9 @@ This input supports:
 
 * Auth
 
-    * Basic
-    * OAuth2
+  * Basic
+  * {applies_to}`stack: ga 9.3.0` File
+  * OAuth2
 
 * Retrieval at a configurable interval
 * Pagination
@@ -61,7 +62,11 @@ filebeat.inputs:
         value: 5m
 ```
 
-Additionally, it supports authentication via Basic auth, HTTP Headers or oauth2.
+Additionally, it supports authentication via:
+* Basic auth
+* {applies_to}`stack: ga 9.3.0` File-based headers (`auth.file`)
+* HTTP headers
+* OAauth2
 
 Example configurations with authentication:
 
@@ -97,6 +102,16 @@ filebeat.inputs:
   request.url: http://localhost
 ```
 
+```yaml
+filebeat.inputs:
+- type: httpjson
+  auth.file:
+    path: /etc/elastic/token
+    prefix: "Bearer "
+    refresh_interval: 10m
+  request.url: http://localhost
+```
+
 ## Input state [input-state]
 
 The `httpjson` input keeps a runtime state between requests. This state can be accessed by some configuration options and transforms.
@@ -261,6 +276,74 @@ The user to authenticate with.
 The password to use.
 
 
+### `auth.file.enabled` [_auth_file_enabled_2]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+When set to `false`, disables the file auth configuration. Default: `true`.
+
+::::{note}
+File auth settings are disabled if either `enabled` is set to `false` or the `auth.file` section is missing.
+::::
+
+
+### `auth.file.path` [_auth_file_path_2]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+The path to the file that contains the authentication value. The file contents are trimmed before use. This field is required when file auth is enabled.
+
+::::{warning}
+By default, Filebeat requires the file to have `0600` permissions (read/write for owner only) and will fail to start if the file is more permissive. This security measure helps prevent unauthorized access to credentials. To allow files with different permissions, set [`relaxed_permissions`](#_auth_file_relaxed_permissions_2) to `true`.
+
+On Windows, POSIX-style permission checking is not enforced. Ensure file security using NTFS file permissions or Access Control Lists (ACLs).
+::::
+
+
+### `auth.file.header` [_auth_file_header_2]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+The request header that receives the value loaded from `path`. Defaults to `Authorization` when omitted or empty.
+
+
+### `auth.file.prefix` [_auth_file_prefix_2]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+An optional prefix that is prepended to the trimmed value from `path` before it is sent on the request header. This is commonly used for tokens that require a leading value such as `Bearer `.
+
+
+### `auth.file.refresh_interval` [_auth_file_refresh_interval_2]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+How frequently Filebeat rereads the file defined by `path` to pick up changes. Defaults to `1m`. The value must be greater than zero when set.
+
+
+### `auth.file.relaxed_permissions` [_auth_file_relaxed_permissions_2]
+
+```{applies_to}
+stack: ga 9.3.0
+```
+
+When set to `true`, allows the authentication file to have permissions other than `0600`. By default (`false`), Filebeat requires the file to have `0600` permissions and will fail to start if the file is more permissive. This security measure helps prevent unauthorized access to credentials.
+
+::::{warning}
+Setting this to `true` reduces security. Only enable this option if you understand the security implications and cannot set the file to `0600` permissions.
+::::
+
+
 ### `auth.oauth2.enabled` [_auth_oauth2_enabled_2]
 
 When set to `false`, disables the oauth2 configuration. Default: `true`.
 
@@ -14,6 +14,7 @@ import (
 	"net/url"
 	"os"
 	"strings"
+	"time"
 
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/clientcredentials"
@@ -28,10 +29,16 @@ type authConfig struct {
 	Basic  *basicAuthConfig       `config:"basic"`
 	Token  *tokenAuthConfig       `config:"token"`
 	Digest *digestAuthConfig      `config:"digest"`
+	File   *fileAuthConfig        `config:"file"`
 	OAuth2 *oAuth2Config          `config:"oauth2"`
 	AWS    *aws.SignerInputConfig `config:"aws"`
 }
 
+const (
+	defaultFileAuthHeader          = "Authorization"
+	defaultFileAuthRefreshInterval = time.Minute
+)
+
 func (c authConfig) Validate() error {
 	var n int
 	if c.Basic.isEnabled() {
@@ -43,6 +50,9 @@ func (c authConfig) Validate() error {
 	if c.Digest.isEnabled() {
 		n++
 	}
+	if c.File.isEnabled() {
+		n++
+	}
 	if c.OAuth2.isEnabled() {
 		n++
 	}
@@ -128,6 +138,52 @@ func (d *digestAuthConfig) Validate() error {
 	return nil
 }
 
+type fileAuthConfig struct {
+	Enabled            *bool          `config:"enabled"`
+	Path               string         `config:"path"`
+	Header             string         `config:"header"`
+	Prefix             string         `config:"prefix"`
+	RefreshInterval    *time.Duration `config:"refresh_interval"`
+	RelaxedPermissions bool           `config:"relaxed_permissions"`
+}
+
+func (f *fileAuthConfig) isEnabled() bool {
+	return f != nil && (f.Enabled == nil || *f.Enabled)
+}
+
+func (f *fileAuthConfig) Validate() error {
+	if !f.isEnabled() {
+		return nil
+	}
+	if f.Path == "" {
+		return errors.New("path must be set")
+	}
+	if f.RefreshInterval != nil && (*f.RefreshInterval <= 0) {
+		return errors.New("refresh_interval must be greater than 0")
+	}
+
+	// Note: File existence check is performed later during transport initialization
+	// (in newFileAuthTransport) to allow configuration validation to complete first.
+	// This ensures proper error precedence: configuration errors (like multiple auth
+	// methods) are reported before runtime errors (like missing files).
+
+	return nil
+}
+
+func (f *fileAuthConfig) headerName() string {
+	if f == nil || strings.TrimSpace(f.Header) == "" {
+		return defaultFileAuthHeader
+	}
+	return f.Header
+}
+
+func (f *fileAuthConfig) refreshInterval() time.Duration {
+	if f == nil || f.RefreshInterval == nil {
+		return defaultFileAuthRefreshInterval
+	}
+	return *f.RefreshInterval
+}
+
 // An oAuth2Provider represents a supported oauth provider.
 type oAuth2Provider string