Change api-user password


I want to change the icinga api password located in: etc/icinga2/conf.d/api-users.conf

 * The APIUser objects are used for authentication against the API.
object ApiUser "root" {
password = "complicated password here"
  // client_cn = ""

  permissions = [ "*" ]

What would be affected if I change this password. I am using a distributed setup where hosts gets the configuration from the master. I also use the icinga web. Do I have to change this value on the clients too? What would be the right procedure to rotate this password?

Thank you.

Hi @cholan,

this ApiUser will not get synced to any other instance in your distributed setup, because it’s not in /etc/icinga2/zones.d/. If you want to use the API on other instances in your cluster, you could sync this ApiUser by using a global zone like global-templates.

Icinga itself doesn’t care if and how often you change this password. The only thing that would require changing the password, would be Icinga Web 2.

If you want to do this automated, you could have any config management tool change the password in /etc/icinga2/conf.d/api-users.conf on your master and in /etc/icingaweb2/modules/monitoring/commandtransports.ini on your Icinga Web 2 server. Keep in mind, that you’ll need to reload your master every time you change the password.



Due to my experience ApiUser "root" is not is use at all. It was automatically created by icinga2 node wizard for whatever reason?

Thanks a lot, just what I was looking for1

1 Like