elastic · seanrathier · Jan 29, 2026 · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026
@@ -75,7 +75,7 @@ pageLoadAssetSize:
   files: 6037
   filesManagement: 5208
   fileUpload: 22957
-  fleet: 187942
+  fleet: 209495
   genAiSettings: 5663
   globalSearch: 6890
   globalSearchBar: 26986

@@ -92,8 +92,31 @@ export {
   getFileDataIndexName,
   removeSOAttributes,
   getSortConfig,
+  // Cloud Connector accessor functions
+  getCredentialStorageScope,
+  resolveVarTarget,
+  applyVarsAtTarget,
+  extractRawCredentialVars,
+  readCredentials,
+  writeCredentials,
+  getVarTarget,
+  getCredentialSchema,
+  getAllVarKeys,
+  getAllSupportedVarNames,
+  findFirstVarEntry,
 } from './services';
 
+export type {
+  // Cloud Connector accessor types
+  CloudConnectorVarStorageMode,
+  CloudConnectorVarTarget,
+  CloudConnectorCredentialSchema,
+  ResolvedVarTarget,
+  NormalizedAwsCredentials,
+  NormalizedAzureCredentials,
+  NormalizedCloudConnectorCredentials,
+} from './services/cloud_connectors';
+
 export type { FleetAuthz } from './authz';
 export type {
   // Request/Response

@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * Sentinel value indicating an index was not found (e.g., from findIndex returning -1)
+ */
+export const INVALID_INDEX = -1;
@@ -0,0 +1,45 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+// Types
+export type {
+  CloudConnectorVarStorageMode,
+  CloudConnectorVarTarget,
+  CloudConnectorVarKeyMapping,
+  CloudConnectorCredentialSchema,
+  ResolvedVarTarget,
+  NormalizedAwsCredentials,
+  NormalizedAzureCredentials,
+  NormalizedGcpCredentials,
+  NormalizedCloudConnectorCredentials,
+} from './types';
+
+// Constants
+export { INVALID_INDEX } from './constants';
+
+// Schemas
+export {
+  AWS_CREDENTIAL_SCHEMA,
+  AZURE_CREDENTIAL_SCHEMA,
+  GCP_CREDENTIAL_SCHEMA,
+  CREDENTIAL_SCHEMAS,
+  getCredentialSchema,
+  getAllVarKeys,
+  getAllSupportedVarNames,
+} from './schemas';
+
+// Accessor functions
+export {
+  getCredentialStorageScope,
+  resolveVarTarget,
+  applyVarsAtTarget,
+  extractRawCredentialVars,
+  readCredentials,
+  writeCredentials,
+  getVarTarget,
+  findFirstVarEntry,
+} from './var_accessor';
@@ -0,0 +1,147 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+  AWS_CREDENTIAL_SCHEMA,
+  AZURE_CREDENTIAL_SCHEMA,
+  GCP_CREDENTIAL_SCHEMA,
+  CREDENTIAL_SCHEMAS,
+  getCredentialSchema,
+  getAllVarKeys,
+  getAllSupportedVarNames,
+} from './schemas';
+
+describe('Cloud Connector Schemas', () => {
+  describe('AWS_CREDENTIAL_SCHEMA', () => {
+    it('should have correct provider', () => {
+      expect(AWS_CREDENTIAL_SCHEMA.provider).toBe('aws');
+    });
+
+    it('should have roleArn field with correct keys', () => {
+      const { roleArn } = AWS_CREDENTIAL_SCHEMA.fields;
+      expect(roleArn.primary).toBe('role_arn');
+      expect(roleArn.aliases).toContain('aws.role_arn');
+      expect(roleArn.isSecret).toBe(false);
+    });
+
+    it('should have externalId field with correct keys', () => {
+      const { externalId } = AWS_CREDENTIAL_SCHEMA.fields;
+      expect(externalId.primary).toBe('external_id');
+      expect(externalId.aliases).toContain('aws.credentials.external_id');
+      expect(externalId.isSecret).toBe(true);
+    });
+  });
+
+  describe('AZURE_CREDENTIAL_SCHEMA', () => {
+    it('should have correct provider', () => {
+      expect(AZURE_CREDENTIAL_SCHEMA.provider).toBe('azure');
+    });
+
+    it('should have tenantId field with correct keys', () => {
+      const { tenantId } = AZURE_CREDENTIAL_SCHEMA.fields;
+      expect(tenantId.primary).toBe('tenant_id');
+      expect(tenantId.aliases).toContain('azure.credentials.tenant_id');
+      expect(tenantId.isSecret).toBe(true);
+    });
+
+    it('should have clientId field with correct keys', () => {
+      const { clientId } = AZURE_CREDENTIAL_SCHEMA.fields;
+      expect(clientId.primary).toBe('client_id');
+      expect(clientId.aliases).toContain('azure.credentials.client_id');
+      expect(clientId.isSecret).toBe(true);
+    });
+
+    it('should have azureCredentialsCloudConnectorId field with correct keys', () => {
+      const { azureCredentialsCloudConnectorId } = AZURE_CREDENTIAL_SCHEMA.fields;
+      expect(azureCredentialsCloudConnectorId.primary).toBe('azure_credentials_cloud_connector_id');
+      expect(azureCredentialsCloudConnectorId.isSecret).toBe(false);
+    });
+  });
+
+  describe('GCP_CREDENTIAL_SCHEMA', () => {
+    it('should have correct provider', () => {
+      expect(GCP_CREDENTIAL_SCHEMA.provider).toBe('gcp');
+    });
+
+    it('should have stub fields for future implementation', () => {
+      expect(GCP_CREDENTIAL_SCHEMA.fields.projectId).toBeDefined();
+      expect(GCP_CREDENTIAL_SCHEMA.fields.serviceAccountKey).toBeDefined();
+    });
+  });
+
+  describe('CREDENTIAL_SCHEMAS', () => {
+    it('should contain all provider schemas', () => {
+      expect(CREDENTIAL_SCHEMAS.aws).toBe(AWS_CREDENTIAL_SCHEMA);
+      expect(CREDENTIAL_SCHEMAS.azure).toBe(AZURE_CREDENTIAL_SCHEMA);
+      expect(CREDENTIAL_SCHEMAS.gcp).toBe(GCP_CREDENTIAL_SCHEMA);
+    });
+  });
+
+  describe('getCredentialSchema', () => {
+    it('should return AWS schema for aws provider', () => {
+      const schema = getCredentialSchema('aws');
+      expect(schema).toBe(AWS_CREDENTIAL_SCHEMA);
+    });
+
+    it('should return Azure schema for azure provider', () => {
+      const schema = getCredentialSchema('azure');
+      expect(schema).toBe(AZURE_CREDENTIAL_SCHEMA);
+    });
+
+    it('should return GCP schema for gcp provider', () => {
+      const schema = getCredentialSchema('gcp');
+      expect(schema).toBe(GCP_CREDENTIAL_SCHEMA);
+    });
+
+    it('should throw for unknown provider', () => {
+      expect(() => getCredentialSchema('unknown' as any)).toThrow('Unknown cloud provider');
+    });
+  });
+
+  describe('getAllVarKeys', () => {
+    it('should return primary and all aliases', () => {
+      const keys = getAllVarKeys(AWS_CREDENTIAL_SCHEMA.fields.roleArn);
+      expect(keys).toContain('role_arn');
+      expect(keys).toContain('aws.role_arn');
+      expect(keys.length).toBe(2);
+    });
+
+    it('should include all Azure tenant_id keys', () => {
+      const keys = getAllVarKeys(AZURE_CREDENTIAL_SCHEMA.fields.tenantId);
+      expect(keys).toContain('tenant_id');
+      expect(keys).toContain('azure.credentials.tenant_id');
+    });
+  });
+
+  describe('getAllSupportedVarNames', () => {
+    it('should include all credential var names from all providers', () => {
+      const allVarNames = getAllSupportedVarNames();
+
+      // AWS vars
+      expect(allVarNames).toContain('role_arn');
+      expect(allVarNames).toContain('aws.role_arn');
+      expect(allVarNames).toContain('external_id');
+      expect(allVarNames).toContain('aws.credentials.external_id');
+
+      // Azure vars
+      expect(allVarNames).toContain('tenant_id');
+      expect(allVarNames).toContain('azure.credentials.tenant_id');
+      expect(allVarNames).toContain('client_id');
+      expect(allVarNames).toContain('azure.credentials.client_id');
+      expect(allVarNames).toContain('azure_credentials_cloud_connector_id');
+
+      // GCP vars
+      expect(allVarNames).toContain('project_id');
+      expect(allVarNames).toContain('service_account_key');
+    });
+
+    it('should return a non-empty array', () => {
+      const allVarNames = getAllSupportedVarNames();
+      expect(allVarNames.length).toBeGreaterThan(0);
+    });
+  });
+});
@@ -0,0 +1,134 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+  ROLE_ARN_VAR_NAME,
+  EXTERNAL_ID_VAR_NAME,
+  AWS_ROLE_ARN_VAR_NAME,
+  AWS_CREDENTIALS_EXTERNAL_ID_VAR_NAME,
+  TENANT_ID_VAR_NAME,
+  CLIENT_ID_VAR_NAME,
+  AZURE_TENANT_ID_VAR_NAME,
+  AZURE_CLIENT_ID_VAR_NAME,
+  AZURE_CREDENTIALS_CLOUD_CONNECTOR_ID,
+  AZURE_CREDENTIALS_CLOUD_CONNECTOR_ID_VAR_NAME,
+} from '../../constants/cloud_connector';
+
+import type { CloudProvider } from '../../types/models/cloud_connector';
+
+import type { CloudConnectorCredentialSchema, CloudConnectorVarKeyMapping } from './types';
+
+/**
+ * AWS cloud connector credential schema
+ * Maps logical field names to their actual var key names used in package policies
+ */
+export const AWS_CREDENTIAL_SCHEMA: CloudConnectorCredentialSchema = {
+  provider: 'aws',
+  fields: {
+    roleArn: {
+      primary: ROLE_ARN_VAR_NAME, // 'role_arn'
+      aliases: [AWS_ROLE_ARN_VAR_NAME], // 'aws.role_arn'
+      isSecret: false,
+    },
+    externalId: {
+      primary: EXTERNAL_ID_VAR_NAME, // 'external_id'
+      aliases: [AWS_CREDENTIALS_EXTERNAL_ID_VAR_NAME], // 'aws.credentials.external_id'
+      isSecret: true,
+    },
+  },
+};
+
+/**
+ * Azure cloud connector credential schema
+ * Maps logical field names to their actual var key names used in package policies
+ */
+export const AZURE_CREDENTIAL_SCHEMA: CloudConnectorCredentialSchema = {
+  provider: 'azure',
+  fields: {
+    tenantId: {
+      primary: TENANT_ID_VAR_NAME, // 'tenant_id'
+      aliases: [AZURE_TENANT_ID_VAR_NAME], // 'azure.credentials.tenant_id'
+      isSecret: true,
+    },
+    clientId: {
+      primary: CLIENT_ID_VAR_NAME, // 'client_id'
+      aliases: [AZURE_CLIENT_ID_VAR_NAME], // 'azure.credentials.client_id'
+      isSecret: true,
+    },
+    azureCredentialsCloudConnectorId: {
+      primary: AZURE_CREDENTIALS_CLOUD_CONNECTOR_ID, // 'azure_credentials_cloud_connector_id'
+      aliases: [AZURE_CREDENTIALS_CLOUD_CONNECTOR_ID_VAR_NAME], // 'azure.credentials.azure_credentials_cloud_connector_id'
+      isSecret: false,
+    },
+  },
+};
+
+/**
+ * GCP cloud connector credential schema (stub for future implementation)
+ */
+export const GCP_CREDENTIAL_SCHEMA: CloudConnectorCredentialSchema = {
+  provider: 'gcp',
+  fields: {
+    projectId: {
+      primary: 'project_id',
+      aliases: ['gcp.project_id'],
+      isSecret: false,
+    },
+    serviceAccountKey: {
+      primary: 'service_account_key',
+      aliases: ['gcp.credentials.service_account_key'],
+      isSecret: true,
+    },
+  },
+};
+
+/**
+ * Map of provider to credential schema
+ */
+export const CREDENTIAL_SCHEMAS: Record<CloudProvider, CloudConnectorCredentialSchema> = {
+  aws: AWS_CREDENTIAL_SCHEMA,
+  azure: AZURE_CREDENTIAL_SCHEMA,
+  gcp: GCP_CREDENTIAL_SCHEMA,
+};
+
+/**
+ * Get the credential schema for a given cloud provider
+ * @param provider - The cloud provider
+ * @returns The credential schema for the provider
+ */
+export function getCredentialSchema(provider: CloudProvider): CloudConnectorCredentialSchema {
+  const schema = CREDENTIAL_SCHEMAS[provider];
+  if (!schema) {
+    throw new Error(`Unknown cloud provider: ${provider}`);
+  }
+  return schema;
+}
+
+/**
+ * Get all var keys (primary + aliases) for a given field mapping
+ * @param mapping - The var key mapping
+ * @returns Array of all possible var key names
+ */
+export function getAllVarKeys(mapping: CloudConnectorVarKeyMapping): string[] {
+  return [mapping.primary, ...mapping.aliases];
+}
+
+/**
+ * Get all supported cloud connector var names across all providers
+ * Used for detecting storage mode based on package info vars
+ */
+export function getAllSupportedVarNames(): string[] {
+  const allVarNames: string[] = [];
+
+  for (const schema of Object.values(CREDENTIAL_SCHEMAS)) {
+    for (const fieldMapping of Object.values(schema.fields)) {
+      allVarNames.push(fieldMapping.primary, ...fieldMapping.aliases);
+    }
+  }
+
+  return allVarNames;
+}