diff --git a/pillar/top.sls b/pillar/top.sls
index a795e03c1..80e02902e 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -46,6 +46,9 @@ base:
 - logstash.manager
 - logstash.search
 - elasticsearch.search
+{% if salt['file.exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
+ - elasticsearch.auth
+{% endif %}
 - data.*
 - zeeklogs
 - secrets
@@ -89,4 +92,4 @@ base:
 - secrets
 - elasticsearch.eval
 - global
- - minions.{{ grains.id }}
\ No newline at end of file
+ - minions.{{ grains.id }}
diff --git a/salt/elasticsearch/auth.sls b/salt/elasticsearch/auth.sls
new file mode 100644
index 000000000..a51abca1c
--- /dev/null
+++ b/salt/elasticsearch/auth.sls
@@ -0,0 +1,9 @@
+elastic_auth_pillar:
+ file.managed:
+ - name: /opt/so/saltstack/local/pillar/elasticsearch/auth.sls
+ - contents: |
+ elasticsearch:
+ auth:
+ enabled: False
+ user: so_elastic
+ pass: {{ salt['random.get_str'](20) }}
diff --git a/salt/elasticsearch/files/curl.config b/salt/elasticsearch/files/curl.config
new file mode 100644
index 000000000..e4633df6c
--- /dev/null
+++ b/salt/elasticsearch/files/curl.config
@@ -0,0 +1 @@
+user = "salt['pillar.get']('elasticsearch:auth:user'):salt['pillar.get']('elasticsearch:auth:pass')"
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 0a3ea0719..f0eee6d44 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -256,6 +256,14 @@ so-elasticsearch-templates:
 - template: jinja
 {% endif %}
+elastic_curl_config:
+ file.managed:
+ - name: /opt/so/conf/elasticsearch/curl.config
+ - mode: 600
+ # since we are generating a random password, and we don't want that to happen everytime
+ # a highstate runs, we only manage the file if it doesn't exist
+ - unless: ls /opt/so/conf/elasticsearch/curl.config
+ {% endif %} {# if grains['role'] != 'so-helix' #} {% else %}
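Review bot: The guarded `- elasticsearch.auth` entry is added to only one target block; the block that lists `elasticsearch.eval` (visible in the next hunk of this file) does not receive it, so if that role also applies the elasticsearch state its `pillar.get` lookups under `elasticsearch:auth` would presumably come back empty. The target lines themselves are outside both hunks, so which roles are affected should be confirmed before repeating the entry there. The `file.exists` guard would also benefit from a one-line comment such as `{# auth.sls is written by the elastic_auth_pillar state; skip it until it exists #}`, a rationale inferred from the rest of the commit.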
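Review bot: `elastic_auth_pillar` has no guard against re-application, so every time this state runs `random.get_str` is rendered again and the pillar file is rewritten with a different password; adding `- replace: False` to the `file.managed` would keep the first generated value. The file holds a credential but sets no permissions, so it is created with the defaults; an explicit restrictive mode such as `- mode: 600` (plus an owner, if the master does not run as root) would limit who can read it. The value is also written into the YAML unquoted, and depending on the Salt version `random.get_str` may include punctuation, in which case a `#` or a `: ` sequence would truncate or corrupt the pillar value; restricting the character set or quoting the value avoids that.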
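Review bot: The two `salt['pillar.get'](...)` calls are not wrapped in `{{ }}`, so even when this file is rendered as a Jinja template curl would be handed the literal expression text as user name and password. The line should read `user = "{{ salt['pillar.get']('elasticsearch:auth:user') }}:{{ salt['pillar.get']('elasticsearch:auth:pass') }}"`. Inside a double-quoted value a curl config file treats `\` and `"` as special, so a generated password containing either character would need escaping or a restricted character set.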
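Review bot: `elastic_curl_config` names neither a `source` nor a `template`, so as written `file.managed` would create an empty `/opt/so/conf/elasticsearch/curl.config` instead of one carrying the credentials; it presumably needs `- source: salt://elasticsearch/files/curl.config` and `- template: jinja` (the `salt://` path is inferred from the repository layout). The `unless: ls …` guard means the file is never refreshed once it exists, so a later change to the `elasticsearch:auth` pillar would leave stale credentials in place, and the comment above it describes password generation, which happens in `auth.sls` rather than in this state. `mode: 600` without `user`/`group` leaves the file readable only by the account Salt runs as, which should be checked against whichever account invokes curl. The enclosing `{% if %}` block starts outside the hunk.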