Create API key API
editCreate API key API
editCreates an API key for access without requiring basic authentication.
Prerequisites
edit-
To use this API, you must have at least the
manage_own_api_key
cluster privilege.
If the credential that is used to authenticate this request is
an API key, the derived API key cannot have any privileges. If you specify privileges, the API returns an error.
See the note under role_descriptors
.
Description
editThe API keys are created by the Elasticsearch API key service, which is automatically enabled. For instructions on disabling the API key service, see API key service settings.
A successful request returns a JSON structure that contains the API key, its unique id, and its name. If applicable, it also returns expiration information for the API key in milliseconds.
By default, API keys never expire. You can specify expiration information when you create the API keys.
See API key service settings for configuration settings related to API key service.
Request body
editThe following parameters can be specified in the body of a POST or PUT request:
-
name
- (Required, string) Specifies the name for this API key.
-
role_descriptors
-
(Optional, object) The role descriptors for this API key. This parameter is optional. When it is not specified or is an empty array, then the API key will have a point in time snapshot of permissions of the authenticated user. If you supply role descriptors then the resultant permissions would be an intersection of API keys permissions and authenticated user’s permissions thereby limiting the access scope for API keys.
Due to the way in which this permission intersection is calculated, it is not possible to create an API key that is a child of another API key, unless the derived key is created without any privileges. In this case, you must explicitly specify a role descriptor with no privileges. The derived API key can be used for authentication; it will not have authority to call Elasticsearch APIs.
-
applications
-
(list) A list of application privilege entries.
-
application
(required) - (string) The name of the application to which this entry applies
-
privileges
(required) - (list) A list of strings, where each element is the name of an application privilege or action.
-
resources
(required) - (list) A list resources to which the privileges are applied.
-
-
cluster
- (list) A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
-
global
- (object) An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges. This field is optional.
-
indices
-
(list) A list of indices permissions entries.
-
field_security
- (object) The document fields that the API keys have read access to. For more information, see Setting up field and document level security.
-
names
(required) - (list) A list of indices (or index name patterns) to which the permissions in this entry apply.
-
privileges
(required) - (list) The index level privileges that the API keys have on the specified indices.
-
query
- A search query that defines the documents the API keys have read access to. A document within the specified indices must match this query in order for it to be accessible by the API keys.
-
-
metadata
-
(object) Optional meta-data. Within the
metadata
object, keys that begin with_
are reserved for system usage. -
restriction
-
(object) Optional restriction for when the role descriptor is allowed to be effective. For more information, see Role restriction.
-
workflows
-
(list) A list of workflows to which the API key is restricted. For a full list see Workflows.
In order to use role restriction, an API key must be created with a single role descriptor.
-
-
run_as
- (list) A list of users that the API keys can impersonate. For more information, see Submitting requests on behalf of other users.
-
-
expiration
- (Optional, string) Expiration time for the API key. By default, API keys never expire.
-
metadata
-
(Optional, object) Arbitrary metadata that you want to associate with the API key.
It supports nested data structure.
Within the
metadata
object, keys beginning with_
are reserved for system usage.
Examples
editThe following example creates an API key:
resp = client.security.create_api_key( name="my-api-key", expiration="1d", role_descriptors={ "role-a": { "cluster": [ "all" ], "indices": [ { "names": [ "index-a*" ], "privileges": [ "read" ] } ] }, "role-b": { "cluster": [ "all" ], "indices": [ { "names": [ "index-b*" ], "privileges": [ "all" ] } ] } }, metadata={ "application": "my-application", "environment": { "level": 1, "trusted": True, "tags": [ "dev", "staging" ] } }, ) print(resp)
const response = await client.security.createApiKey({ name: "my-api-key", expiration: "1d", role_descriptors: { "role-a": { cluster: ["all"], indices: [ { names: ["index-a*"], privileges: ["read"], }, ], }, "role-b": { cluster: ["all"], indices: [ { names: ["index-b*"], privileges: ["all"], }, ], }, }, metadata: { application: "my-application", environment: { level: 1, trusted: true, tags: ["dev", "staging"], }, }, }); console.log(response);
POST /_security/api_key { "name": "my-api-key", "expiration": "1d", "role_descriptors": { "role-a": { "cluster": ["all"], "indices": [ { "names": ["index-a*"], "privileges": ["read"] } ] }, "role-b": { "cluster": ["all"], "indices": [ { "names": ["index-b*"], "privileges": ["all"] } ] } }, "metadata": { "application": "my-application", "environment": { "level": 1, "trusted": true, "tags": ["dev", "staging"] } } }
Optional expiration for the API key being generated. If expiration is not provided then the API keys do not expire. |
|
Optional role descriptors for this API key. If not provided, permissions of the authenticated user are applied. |
A successful call returns a JSON structure that provides API key information.
{ "id": "VuaCfGcBCdbkQm-e5aOx", "name": "my-api-key", "expiration": 1544068612110, "api_key": "ui2lp2axTNmsyakw9tvNnw", "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==" }
Unique |
|
Optional expiration in milliseconds for this API key |
|
Generated API key |
|
API key credentials which is the Base64-encoding of the UTF-8
representation of the |
To use the generated API key, send a request with an Authorization
header that
contains an ApiKey
prefix followed by the API key credentials
(the encoded
value from the response).
curl -H "Authorization: ApiKey VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==" \ https://127.0.0.1:9200/_cluster/health\?pretty
If your node has |
On a Unix-like system, the encoded
value can be created with the following
command:
The following example creates an API key with a restriction to the search_application_query
workflow,
which allows to call only Search Application Search API:
resp = client.security.create_api_key( name="my-restricted-api-key", role_descriptors={ "my-restricted-role-descriptor": { "indices": [ { "names": [ "my-search-app" ], "privileges": [ "read" ] } ], "restriction": { "workflows": [ "search_application_query" ] } } }, ) print(resp)
const response = await client.security.createApiKey({ name: "my-restricted-api-key", role_descriptors: { "my-restricted-role-descriptor": { indices: [ { names: ["my-search-app"], privileges: ["read"], }, ], restriction: { workflows: ["search_application_query"], }, }, }, }); console.log(response);
POST /_security/api_key { "name": "my-restricted-api-key", "role_descriptors": { "my-restricted-role-descriptor": { "indices": [ { "names": ["my-search-app"], "privileges": ["read"] } ], "restriction": { "workflows": ["search_application_query"] } } } }