Find API keys with a query Added in 7.15.0

GET /_security/_query/api_key

Get a paginated list of API keys and their information. You can optionally filter the results with a query.

To use this API, you must have at least the manage_own_api_key or the read_security cluster privileges. If you have only the manage_own_api_key privilege, this API returns only the API keys that you own. If you have the read_security, manage_api_key, or greater privileges (including manage_security), this API returns all API keys regardless of ownership.

Query parameters

  • Return the snapshot of the owner user's role descriptors associated with the API key. An API key's actual permission is the intersection of its assigned role descriptors and the owner user's role descriptors (effectively limited by it). An API key cannot retrieve any API key’s limited-by role descriptors (including itself) unless it has manage_api_key or higher privileges.

  • Determines whether to also retrieve the profile UID for the API key owner principal. If it exists, the profile UID is returned under the profile_uid response field for each API key.

  • typed_keys boolean

    Determines whether aggregation names are prefixed by their respective types in the response.

application/json

Body

  • Any aggregations to run over the corpus of returned API keys. Aggregations and queries work together. Aggregations are computed only on the API keys that match the query. This supports only a subset of aggregation types, namely: terms, range, date_range, missing, cardinality, value_count, composite, filter, and filters. Additionally, aggregations only run over the same subset of fields that query works with.

  • query object

    Additional properties are allowed.

    Hide query attributes Show query attributes object
    • match object

      Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

    • prefix object

      Returns documents that contain a specific prefix in a provided field.

    • range object

      Returns documents that contain terms within a provided range.

    • term object

      Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

    • wildcard object

      Returns documents that contain terms matching a wildcard pattern.

  • from number

    The starting document offset. It must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.

  • sort string | object | array[string | object]

    One of:

    Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

  • size number

    The number of hits to return. It must not be negative. The size parameter can be set to 0, in which case no API key matches are returned, only the aggregation results. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.

  • search_after array[number | string | boolean | null]

    A field value.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • total number Required

      The total number of API keys found.

    • count number Required

      The number of API keys returned in the response.

    • api_keys array[object] Required

      A list of API key information.

      Hide api_keys attributes Show api_keys attributes object
      • id string Required
      • name string Required
      • type string Required

        Values are rest or cross_cluster.

      • creation number

        Time unit for milliseconds

      • Time unit for milliseconds

      • invalidated boolean Required

        Invalidation status for the API key. If the key has been invalidated, it has a value of true. Otherwise, it is false.

      • Time unit for milliseconds

      • username string Required
      • realm string Required

        Realm name of the principal for which this API key was created.

      • Realm type of the principal for which this API key was created

      • metadata object Required
        Hide metadata attribute Show metadata attribute object
        • * object Additional properties

          Additional properties are allowed.

      • The role descriptors assigned to this API key when it was created or last updated. An empty role descriptor means the API key inherits the owner user’s permissions.

        Hide role_descriptors attribute Show role_descriptors attribute object
        • * object Additional properties

          Additional properties are allowed.

          Hide * attributes Show * attributes object
          • cluster array[string]

            A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.

          • indices array[object]

            A list of indices permissions entries.

            Additional properties are allowed.

          • remote_indices array[object]

            A list of indices permissions for remote clusters.

            Additional properties are allowed.

          • remote_cluster array[object]

            A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.

            Additional properties are allowed.

          • global array[object] | object

            An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.

          • applications array[object]

            A list of application privilege entries

            Additional properties are allowed.

          • metadata object
            Hide metadata attribute Show metadata attribute object
            • * object Additional properties

              Additional properties are allowed.

          • run_as array[string]

            A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

          • Optional description of the role descriptor

          • Additional properties are allowed.

            Hide restriction attribute Show restriction attribute object
            • workflows array[string] Required

              A list of workflows to which the API key is restricted. NOTE: In order to use a role restriction, an API key must be created with a single role descriptor.

          • Hide transient_metadata attribute Show transient_metadata attribute object
            • * object Additional properties

              Additional properties are allowed.

      • limited_by array[object]

        The owner user’s permissions associated with the API key. It is a point-in-time snapshot captured at creation and subsequent updates. An API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.

        Hide limited_by attribute Show limited_by attribute object
        • * object Additional properties

          Additional properties are allowed.

          Hide * attributes Show * attributes object
          • cluster array[string]

            A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.

          • indices array[object]

            A list of indices permissions entries.

          • remote_indices array[object]

            A list of indices permissions for remote clusters.

          • remote_cluster array[object]

            A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.

          • applications array[object]

            A list of application privilege entries

          • metadata object
          • run_as array[string]

            A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

          • Optional description of the role descriptor

          • Additional properties are allowed.

      • access object

        Additional properties are allowed.

        Hide access attributes Show access attributes object
        • replication array[object]

          A list of indices permission entries for cross-cluster replication.

          Hide replication attributes Show replication attributes object
      • The profile uid for the API key owner principal, if requested and if it exists

      • _sort array[number | string | boolean | null]

        A field value.

    • The aggregations result, if requested.

GET /_security/_query/api_key
curl \
 --request GET http://api.example.com/_security/_query/api_key \
 --header "Content-Type: application/json" \
 --data '{"aggregations":{},"query":{"match":{},"prefix":{},"range":{},"term":{},"wildcard":{}},"from":42.0,"":"string","size":42.0,"search_after":[42.0]}'
Request examples
{
  "aggregations": {},
  "query": {
    "match": {},
    "prefix": {},
    "range": {},
    "term": {},
    "wildcard": {}
  },
  "from": 42.0,
  "": "string",
  "size": 42.0,
  "search_after": [
    42.0
  ]
}
Response examples (200)
{
  "total": 42.0,
  "count": 42.0,
  "api_keys": [
    {
      "id": "string",
      "name": "string",
      "type": "rest",
      "": 42.0,
      "invalidated": true,
      "username": "string",
      "realm": "string",
      "realm_type": "string",
      "metadata": {
        "additionalProperty1": {},
        "additionalProperty2": {}
      },
      "role_descriptors": {
        "additionalProperty1": {
          "cluster": [
            "string"
          ],
          "indices": [
            {}
          ],
          "remote_indices": [
            {}
          ],
          "remote_cluster": [
            {}
          ],
          "global": [
            {}
          ],
          "applications": [
            {}
          ],
          "metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          },
          "run_as": [
            "string"
          ],
          "description": "string",
          "restriction": {
            "workflows": [
              "string"
            ]
          },
          "transient_metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          }
        },
        "additionalProperty2": {
          "cluster": [
            "string"
          ],
          "indices": [
            {}
          ],
          "remote_indices": [
            {}
          ],
          "remote_cluster": [
            {}
          ],
          "global": [
            {}
          ],
          "applications": [
            {}
          ],
          "metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          },
          "run_as": [
            "string"
          ],
          "description": "string",
          "restriction": {
            "workflows": [
              "string"
            ]
          },
          "transient_metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          }
        }
      },
      "limited_by": [
        {
          "additionalProperty1": {
            "cluster": [
              "string"
            ],
            "indices": [
              {}
            ],
            "remote_indices": [
              {}
            ],
            "remote_cluster": [
              {}
            ],
            "applications": [
              {}
            ],
            "metadata": {},
            "run_as": [
              "string"
            ],
            "description": "string",
            "restriction": {},
            "transient_metadata": {}
          },
          "additionalProperty2": {
            "cluster": [
              "string"
            ],
            "indices": [
              {}
            ],
            "remote_indices": [
              {}
            ],
            "remote_cluster": [
              {}
            ],
            "applications": [
              {}
            ],
            "metadata": {},
            "run_as": [
              "string"
            ],
            "description": "string",
            "restriction": {},
            "transient_metadata": {}
          }
        }
      ],
      "access": {
        "replication": [
          {
            "allow_restricted_indices": true
          }
        ],
        "search": [
          {
            "field_security": {},
            "allow_restricted_indices": true
          }
        ]
      },
      "profile_uid": "string",
      "_sort": [
        42.0
      ]
    }
  ],
  "aggregations": {}
}