Create a cross-cluster API key

POST /_security/cross_cluster/api_key

Create an API key of the cross_cluster type for the API key based remote cluster access. A cross_cluster API key cannot be used to authenticate through the REST interface.

IMPORTANT: To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error.

Cross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled.

NOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the access property.

A successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.

By default, API keys never expire. You can specify expiration information when you create the API keys.

Cross-cluster API keys can only be updated with the update cross-cluster API key API. Attempting to update them with the update REST API key API or the bulk update REST API keys API will result in an error.

External documentation
application/json

Body Required

  • access object Required

    Additional properties are allowed.

    Hide access attributes Show access attributes object
    • replication array[object]

      A list of indices permission entries for cross-cluster replication.

      Hide replication attribute Show replication attribute object
      • names array[string] Required

        A list of indices (or index name patterns) to which the permissions in this entry apply.

    • search array[object]

      A list of indices permission entries for cross-cluster search.

      Hide search attributes Show search attributes object
      • field_security object

        Additional properties are allowed.

        Hide field_security attributes Show field_security attributes object
      • names array[string] Required

        A list of indices (or index name patterns) to which the permissions in this entry apply.

      • query string | object

        While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.

        Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.

        One of:
        _types:IndicesPrivilegesQuery string query_dsl:QueryContainer object _types:RoleTemplateQuery object

        Additional properties are allowed.

        External documentation
      • allow_restricted_indices boolean

        Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

  • expiration string

    A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

  • metadata object
    Hide metadata attribute Show metadata attribute object
    • * object Additional properties

      Additional properties are allowed.

  • name string Required

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • api_key string Required

      Generated API key.

    • expiration number

      Time unit for milliseconds

    • id string Required
    • name string Required
    • encoded string Required

      API key credentials which is the base64-encoding of the UTF-8 representation of id and api_key joined by a colon (:).
POST /_security/cross_cluster/api_key 
curl \
 -X POST http://api.example.com/_security/cross_cluster/api_key \
 -H "Content-Type: application/json" \
 -d '{"access":{"replication":[{"names":["string"]}],"search":[{"field_security":{"except":"string","grant":"string"},"names":["string"],"":"string","allow_restricted_indices":true}]},"expiration":"string","metadata":{"additionalProperty1":{},"additionalProperty2":{}},"name":"string"}'
Request examples 
{
  "access": {
    "replication": [
      {
        "names": [
          "string"
        ]
      }
    ],
    "search": [
      {
        "field_security": {
          "except": "string",
          "grant": "string"
        },
        "names": [
          "string"
        ],
        "": "string",
        "allow_restricted_indices": true
      }
    ]
  },
  "expiration": "string",
  "metadata": {
    "additionalProperty1": {},
    "additionalProperty2": {}
  },
  "name": "string"
}
Response examples (200) 
{
  "api_key": "string",
  "": 42.0,
  "id": "string",
  "name": "string",
  "encoded": "string"
}