Create a cross-cluster API key

POST /_security/cross_cluster/api_key

Create an API key of the cross_cluster type for API key based remote cluster access. A cross_cluster API key cannot be used to authenticate through the REST interface.

IMPORTANT: To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error.

Cross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled.

NOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the access property.

A successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.

By default, API keys never expire. You can specify expiration information when you create the API keys.

Cross-cluster API keys can only be updated with the update cross-cluster API key API. Attempting to update them with the update REST API key API or the bulk update REST API keys API will result in an error.

application/json

Body Required

  • access object Required

    Additional properties are allowed.

    • replication array[object]

      A list of indices permission entries for cross-cluster replication.

      • names array[string] Required

        A list of indices (or index name patterns) to which the permissions in this entry apply.

  • expiration string

    A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

  • metadata object
    • * object Additional properties

      Additional properties are allowed.

  • name string Required

Responses

  • 200 application/json
    • api_key string Required

      Generated API key.

    • Time unit for milliseconds

    • id string Required
    • name string Required
    • encoded string Required

      API key credentials, which are the base64 encoding of the UTF-8 representation of id and api_key joined by a colon (:).

POST /_security/cross_cluster/api_key
curl \
 -X POST http://api.example.com/_security/cross_cluster/api_key \
 -H "Content-Type: application/json" \
 -d '{"access":{"replication":[{"names":["string"]}],"search":[{"field_security":{"except":"string","grant":"string"},"names":["string"],"":"string","allow_restricted_indices":true}]},"expiration":"string","metadata":{"additionalProperty1":{},"additionalProperty2":{}},"name":"string"}'
Request examples
{
  "access": {
    "replication": [
      {
        "names": [
          "string"
        ]
      }
    ],
    "search": [
      {
        "field_security": {
          "except": "string",
          "grant": "string"
        },
        "names": [
          "string"
        ],
        "": "string",
        "allow_restricted_indices": true
      }
    ]
  },
  "expiration": "string",
  "metadata": {
    "additionalProperty1": {},
    "additionalProperty2": {}
  },
  "name": "string"
}
Response examples (200)
{
  "api_key": "string",
  "": 42.0,
  "id": "string",
  "name": "string",
  "encoded": "string"
}
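
Added example (not part of the Elasticsearch documentation): a Python helper that builds a replication-only request body and checks that a response's encoded field matches id and api_key as described above. The function names, the sample response and the two policy checks (no catch-all index pattern, a bounded expiration) are assumptions made for illustration.

```python
import base64
import hmac
import re

# Duration grammar as read from the expiration description: an integer with one
# of the listed units, or the special values "0" and "-1".
_DURATION = re.compile(r"(?:0|-1|\d+(?:nanos|micros|ms|s|m|h|d))")

# Constructed sample response (not real credentials).
SAMPLE_RESPONSE = {"id": "id1", "name": "ccr-key", "api_key": "key1",
                   "encoded": "aWQxOmtleTE="}


def build_request(name, replication_names, expiration, metadata=None):
    """Return a request body that grants replication on explicit index patterns."""
    if not name:
        raise ValueError("name is required")
    if not replication_names or any(p in ("", "*") for p in replication_names):
        # Assumed local policy: the key's permission is exactly what `access`
        # says, so refuse an empty list or a catch-all pattern.
        raise ValueError("list explicit index names or narrow patterns")
    if not _DURATION.fullmatch(expiration) or expiration in ("0", "-1"):
        # Assumed local policy: keys never expire by default, so demand a
        # bounded lifetime instead of an unspecified one.
        raise ValueError("expiration must be a bounded duration such as '30d'")
    body = {
        "name": name,
        "expiration": expiration,
        "access": {"replication": [{"names": list(replication_names)}]},
    }
    if metadata:
        body["metadata"] = metadata
    return body


def encoded_matches(response):
    """True if `encoded` is base64 of UTF-8 "id:api_key" for this response."""
    pair = f'{response["id"]}:{response["api_key"]}'.encode("utf-8")
    expected = base64.b64encode(pair).decode("ascii")
    try:
        return hmac.compare_digest(expected, response["encoded"])
    except TypeError:  # non-ASCII `encoded` cannot be valid base64
        return False
```
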