Create service account token API
editCreate service account token API
editThis functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
Creates a service accounts token for access without requiring basic authentication.
Request
editPOST /_security/service/<namespace>/<service>/credential/token/<token_name>
PUT /_security/service/<namespace>/<service>/credential/token/<token_name>
POST /_security/service/<namespace>/<service>/credential/token
Prerequisites
edit-
To use this API, you must have at least the
manage_service_account
cluster privilege.
Description
editIn production mode, service accounts require TLS on the HTTP interface. A runtime check prevents you from invoking any related APIs or authenticating with a service account token unless TLS is enabled on the HTTP interface. See encrypt HTTP client communications for Elasticsearch.
A successful create service account token API call returns a JSON structure that contains the service account token, its name, and its secret value.
Service account tokens never expire. You must actively delete them if they are no longer needed.
Path parameters
edit-
namespace
- (Required, string) Name of the namespace.
-
service
- (Required, string) Name of the service name.
-
token_name
-
(Optional, string) Name for the service account token. If omitted, a random name will be generated.
Token names must be at least 1 and no more than 256 characters. They can contain alphanumeric characters (
a-z
,A-Z
,0-9
), dashes (-
), and underscores (_
), but cannot begin with an underscore.Token names must be unique in the context of the associated service account. They must also be globally unique with their fully qualified names, which are comprised of the service account principal and token name, such as
<namespace>/<service>/<token-name>
.
Examples
editThe following request creates a service account token:
POST /_security/service/elastic/fleet-server/credential/token/token1
The response includes the service account token, its name, and its secret value:
{ "created": true, "token": { "name": "token1", "value": "AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ" } }
To use the service account token, include the generated token value in a
request with an Authorization: Bearer
header:
curl -H "Authorization: Bearer AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ" http://localhost:9200/_cluster/health
If your node has xpack.security.http.ssl.enabled
set to true
, then
you must specify https
in the request URL.
The following request creates a service token with an auto-generated token name:
POST /_security/service/elastic/fleet-server/credential/token
The response includes the service account token, its auto-generated name, and its secret value:
{ "created": true, "token": { "name": "Jk5J1HgBuyBK5TpDrdo4", "value": "AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ" } }