Get service account credentials API

edit

Get service account credentials API

edit

Retrieves all service credentials for a service account.

Request

edit

GET /_security/service/<namespace>/<service>/credential

Prerequisites

edit
  • To use this API, you must have at least the read_security cluster privilege (or a greater privilege such as manage_service_account or manage_security).

Description

edit

Use this API to retrieve a list of credentials for a service account. The response includes service account tokens that were created with the create service account tokens API as well as file-backed tokens from all nodes of the cluster.

For tokens backed by the service_tokens file, the API collects them from all nodes of the cluster. Tokens with the same name from different nodes are assumed to be the same token and are only counted once towards the total number of service tokens.

Path parameters

edit
namespace
(Required, string) Name of the namespace.
service
(Required, string) Name of the service name.

Examples

edit

The following request uses the create service account token API to create a service account token named token1 in the elastic/fleet-server service account:

resp = client.security.create_service_token(
    namespace="elastic",
    service="fleet-server",
    name="token1",
)
print(resp)
const response = await client.security.createServiceToken({
  namespace: "elastic",
  service: "fleet-server",
  name: "token1",
});
console.log(response);
POST /_security/service/elastic/fleet-server/credential/token/token1

The following request returns all credentials for the elastic/fleet-server service account:

resp = client.security.get_service_credentials(
    namespace="elastic",
    service="fleet-server",
)
print(resp)
const response = await client.security.getServiceCredentials({
  namespace: "elastic",
  service: "fleet-server",
});
console.log(response);
GET /_security/service/elastic/fleet-server/credential

The response includes all credentials related to the specified service account:

{
  "service_account": "elastic/fleet-server",
  "count": 3,
  "tokens": {
    "token1": {},        
    "token42": {}        
  },
  "nodes_credentials": { 
    "_nodes": {          
      "total": 3,
      "successful": 3,
      "failed": 0
    },
    "file_tokens": {      
      "my-token": {
        "nodes": [ "node0", "node1" ] 
      }
    }
  }
}

A new service account token backed by the .security index

An existing service account token backed by the .security index

This section contains service account credentials collected from all nodes of the cluster

General status showing how nodes respond to the above collection request

File-backed tokens collected from all nodes

List of nodes that (file-backed) my-token is found