Create Cross-Cluster API key API
Creates an API key of the cross_cluster type for API key based remote cluster access. A cross_cluster API key cannot be used to authenticate through the REST interface. Conversely, a REST API key is meant to be used through the REST interface and cannot be used for API key based remote cluster access.
Request
POST /_security/cross_cluster/api_key
Prerequisites
- To use this API, you must have at least the manage_security cluster privilege.
- To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error.
Description
Cross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled. For instructions on disabling the API key service, refer to API key service settings.
A successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.
By default, API keys never expire. You can specify expiration information when you create the API keys.
Refer to API key service settings for configuration settings related to API key service.
Cross-cluster API keys can only be updated with the Update Cross-Cluster API key API. Attempting to update them with the Update REST API key API or the Bulk Update REST API Keys API results in an error. They can be retrieved and invalidated using the Get API keys API, the Query API keys API and the Invalidate API keys API.
Request body
The following parameters can be specified in the body of a POST request:

- name
  (Required, string) Specifies the name for this API key.
- access
  (Required, object) The access to be granted to this API key. The access is composed of permissions for cross-cluster search and cross-cluster replication. At least one of them must be specified.
  - search
    (Optional, list) A list of indices permission entries for cross-cluster search.
    - names
      (Required, list) A list of indices or name patterns to which the permissions in this entry apply.
    - field_security
      (Optional, object) The document fields that the owners of the role have read access to. This may not be set when the replication field is also defined. For more information, see Field and document level security with cross-cluster API keys.
    - query
      (Optional) A search query that defines the documents the owners of the role have read access to. A document within the specified indices must match this query to be accessible by the owners of the role. This may not be set when the replication field is also defined. For more information, see Field and document level security with cross-cluster API keys.
    - allow_restricted_indices
      (Optional, boolean) This needs to be set to true (default is false) if the patterns in the names field should cover system indices.
  - replication
    (Optional, list) A list of indices permission entries for cross-cluster replication.
    - names
      (Required, list) A list of indices or name patterns to which the permissions in this entry apply.

  No explicit privileges should be specified for either search or replication access. The creation process automatically converts the access specification to a role descriptor which has the relevant privileges assigned accordingly. The access value as well as its corresponding role_descriptors are returned in responses of the Get API keys API and the Query API keys API.

  Unlike REST API keys, a cross-cluster API key does not capture the permissions of the authenticated user. The API key's effective permission is exactly as specified with the access parameter.
- expiration
  (Optional, string) Expiration time for the API key. By default, API keys never expire.
- metadata
  (Optional, object) Arbitrary metadata that you want to associate with the API key. It supports nested data structures. Within the metadata object, keys beginning with _ are reserved for system usage.
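The rules in the request body section are easy to get wrong when a request is assembled by automation (no search or replication at all, field_security or query combined with replication, reserved metadata keys). The following added example, which is not Elasticsearch or client-library code, builds the body for POST /_security/cross_cluster/api_key and rejects a specification that violates those rules before it reaches the cluster. The function names are hypothetical; the sample values are the reference's own example.

```python
# Added example (not Elasticsearch or client-library code): build and validate
# the body for POST /_security/cross_cluster/api_key client-side, enforcing the
# rules stated in the reference before the request leaves your tooling.
# build_cross_cluster_api_key_body and check_indices_entry are hypothetical names.
import json

RESERVED_METADATA_PREFIX = "_"  # keys starting with "_" are reserved for system usage
ENTRY_KEYS = {
    "search": {"names", "field_security", "query", "allow_restricted_indices"},
    "replication": {"names", "allow_restricted_indices"},
}


def check_indices_entry(entry, kind, replication_defined):
    """Validate one indices permission entry of the access.search or access.replication list."""
    if not isinstance(entry, dict):
        raise ValueError(f"{kind} entry must be an object")
    names = entry.get("names")
    if not isinstance(names, list) or not names or not all(isinstance(n, str) and n for n in names):
        raise ValueError(f"{kind} entry requires a non-empty 'names' list")
    unknown = set(entry) - ENTRY_KEYS[kind]
    if unknown:
        raise ValueError(f"unsupported keys in {kind} entry: {sorted(unknown)}")
    # Field- and document-level security may only be granted on a key that has
    # no replication access at all.
    if kind == "search" and replication_defined and ("field_security" in entry or "query" in entry):
        raise ValueError("field_security/query may not be set when replication is also defined")
    if "allow_restricted_indices" in entry and not isinstance(entry["allow_restricted_indices"], bool):
        raise ValueError("allow_restricted_indices must be a boolean")


def build_cross_cluster_api_key_body(name, search=None, replication=None, expiration=None, metadata=None):
    """Return the JSON-serialisable request body, or raise ValueError for a spec the API would reject."""
    if not isinstance(name, str) or not name:
        raise ValueError("name is required")
    if not search and not replication:
        raise ValueError("access must contain at least one of search or replication")
    access = {}
    if search:
        for entry in search:
            check_indices_entry(entry, "search", bool(replication))
        access["search"] = search
    if replication:
        for entry in replication:
            check_indices_entry(entry, "replication", True)
        access["replication"] = replication
    body = {"name": name}
    if expiration is not None:
        body["expiration"] = expiration  # e.g. "1d"; when omitted the key never expires
    body["access"] = access  # no explicit privileges: the cluster derives the role descriptor
    if metadata is not None:
        reserved = [k for k in metadata if k.startswith(RESERVED_METADATA_PREFIX)]
        if reserved:
            raise ValueError(f"metadata keys reserved for system usage: {reserved}")
        body["metadata"] = metadata
    return body


def page_example_body():
    """The body from the reference's own example, produced by the builder."""
    return build_cross_cluster_api_key_body(
        "my-cross-cluster-api-key",
        search=[{"names": ["logs*"]}],
        replication=[{"names": ["archive*"]}],
        expiration="1d",
        metadata={"description": "phase one",
                  "environment": {"level": 1, "trusted": True, "tags": ["dev", "staging"]}},
    )


if __name__ == "__main__":
    print(json.dumps(page_example_body(), indent=2))
```

The returned dict is what you would pass as the body to the client call shown in the Examples section. Keeping the validation client-side also gives you one place to enforce local policy, for instance requiring an expiration for every cross-cluster key.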
Examples
The following example creates a cross-cluster API key.

Python:

    resp = client.perform_request(
        "POST",
        "/_security/cross_cluster/api_key",
        headers={"Content-Type": "application/json"},
        body={
            "name": "my-cross-cluster-api-key",
            "expiration": "1d",
            "access": {
                "search": [{"names": ["logs*"]}],
                "replication": [{"names": ["archive*"]}],
            },
            "metadata": {
                "description": "phase one",
                "environment": {"level": 1, "trusted": True, "tags": ["dev", "staging"]},
            },
        },
    )
    print(resp)

JavaScript:

    const response = await client.transport.request({
      method: "POST",
      path: "/_security/cross_cluster/api_key",
      body: {
        name: "my-cross-cluster-api-key",
        expiration: "1d",
        access: {
          search: [{ names: ["logs*"] }],
          replication: [{ names: ["archive*"] }],
        },
        metadata: {
          description: "phase one",
          environment: { level: 1, trusted: true, tags: ["dev", "staging"] },
        },
      },
    });
    console.log(response);

Console:

    POST /_security/cross_cluster/api_key
    {
      "name": "my-cross-cluster-api-key",
      "expiration": "1d",
      "access": {
        "search": [
          { "names": ["logs*"] }
        ],
        "replication": [
          { "names": ["archive*"] }
        ]
      },
      "metadata": {
        "description": "phase one",
        "environment": {
          "level": 1,
          "trusted": true,
          "tags": ["dev", "staging"]
        }
      }
    }
Notes on the request body:

- expiration: Optional expiration for the API key being generated. If expiration is not provided then the API key does not expire.
- access.search: Cross-cluster search access to be granted to the API key.
- access.replication: Cross-cluster replication access to be granted to the API key.
A successful call returns a JSON structure that provides API key information.
    {
      "id": "VuaCfGcBCdbkQm-e5aOx",
      "name": "my-cross-cluster-api-key",
      "expiration": 1544068612110,
      "api_key": "ui2lp2axTNmsyakw9tvNnw",
      "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=="
    }
Notes on the response:

- id: Unique ID for this API key.
- expiration: Optional expiration in milliseconds for this API key.
- api_key: Generated API key secret.
- encoded: API key credentials, which is the Base64-encoding of the UTF-8 representation of the id and api_key joined by a colon (:).
The API key information can be retrieved with the Get API key API.
Python:

    resp = client.security.get_api_key(
        id="VuaCfGcBCdbkQm-e5aOx",
    )
    print(resp)

JavaScript:

    const response = await client.security.getApiKey({
      id: "VuaCfGcBCdbkQm-e5aOx",
    });
    console.log(response);

Console:

    GET /_security/api_key?id=VuaCfGcBCdbkQm-e5aOx
A successful call returns a JSON structure that contains the information of the API key:
    {
      "api_keys": [
        {
          "id": "VuaCfGcBCdbkQm-e5aOx",
          "name": "my-cross-cluster-api-key",
          "type": "cross_cluster",
          "creation": 1548550550158,
          "expiration": 1548551550158,
          "invalidated": false,
          "username": "myuser",
          "realm": "native1",
          "metadata": {
            "description": "phase one",
            "environment": {
              "level": 1,
              "trusted": true,
              "tags": ["dev", "staging"]
            }
          },
          "role_descriptors": {
            "cross_cluster": {
              "cluster": [
                "cross_cluster_search",
                "cross_cluster_replication"
              ],
              "indices": [
                {
                  "names": ["logs*"],
                  "privileges": ["read", "read_cross_cluster", "view_index_metadata"],
                  "allow_restricted_indices": false
                },
                {
                  "names": ["archive*"],
                  "privileges": ["cross_cluster_replication", "cross_cluster_replication_internal"],
                  "allow_restricted_indices": false
                }
              ],
              "applications": [],
              "run_as": [],
              "metadata": {},
              "transient_metadata": {
                "enabled": true
              }
            }
          },
          "access": {
            "search": [
              {
                "names": ["logs*"],
                "allow_restricted_indices": false
              }
            ],
            "replication": [
              {
                "names": ["archive*"],
                "allow_restricted_indices": false
              }
            ]
          }
        }
      ]
    }
Notes on the response:

- id: ID for the API key.
- name: Name of the API key.
- type: Type of the API key.
- role_descriptors: The role descriptors generated for the cross-cluster API key. It always contains exactly one role descriptor named cross_cluster.
- role_descriptors.cross_cluster.cluster: The cluster privileges necessary for the required cross-cluster access. The value is cross_cluster_search, cross_cluster_replication, or both, depending on the access that was specified.
- role_descriptors.cross_cluster.indices (first entry): The indices privileges corresponding to the required cross-cluster search access.
- role_descriptors.cross_cluster.indices (second entry): The indices privileges corresponding to the required cross-cluster replication access.
- access: The access value as specified when the API key was created.
To use the generated API key, configure it as the cluster credential as part of an API key based remote cluster configuration.
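Two things a defender typically needs from the responses shown above are the key's id (to invalidate a credential that has been exposed, without needing the secret) and an at-a-glance view of what an existing key grants and when it expires. The following added example, which is not Elasticsearch code, covers both: it decodes the encoded value from the create response back into id and api_key, builds the corresponding Invalidate API keys request, and summarises one entry of the Get API keys response. The function names are hypothetical; the sample documents are copies of the reference's own responses (the Get entry trimmed to the fields used), and the Invalidate request path and ids field are the documented ones for that API.

```python
# Added example (not Elasticsearch code): defender-side helpers for the create
# and Get API keys responses shown in the reference. Function names are
# hypothetical; CREATE_RESPONSE and GET_RESPONSE_KEY are copied from the page.
import base64
import binascii
from datetime import datetime, timezone

# Copied from the create response above.
CREATE_RESPONSE = {
    "id": "VuaCfGcBCdbkQm-e5aOx",
    "name": "my-cross-cluster-api-key",
    "expiration": 1544068612110,
    "api_key": "ui2lp2axTNmsyakw9tvNnw",
    "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==",
}

# One entry of the Get API key response above, trimmed to the fields used here.
GET_RESPONSE_KEY = {
    "id": "VuaCfGcBCdbkQm-e5aOx",
    "name": "my-cross-cluster-api-key",
    "type": "cross_cluster",
    "creation": 1548550550158,
    "expiration": 1548551550158,
    "invalidated": False,
    "role_descriptors": {"cross_cluster": {
        "cluster": ["cross_cluster_search", "cross_cluster_replication"],
        "indices": [
            {"names": ["logs*"], "privileges": ["read", "read_cross_cluster", "view_index_metadata"],
             "allow_restricted_indices": False},
            {"names": ["archive*"], "privileges": ["cross_cluster_replication", "cross_cluster_replication_internal"],
             "allow_restricted_indices": False},
        ]}},
    "access": {"search": [{"names": ["logs*"], "allow_restricted_indices": False}],
               "replication": [{"names": ["archive*"], "allow_restricted_indices": False}]},
}


def encode_credential(key_id, secret):
    """`encoded` is the base64 of the UTF-8 string "<id>:<api_key>"."""
    return base64.b64encode(f"{key_id}:{secret}".encode("utf-8")).decode("ascii")


def decode_credential(encoded):
    """Recover (id, api_key) from an `encoded` value; raises ValueError if malformed."""
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a base64 API key credential") from exc
    key_id, sep, secret = raw.partition(":")
    if not sep or not key_id or not secret:
        raise ValueError("credential is not of the form id:api_key")
    return key_id, secret


def invalidate_request_for(encoded):
    """For an exposed credential, the Invalidate API keys request that revokes it by id."""
    key_id, _ = decode_credential(encoded)
    return "DELETE", "/_security/api_key", {"ids": [key_id]}


def audit_api_key(key, now_ms):
    """Summarise one Get API keys entry: type, expiry state and the access it grants."""
    rd = key.get("role_descriptors", {}).get("cross_cluster", {})
    exp = key.get("expiration")  # epoch milliseconds, absent when the key never expires
    return {
        "id": key["id"],
        "type": key.get("type"),
        "invalidated": key.get("invalidated", False),
        "never_expires": exp is None,
        "expired": exp is not None and exp <= now_ms,
        "expires_at": None if exp is None else datetime.fromtimestamp(exp // 1000, tz=timezone.utc).isoformat(),
        "cluster_privileges": rd.get("cluster", []),
        "restricted_indices_allowed": any(i.get("allow_restricted_indices") for i in rd.get("indices", [])),
        "search_patterns": [n for e in key.get("access", {}).get("search", []) for n in e["names"]],
        "replication_patterns": [n for e in key.get("access", {}).get("replication", []) for n in e["names"]],
    }


if __name__ == "__main__":
    print(decode_credential(CREATE_RESPONSE["encoded"]))
    print(invalidate_request_for(CREATE_RESPONSE["encoded"]))
    print(audit_api_key(GET_RESPONSE_KEY, now_ms=1548551000000))
```

Run over the api_keys array of a real Get or Query API keys response, audit_api_key gives a quick list of cross_cluster keys that never expire, already expired but are not yet invalidated, or cover system indices, which are the ones worth reviewing first.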